Merge pull request #16 from move-elevator/security-checks

Konrad Michalik · web-flow · commit a280c6ff8f33 · 2025-09-22T16:23:45.000+02:00
feat: add scheduled security checks for Composer and NPM
diff --git a/.gitlab-ci.yml.dist b/.gitlab-ci.yml.dist
@@ -28,14 +28,15 @@ include:
   - 'https://raw.githubusercontent.com/move-elevator/gitlab-ci-templates/main/test/test-prod-codeception.yaml'
   - 'https://raw.githubusercontent.com/move-elevator/gitlab-ci-templates/main/cache/cache-feature-warmup.yaml'
   - 'https://raw.githubusercontent.com/move-elevator/gitlab-ci-templates/main/cache/cache-prod-warmup.yaml'
+  - 'https://raw.githubusercontent.com/move-elevator/gitlab-ci-templates/main/security/security-composer-check-scheduled.yaml'
+  - 'https://raw.githubusercontent.com/move-elevator/gitlab-ci-templates/main/security/security-npm-check-scheduled.yamll'
 
 #-----------------------------------------------------------------------------------------------------------------------
 # CONFIGURATION (overrides)
 #-----------------------------------------------------------------------------------------------------------------------
 variables:
   BUILD_COMPOSER_VERSION: "2.8"
   BUILD_NODE_VERSION: "22"
-  FEATURE_BRANCH_NAME_REGEX: '^JIRA-.*$'
   # SSH configuration
   SSH_USER_STAGE:
   SSH_HOST_STAGE:
diff --git a/README.md b/README.md
@@ -111,6 +111,17 @@ Includes:
 - `cache/cache-feature-warmup.yaml`
 - `cache/cache-prod-warmup.yaml`
 
+### Security
+
+Run security checks using `audit` tools.
+
+Includes:
+- `security/security-composer-check-scheduled.yaml`
+- `security/security-npm-check-scheduled.yaml`
+
+> [!NOTE]
+> Needs to be scheduled in GitLab-CI.
+
 ## ⭐ License
 
 This project is licensed under [GNU General Public License 3.0 (or later)](LICENSE).
diff --git a/security/security-composer-check-scheduled.yaml b/security/security-composer-check-scheduled.yaml
@@ -0,0 +1,25 @@
+# Purpose:
+#   Analyze job for scanning for security vulnerabilities running within a gitlab schedule
+#
+# Dependency:
+#   Deployer task "security:check:composer"
+#
+security:composer:check:scheduled:
+  stage: analyse
+  extends:
+    - .base-schedule
+  dependencies: [ ]
+  cache:
+    key: security-$CI_JOB_NAME-$CI_COMMIT_REF_NAME
+    paths:
+      - vendor/xima/xima-deployer-tools/deployer/security/
+  variables:
+    GIT_STRATEGY: fetch
+  script:
+    - !reference [.check-deployment-dependencies, script]
+    - vendor/bin/dep security:check:composer local --notify $DEPLOYER_CONFIG_ADDITIONAL_OPTION
+  rules:
+    - if: $CI_JOB_NAME == $SCHEDULE_TASK_NAME
+      when: always
+    - when: never
+  resource_group: $CI_COMMIT_REF_NAME
diff --git a/security/security-npm-check-scheduled.yaml b/security/security-npm-check-scheduled.yaml
@@ -0,0 +1,25 @@
+# Purpose:
+#   Analyze job for scanning for security vulnerabilities running within a gitlab schedule
+#
+# Dependency:
+#   Deployer task "security:check:npm"
+#
+security:npm:check:scheduled:
+  stage: analyse
+  extends:
+    - .base-schedule
+  dependencies: [ ]
+  cache:
+    key: security-$CI_JOB_NAME-$CI_COMMIT_REF_NAME
+    paths:
+      - vendor/xima/xima-deployer-tools/deployer/security/
+  variables:
+    GIT_STRATEGY: fetch
+  script:
+    - !reference [.check-deployment-dependencies, script]
+    - vendor/bin/dep security:check:npm local --notify $DEPLOYER_CONFIG_ADDITIONAL_OPTION
+  rules:
+    - if: $CI_JOB_NAME == $SCHEDULE_TASK_NAME
+      when: always
+    - when: never
+  resource_group: $CI_COMMIT_REF_NAME
