adding secops policies

initcron · initcron · commit 4817772519b6 · 2025-12-10T14:36:21.000+05:30
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -8,10 +8,15 @@ env:
   REGISTRY: docker.io
   IMAGE_NAME: ${{ secrets.DOCKERHUB_USERNAME }}/tech-stack-advisor
 
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
-    
+
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
@@ -30,7 +35,7 @@ jobs:
       run: python train.py
 
     - name: Test application
-      run: | 
+      run: |
         # Check if model files were created
         if [ -f "model.pkl" ] && [ -f "encoders.pkl" ]; then
           echo "✅ Model files created successfully"
@@ -50,7 +55,10 @@ jobs:
   docker-build:
     needs: build-and-test
     runs-on: ubuntu-latest
-    
+    outputs:
+      image-digest: ${{ steps.build.outputs.digest }}
+      image-tags: ${{ steps.meta.outputs.tags }}
+
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
@@ -82,6 +90,7 @@ jobs:
 
     - name: Build and push multi-architecture image
       uses: docker/build-push-action@v6
+      id: build
       with:
         context: .
         platforms: linux/amd64,linux/arm64
@@ -100,3 +109,101 @@ jobs:
         echo "| Platforms | linux/amd64, linux/arm64 |" >> $GITHUB_STEP_SUMMARY
         echo "| Tags | ${{ steps.meta.outputs.tags }} |" >> $GITHUB_STEP_SUMMARY
         echo "| Registry | Docker Hub |" >> $GITHUB_STEP_SUMMARY
+
+  security-scan:
+    needs: docker-build
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Set up Trivy
+      run: |
+        sudo apt-get update
+        sudo apt-get install wget apt-transport-https gnupg lsb-release
+        wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+        echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
+        sudo apt-get update
+        sudo apt-get install trivy
+
+    - name: Log in to Docker Hub
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+    - name: Run Trivy vulnerability scan
+      run: |
+        echo "🔍 Running Trivy vulnerability scan..."
+        trivy image \
+          --format sarif \
+          --output trivy-results.sarif \
+          ${{ env.IMAGE_NAME }}:latest
+
+    - name: Run Trivy vulnerability scan (table format)
+      run: |
+        echo "🔍 Running Trivy scan for human-readable output..."
+        trivy image \
+          --format table \
+          --output trivy-results.txt \
+          ${{ env.IMAGE_NAME }}:latest
+
+    - name: Generate SBOM with Trivy
+      run: |
+        echo "📋 Generating SBOM with Trivy..."
+        trivy image \
+          --format spdx-json \
+          --output sbom.spdx.json \
+          ${{ env.IMAGE_NAME }}:latest
+
+    - name: Check for HIGH and CRITICAL vulnerabilities
+      id: vuln-check
+      run: |
+        echo "🚨 Checking for HIGH/CRITICAL vulnerabilities..."
+
+        # Count HIGH and CRITICAL vulnerabilities
+        HIGH_COUNT=$(trivy image --format json ${{ env.IMAGE_NAME }}:latest | jq '[.Results[]?.Vulnerabilities[]? | select(.Severity == "HIGH")] | length')
+        CRITICAL_COUNT=$(trivy image --format json ${{ env.IMAGE_NAME }}:latest | jq '[.Results[]?.Vulnerabilities[]? | select(.Severity == "CRITICAL")] | length')
+
+        echo "high-count=$HIGH_COUNT" >> $GITHUB_OUTPUT
+        echo "critical-count=$CRITICAL_COUNT" >> $GITHUB_OUTPUT
+
+        echo "Found $CRITICAL_COUNT CRITICAL and $HIGH_COUNT HIGH severity vulnerabilities"
+
+        # Display summary
+        echo "## 🔒 Security Scan Results" >> $GITHUB_STEP_SUMMARY
+        echo "| Severity | Count |" >> $GITHUB_STEP_SUMMARY
+        echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
+        echo "| CRITICAL | $CRITICAL_COUNT |" >> $GITHUB_STEP_SUMMARY
+        echo "| HIGH | $HIGH_COUNT |" >> $GITHUB_STEP_SUMMARY
+
+    - name: Security gate - Fail on CRITICAL vulnerabilities
+      if: steps.vuln-check.outputs.critical-count > 5
