Ce 12885 add weekly security audit #13302
Open
cachelina wants to merge 20 commits into develop from ce-12885-add-weeekly-security-audit
Changes from 11 commits
20 commits, all by cachelina:
f88495f workflow: add new security audit
036b8f2 chore: debugging
a91cb54 play
980facb playtwo
c248010 playyyy
eef4701 playyy
db23af6 test: to rerun yarn audit
9ea5c81 chore: remove on push, and update slack channel va-mobile-app-alerts
8d2e543 chore: remove unneeded changes to oncall file
295a677 chore: update versions to SHA, and test on push
a56f465 chore: bring back schedule cron and workflow dispatch
896810f add no document flag to vtk install and test on push
bf94d49 chore: add secret inherit credentials for slack notification
cbc3880 chore: remove copilot suggestion
516f6b0 Merge branch 'develop' into ce-12885-add-weeekly-security-audit
b27e99d chore: update input for start slack thread to channel_id
c2ca16b chore: add on push to test job
677d523 chore: add retries to run vtk scan
60a99c8 chore: remove retry
bbb696d chore: remove on push, update channel ID to alerts
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| # Runs weekly security audits against the develop branch. | ||
| # Executes yarn audit to check dependencies for known vulnerabilities | ||
| # and vtk scan to check the repository for signs of active supply chain malware infection. | ||
|
|
||
| name: '[Security] Weekly Security Audit' | ||
|
|
||
| on: | ||
| schedule: | ||
| - cron: '0 8 * * 1' # Every Monday @ 8:00 AM UTC | ||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
| # Commenting out until dependabot PRs are merged and we can be sure the audit runs without errors | ||
| # yarn_audit: | ||
| # name: Yarn Dependency Audit | ||
| # runs-on: ubuntu-latest | ||
| # steps: | ||
| # - name: Checkout develop branch | ||
| # uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 | ||
| # with: | ||
| # ref: develop | ||
|
|
||
| # - name: Setup Node.js | ||
| # uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 | ||
| # with: | ||
| # node-version-file: 'VAMobile/.nvmrc' | ||
|
|
||
| # - name: Install dependencies | ||
| # uses: nick-fields/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 | ||
| # with: | ||
| # max_attempts: 3 | ||
| # timeout_minutes: 10 | ||
| # command: cd VAMobile && yarn install --ignore-scripts --frozen-lockfile --non-interactive | ||
|
|
||
| # - name: Run yarn audit | ||
| # run: yarn audit | ||
| # working-directory: VAMobile | ||
|
|
||
|
|
||
| vtk_scan: | ||
| name: VTK Repository Scan | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout develop branch | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 | ||
| with: | ||
| ref: develop | ||
|
|
||
| - name: Setup Ruby | ||
| uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f | ||
| with: | ||
| ruby-version: '3.3' | ||
|
|
||
| - name: Install VTK | ||
| run: gem install vtk | ||
|
|
||
|
|
||
| - name: Run VTK scan | ||
| run: vtk scan repo -r | ||
|
|
||
| notify_slack: | ||
| name: Send Slack notification for security issues | ||
| needs: vtk_scan | ||
| if: ${{ failure() }} | ||
| uses: ./.github/workflows/start_slack_thread.yml | ||
|
|
||
| with: | ||
| channel_name: va-mobile-app-alerts | ||
| message: | | ||
| :rotating_light: Weekly Security Audit Failed :rotating_light: | ||
| *Branch:* develop | ||
| One or more security scans reported issues against the `develop` branch. | ||
| <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View workflow run for details> | ||
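Review bot: the `Install VTK` step runs `gem install vtk` unpinned, so a workflow whose job is to detect supply-chain compromise fetches its own scanner at whatever version RubyGems serves on that Monday; pin it (`gem install vtk -v <version>`, or a committed Gemfile.lock with `bundle install`) the same way the actions in this file are already pinned to commit SHAs. Two least-privilege points in the same hunk: there is no top-level `permissions:` block, so the job's `GITHUB_TOKEN` receives the repository default; add `permissions: contents: read` since the scan only reads the checkout, and set `persist-credentials: false` on the `actions/checkout` step for the same reason. The `notify_slack` job calls the reusable workflow with only `with:` and no `secrets:`; if `start_slack_thread.yml` needs a Slack token, add `secrets: inherit` (or an explicit `secrets:` mapping), otherwise the failure notification will itself fail and nobody is alerted. Style: each SHA-pinned `uses:` line would benefit from a trailing `# vX.Y.Z` comment so reviewers can tell which release a SHA corresponds to and Dependabot can keep the pins current.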