chore(deps): bump react-dom and @types/react-dom #22
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Scan | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main, develop ] | |
| schedule: | |
| # Run security scan daily at 2 AM UTC | |
| - cron: '0 2 * * *' | |
| jobs: | |
| frontend-security: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '18.x' | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Run npm audit | |
| run: | | |
| npm audit --audit-level moderate | |
| echo "Security audit completed" | |
| - name: Check for known vulnerabilities | |
| run: | | |
| npx audit-ci --config .audit-ci.json || echo "Vulnerabilities found, check audit results" | |
| - name: Scan for secrets | |
| uses: trufflesecurity/trufflehog@main | |
| with: | |
| path: ./ | |
| base: main | |
| head: HEAD | |
| extra_args: --debug --only-verified | |
| backend-security: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.9' | |
| - name: Install dependencies | |
| working-directory: ./backend-api | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -r requirements.txt | |
| pip install safety bandit | |
| - name: Run safety check | |
| working-directory: ./backend-api | |
| run: | | |
| safety check --json --output safety-report.json || echo "Security vulnerabilities found" | |
| - name: Run bandit security linter | |
| working-directory: ./backend-api | |
| run: | | |
| bandit -r . -f json -o bandit-report.json || echo "Security issues found in code" | |
| - name: Upload security reports | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: security-reports | |
| path: | | |
| backend-api/safety-report.json | |
| backend-api/bandit-report.json | |
| container-security: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Build Docker image | |
| working-directory: ./backend-api | |
| run: | | |
| docker build -t quantflow-backend:security-scan . | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'quantflow-backend:security-scan' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| - name: Upload Trivy scan results | |
| uses: github/codeql-action/upload-sarif@v2 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| dependency-check: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Run Snyk to check for vulnerabilities | |
| uses: snyk/actions/node@master | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| with: | |
| args: --severity-threshold=high | |
| continue-on-error: true | |
| - name: Run Snyk for Python | |
| uses: snyk/actions/python@master | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| with: | |
| args: --severity-threshold=high | |
| continue-on-error: true | |
| notify-security-issues: | |
| needs: [frontend-security, backend-security, container-security, dependency-check] | |
| runs-on: ubuntu-latest | |
| if: failure() | |
| steps: | |
| - name: Notify security issues | |
| run: | | |
| echo "🚨 Security scan failed! Please check the logs for vulnerabilities." | |
| echo "Review the security reports and fix any critical issues." |