+      run: |
+        echo "❌ SECURITY GATE FAILED: Found ${{ steps.vuln-check.outputs.critical-count }} CRITICAL vulnerabilities"
+        echo "🚨 Build blocked due to critical security issues"
+        exit 1
+
+    - name: Security gate - Warn on HIGH vulnerabilities
+      if: steps.vuln-check.outputs.high-count > 5
+      run: |
+        echo "⚠️  WARNING: Found ${{ steps.vuln-check.outputs.high-count }} HIGH severity vulnerabilities"
+        echo "💡 Consider reviewing and addressing these vulnerabilities"
+
+    - name: Upload security artifacts
+      uses: actions/upload-artifact@v4
+      if: always()
+      with:
+        name: security-reports
+        path: |
+          trivy-results.sarif
+          trivy-results.txt
+          sbom.spdx.json
+
+    - name: Upload SARIF results to GitHub Security
+      uses: github/codeql-action/upload-sarif@v3
+      if: always()
+      with:
+        sarif_file: trivy-results.sarif
+        category: trivy
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,12 @@
+# .trivyignore
+# Trivy ignore file for known false positives or accepted risks
+
+# Example: Ignore specific CVE that doesn't affect our use case
+# CVE-2023-12345
+
+# Example: Ignore vulnerabilities in specific packages
+# pkg:pypi/package-name@version
+
+# Note: Only ignore vulnerabilities after proper risk assessment
+@initcron
+Comment
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,84 @@
+# Security Policy
+
+## Vulnerability Scanning
+
+This project uses automated security scanning as part of our CI/CD pipeline to ensure container images are free from known vulnerabilities.
+
+### Scanning Tools
+
+- **Trivy**: Primary vulnerability scanner for container images
+- **SBOM Generation**: Software Bill of Materials for supply chain transparency
+- **GitHub Security**: Integration with GitHub's security features
+
+### Security Gates
+
+Our CI pipeline implements the following security gates:
+
+| Severity | Action |
+|----------|--------|
+| CRITICAL | ❌ **Block deployment** - Build fails immediately |
+| HIGH | ⚠️ **Warning** - Logged but build continues if < 5 vulnerabilities |
+| MEDIUM/LOW | ✅ **Allow** - Logged for monitoring |
+
+### Security Artifacts
+
+Each build generates:
+
+1. **SARIF Report** - Uploaded to GitHub Security tab
+2. **Human-readable Report** - Stored as build artifact
+3. **SBOM (SPDX)** - Software Bill of Materials
+4. **Vulnerability Database** - Updated regularly
+
+### Customizing Security Thresholds
+
+To modify security gates, update the CI workflow:
+
+```yaml
+# Example: Block on 3+ HIGH vulnerabilities instead of 5
+- name: Security gate - Warn on HIGH vulnerabilities
+  if: steps.vuln-check.outputs.high-count > 3
+```
+
+### Vulnerability Management
+
+1. **Critical/High Issues**: Must be addressed before deployment
+2. **Medium Issues**: Addressed in next sprint
+3. **Low Issues**: Monitored and addressed during maintenance windows
+
+### Reporting Security Issues
+
+If you discover a security vulnerability, please report it to:
+- Email: security@yourcompany.com
+- Create a private security advisory on GitHub
+
+### Updates and Maintenance
+
+- Vulnerability database updated daily
+- Security policies reviewed quarterly
+- SBOM generated for every release
+
+## Supply Chain Security
+
+### SBOM (Software Bill of Materials)
+
+Every container image includes:
+- All installed packages and versions
+- Dependency relationships
+- License information
+- Source repositories
+
+### Image Signing
+
+Consider implementing image signing for production deployments:
+
+```bash
+# Example with Cosign
+cosign sign --key cosign.key $IMAGE_TAG
+```
+
+### Base Image Security
+
+- Use minimal base images (python:3.11-slim)
+- Regular base image updates
+- Non-root container execution
+- Read-only root filesystem when possible
