Security #69
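name: Security

# Least-privilege default for GITHUB_TOKEN in every job: read the repository
# and nothing else. Jobs that upload SARIF to code scanning declare their own
# `permissions` block (a job-level block replaces this one, so it repeats
# `contents: read`).
permissions:
  contents: read

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main, develop ]
  schedule:
    - cron: '0 2 * * *'  # Daily at 2 AM UTC

jobs:
  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # upload-sarif writes code-scanning alerts
      actions: read           # per the codeql-action docs, needed by upload-sarif on private repositories
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.1'
          extensions: mbstring, xml, curl, json, pdo, pdo_mysql, redis

      - name: Install Composer dependencies
        run: composer install --prefer-dist --no-progress --no-interaction

      # `composer audit` exits non-zero when a dependency has a known advisory,
      # which fails this job; `composer outdated` is informational only.
      - name: Run security audit
        run: |
          composer audit --format=plain
          composer outdated --direct --minor-only

      # The folded scalar joins the rulesets into one space-separated `config`
      # value, which is the form this action expects.
      - name: Run Semgrep
        uses: returntocorp/semgrep-action@v1
        with:
          config: >-
            p/security-audit
            p/secrets
            p/php
            p/owasp-top-ten

      # The CodeQL init/autobuild/analyze steps were removed: PHP is not a
      # CodeQL-supported language, so `codeql-action/init` with
      # `languages: php` fails this job and, through `needs: security-scan`,
      # prevents container-scan and api-security-test from ever running.
      # Re-add them with a supported language if one is present in the repo.

      # TODO(review): @master is a mutable ref; pin to a release tag or full
      # commit SHA. `--sarif-file-output` makes Snyk write the file the next
      # step uploads; without it snyk.sarif never exists and the upload fails.
      # The step still exits non-zero on findings, so the job fails as before.
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/php@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --sarif-file-output=snyk.sarif

      - name: Upload Snyk results
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: snyk.sarif

  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      # Fails the PR when a newly introduced dependency carries an advisory of
      # moderate severity or higher.
      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: moderate

  secret-scan:
    name: Secret Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          fetch-depth: 0  # full history so both scanners can walk every commit

      # TODO(review): @main is a mutable ref; pin to a release tag or full
      # commit SHA.
      # NOTE(review): on a push to main, `base: main` and `head: HEAD` resolve
      # to the same commit, leaving no range to scan — confirm against the
      # TruffleHog action docs which base/head form is intended for push
      # events. `--debug` is kept as authored but makes the step log very
      # verbose.
      - name: Run TruffleHog OSS
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: main
          head: HEAD
          extra_args: --debug --only-verified

      - name: Run Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  container-scan:
    name: Container Security Scan
    runs-on: ubuntu-latest
    needs: security-scan
    if: github.event_name == 'push'
    permissions:
      contents: read
      security-events: write  # upload-sarif writes code-scanning alerts
      actions: read           # per the codeql-action docs, needed by upload-sarif on private repositories
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Build Docker image
        run: |
          docker build -t rechain-dao:latest .

      # TODO(review): @master is a mutable ref; pin to a release tag or full
      # commit SHA. No `exit-code` is set, so findings are reported to code
      # scanning but do not fail the job.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'rechain-dao:latest'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'

  api-security-test:
    name: API Security Test
    runs-on: ubuntu-latest
    needs: security-scan
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      # NOTE(review): no later step in this job uses Node, and `cache: 'npm'`
      # errors when the repository has no package-lock.json — confirm this
      # step is still needed.
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '18'
          cache: 'npm'

      # TODO(review): the tarball is fetched without an integrity check;
      # verify the checksum or signature published with the ZAP 2.14.0 release
      # before extracting. A failed download aborts the step because GitHub
      # runs `run:` scripts with `bash -e`.
      - name: Install OWASP ZAP Baseline
        run: |
          wget https://github.com/zaproxy/zaproxy/releases/download/v2.14.0/ZAP_2.14.0_Linux.tar.gz
          tar -xvf ZAP_2.14.0_Linux.tar.gz
          chmod +x ZAP_2.14.0/zap.sh

      # `docker compose` (the v2 plugin) replaces the standalone `docker-compose`
      # v1 binary, which current ubuntu-latest images no longer ship. The fixed
      # sleep is a readiness wait; polling a health endpoint would be sturdier.
      - name: Start application for testing
        run: |
          docker compose -f docker-compose.test.yml up -d
          sleep 30

      # `-quickout` writes the report that the final step uploads; without it
      # zap-report.html is never created and the artifact upload finds nothing.
      # The duplicated trailing `-cmd` was dropped.
      - name: Run OWASP ZAP Baseline Scan
        run: |
          ./ZAP_2.14.0/zap.sh -cmd -quickurl http://localhost:8080 -quickprogress -quickout "$PWD/zap-report.html"

      - name: Stop test environment
        if: always()  # tear down even when the scan step fails
        run: |
          docker compose -f docker-compose.test.yml down

      - name: Upload ZAP results
        uses: actions/upload-artifact@v6
        if: always()
        with:
          name: zap-report
          path: zap-report.html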