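# CI workflow: build the monorepo, run unit tests, then build the truvera-api
# container image and scan it with Trivy. Scan results are surfaced three ways:
# the job summary, a SARIF upload to GitHub code scanning, and a final step
# that fails the job when HIGH/CRITICAL findings exist.
name: CI

on:
  pull_request:
  push:
    branches:
      - master

jobs:
  build:
    name: Build and Test
    runs-on: ubuntu-latest
    # Job-scoped, least-privilege token. `security-events: write` (plus
    # `actions: read`) is what codeql-action/upload-sarif needs; everything
    # else stays read-only. On pull requests from forks the token is typically
    # read-only regardless, which is why the SARIF upload below is allowed to
    # fail without failing the job.
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      matrix:
        node-version: [22.x]
    steps:
      # Third-party actions are pinned to version tags. Pinning to a full
      # commit SHA is the stronger supply-chain control, since a tag can be
      # moved in the upstream repository.
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'
          cache-dependency-path: 'package-lock.json'

      # `npm ci` installs exactly what package-lock.json pins; --workspaces
      # covers every package in the monorepo.
      - name: Install dependencies (monorepo)
        run: npm ci --workspaces

      - name: Build shared package
        run: npm run build:shared

      - name: Build truvera-api
        run: npm run build:api

      - name: Build wallet-server
        run: npm run build --workspace=apps/wallet-server

      - name: Run tests (truvera-api)
        run: npm run test -- --run
        working-directory: apps/truvera-api

      - name: Run tests (mcp-shared)
        run: npm run test -- --run
        working-directory: packages/mcp-shared

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # The image is only loaded into the local Docker daemon (load: true) so
      # Trivy can scan it; nothing is pushed to a registry from CI.
      - name: Build truvera-api image for scanning
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./apps/truvera-api/Dockerfile
          load: true
          tags: truvera-api-mcp:ci
          build-args: |
            BUILD_NUMBER=${{ github.run_number }}

      # exit-code '1' makes Trivy fail this step on findings, while
      # continue-on-error keeps the job alive so the summary and SARIF steps
      # still run; the last step turns the outcome back into a job failure.
      # NOTE: ignore-unfixed drops findings that have no upstream fix yet, so a
      # "PASSED" summary means "no fixable HIGH/CRITICAL findings", not "none".
      - name: Scan truvera-api image for HIGH and CRITICAL vulnerabilities
        id: trivy_scan
        continue-on-error: true
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          image-ref: truvera-api-mcp:ci
          format: table
          output: trivy-results.txt
          ignore-unfixed: true
          severity: HIGH,CRITICAL
          exit-code: '1'

      # steps.*.outcome is one of success/failure/cancelled/skipped, so it is
      # safe to interpolate straight into the shell; context values that an
      # outside contributor controls (PR titles, branch names, ...) must never
      # be expanded into `run:` this way - pass them through `env:` instead.
      # This step runs under always(), so the scan may have been skipped (e.g.
      # the image build failed): report that explicitly rather than as PASSED,
      # and only cat the report if Trivy actually produced it.
      - name: Add Trivy report to job summary
        if: always()
        run: |
          {
            echo "## Trivy Image Scan"
            echo
            case "${{ steps.trivy_scan.outcome }}" in
              failure)
                echo "**Status:** FAILED (HIGH/CRITICAL vulnerabilities found)"
                ;;
              success)
                echo "**Status:** PASSED (no HIGH/CRITICAL vulnerabilities found)"
                ;;
              *)
                echo "**Status:** NOT RUN (scan step outcome: ${{ steps.trivy_scan.outcome }})"
                ;;
            esac
            echo
            echo "<details><summary>Full Trivy output</summary>"
            echo
            echo '```text'
            if [ -f trivy-results.txt ]; then
              cat trivy-results.txt
            else
              echo "(no Trivy report was produced)"
            fi
            echo '```'
            echo "</details>"
          } >> "$GITHUB_STEP_SUMMARY"

      # Same scan again in SARIF form for GitHub code scanning. exit-code '0'
      # so findings never fail this step. Gated on the table scan having run
      # at all: if the image was never built there is nothing to scan.
      - name: Generate Trivy SARIF report
        if: always() && steps.trivy_scan.outcome != 'skipped'
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          image-ref: truvera-api-mcp:ci
          format: sarif
          output: trivy-results.sarif
          ignore-unfixed: true
          severity: HIGH,CRITICAL
          exit-code: '0'

      # Best-effort upload: fails (and is tolerated) when code scanning is not
      # enabled for the repository or the token lacks security-events: write.
      - name: Upload Trivy SARIF to GitHub Security
        id: trivy_sarif_upload
        continue-on-error: true
        if: always() && steps.trivy_scan.outcome != 'skipped'
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: trivy-results.sarif
          category: trivy-container-scan

      - name: Add SARIF upload status to job summary
        if: always()
        run: |
          if [ "${{ steps.trivy_sarif_upload.outcome }}" = "failure" ]; then
            echo >> "$GITHUB_STEP_SUMMARY"
            echo "## SARIF Upload" >> "$GITHUB_STEP_SUMMARY"
            echo >> "$GITHUB_STEP_SUMMARY"
            echo "SARIF upload was skipped or failed. GitHub code scanning may not be enabled for this repository." >> "$GITHUB_STEP_SUMMARY"
          fi

      # Kept as a separate, final step so the scan failure is raised only
      # after the summary and SARIF have been written.
      - name: Fail job if Trivy found HIGH/CRITICAL issues
        if: steps.trivy_scan.outcome == 'failure'
        run: |
          echo "Trivy detected HIGH/CRITICAL vulnerabilities. See job summary and Security tab for details."
          exit 1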