Security Scan #133
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Scan | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main, develop ] | |
| schedule: | |
| # Run security scan daily at 2 AM UTC | |
| - cron: '0 2 * * *' | |
| permissions: | |
| contents: read | |
| security-events: write | |
| jobs: | |
| frontend-security: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '18.x' | |
| cache: 'npm' | |
| cache-dependency-path: 'package-lock.json' | |
| - name: Clear npm cache and install dependencies | |
| run: | | |
| npm cache clean --force | |
| rm -rf node_modules | |
| npm ci | |
| - name: Run security audit | |
| run: | | |
| npx audit-ci --config .audit-ci.json | |
| echo "Security audit completed" | |
| - name: Scan for secrets | |
| uses: trufflesecurity/trufflehog@main | |
| if: github.event_name == 'pull_request' | |
| with: | |
| path: ./ | |
| base: ${{ github.event.pull_request.base.sha }} | |
| head: HEAD | |
| extra_args: --debug --only-verified | |
| - name: Scan for secrets (push event) | |
| uses: trufflesecurity/trufflehog@main | |
| if: github.event_name == 'push' | |
| with: | |
| path: ./ | |
| extra_args: --debug --only-verified | |
| backend-security: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.9' | |
| - name: Install dependencies | |
| working-directory: ./backend-api | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -r requirements.txt | |
| pip install safety bandit | |
| - name: Run safety check | |
| working-directory: ./backend-api | |
| run: | | |
| safety check --json --output safety-report.json || echo "Security vulnerabilities found" | |
| - name: Run bandit security linter | |
| working-directory: ./backend-api | |
| run: | | |
| bandit -r . -f json -o bandit-report.json || echo "Security issues found in code" | |
| - name: Upload security reports | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: security-reports | |
| path: | | |
| backend-api/safety-report.json | |
| backend-api/bandit-report.json | |
| container-security: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Build Docker image | |
| working-directory: ./backend-api | |
| run: | | |
| docker build -t quantflow-backend:security-scan . | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'quantflow-backend:security-scan' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| - name: Upload Trivy scan results | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| dependency-check: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Run Snyk to check for vulnerabilities | |
| uses: snyk/actions/node@master | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| with: | |
| args: --severity-threshold=high | |
| continue-on-error: true | |
| - name: Run Snyk for Python | |
| uses: snyk/actions/python@master | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| with: | |
| args: --severity-threshold=high | |
| continue-on-error: true | |
| notify-security-issues: | |
| needs: [frontend-security, backend-security, container-security, dependency-check] | |
| runs-on: ubuntu-latest | |
| if: failure() | |
| steps: | |
| - name: Notify security issues | |
| run: | | |
| echo "🚨 Security scan failed! Please check the logs for vulnerabilities." | |
| echo "Review the security reports and fix any critical issues." |