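name: DevSecOps Security Pipeline

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 2 * * *'  # daily scan at 02:00 (Actions cron is UTC)

env:
  NODE_VERSION: '18'
  DOCKER_IMAGE_NAME: 'devsecops-react-app'

# GITHUB_TOKEN is granted read-only access for every job: none of the steps
# below writes to the repository, so nothing needs a broader grant.
permissions:
  contents: read

jobs:
  security-scan:
    name: Security Analysis
    runs-on: ubuntu-latest
    # A dependent job can only read a step output through job-level outputs.
    # Without this mapping `needs.security-scan.outputs.status` is always
    # empty and quality-check is silently skipped.
    outputs:
      status: ${{ steps.security-gate.outputs.status }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so the secret scan covers past commits

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
          cache-dependency-path: app/package-lock.json

      # Required by the security test step further down (npm audit only needs
      # the lockfile, but `npm run test` needs node_modules).
      - name: Install dependencies
        run: |
          cd app
          npm ci

      # 1. SAST - static code analysis.
      #    Advisory only: continue-on-error means findings never fail this
      #    job; the Trivy-based gate below is the only blocking check.
      - name: Run SAST with Semgrep
        uses: returntocorp/semgrep-action@v1
        with:
          config: p/ci
          outputFormat: sarif
          publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
        continue-on-error: true

      # 2. Dependency analysis (SCA) - advisory, see the note on Semgrep
      - name: Run npm audit
        run: |
          cd app
          npm audit --audit-level=high
        continue-on-error: true

      # TODO: pin to a release tag or commit SHA. @main is a mutable ref, so
      # the code this step executes can change without any edit to this file.
      - name: Run OWASP Dependency Check
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: 'devsecops-react-app'
          path: 'app'
          format: 'HTML'
          args: >
            --scan app/
            --out reports/
            --enableRetired

      # 3. Secret detection in the repository (full history, see fetch-depth)
      # TODO: pin to a release tag or commit SHA (mutable @main ref, as above)
      - name: Detect Secrets
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          extra_args: --json

      # 4. Build Docker image
      - name: Build Docker Image
        run: |
          cd app
          docker build -t ${{ env.DOCKER_IMAGE_NAME }}:${{ github.sha }} .

      # 5. Docker image scan. Only CRITICAL/HIGH findings are reported; in the
      #    SARIF output they carry level "error", which the gate counts.
      # TODO: pin to a release tag or commit SHA (mutable @master ref, as above)
      - name: Scan Docker Image with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: '${{ env.DOCKER_IMAGE_NAME }}:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'

      # 6. Security tests
      - name: Run Security Tests
        run: |
          echo "Running security tests..."
          # Custom tests
          cd app
          npm run test -- --testPathPattern=security

      # 7. Security Gate - decision
      - name: Security Gate
        id: security-gate
        run: |
          echo "🔐 SECURITY GATE CHECK"
          echo "======================"
          # Count Trivy results at SARIF level "error" (CRITICAL/HIGH). The
          # file is parsed with jq (preinstalled on ubuntu-latest) rather than
          # grepped for a byte pattern: Trivy pretty-prints its JSON, so a
          # pattern without a space after the colon would never match and the
          # gate would pass on every run.
          if [ -f "trivy-results.sarif" ]; then
            VULN_COUNT=$(jq '[.runs[]?.results[]? | select(.level == "error")] | length' trivy-results.sarif)
            if [ "$VULN_COUNT" -gt 0 ]; then
              echo "❌ CRITICAL VULNERABILITIES DETECTED: $VULN_COUNT"
              echo "::error::Security gate failed - Critical vulnerabilities found"
              exit 1
            else
              echo "✅ No critical vulnerabilities found"
            fi
          else
            # NOTE(review): this branch is fail-open - a missing scan result
            # still passes the gate. Confirm that is intended.
            echo "⚠️ No Trivy results found"
          fi
          # ::set-output is deprecated; step outputs go to $GITHUB_OUTPUT
          echo "status=passed" >> "$GITHUB_OUTPUT"

      # 8. Upload reports (always, so failed gates keep their evidence)
      - name: Upload Security Reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-reports
          path: |
            reports/
            trivy-results.sarif
          retention-days: 7

  quality-check:
    name: Code Quality
    runs-on: ubuntu-latest
    needs: security-scan
    if: needs.security-scan.outputs.status == 'passed'
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}  # single source of truth: env above

      - name: Install dependencies
        run: |
          cd app
          npm ci

      - name: Run ESLint
        run: |
          cd app
          npx eslint src/ --ext .ts,.tsx --max-warnings 0

      - name: Run TypeScript compiler check
        run: |
          cd app
          npx tsc --noEmit

      - name: Run Tests
        run: |
          cd app
          npm test -- --coverage --watchAll=false

  deploy:
    name: Deploy to Staging
    runs-on: ubuntu-latest
    needs: [security-scan, quality-check]
    # A job-level `if` without a status function still implies success() of
    # every job in `needs`, so a failed gate or quality check blocks deploy.
    if: github.ref == 'refs/heads/main'
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Deploy Preview
        run: |
          echo "🚀 Deploying application..."
          echo "Deployment would happen here"
          echo "Image: ${{ env.DOCKER_IMAGE_NAME }}:${{ github.sha }}"

      - name: Notify Success
        if: success()
        run: |
          echo "✅ Deployment successful!"
          echo "Application is now live with all security checks passed"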