fix: Remaining audit fixes — dispatch logging, backoff, validation, a… #67
| # ============================================================================= | |
| # Wazuh OpenClaw Autopilot - CI/CD Pipeline | |
| # ============================================================================= | |
| # Runs on push and pull request to main branch | |
| # - Lint: ESLint code quality checks | |
| # - Test: Unit tests with Node.js test runner | |
| # - Security: npm audit for vulnerabilities | |
| # - Build: Docker image build verification | |
| # ============================================================================= | |
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| env: | |
| NODE_VERSION: "22" | |
| jobs: | |
| # --------------------------------------------------------------------------- | |
| # Lint | |
| # --------------------------------------------------------------------------- | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: ${{ env.NODE_VERSION }} | |
| cache: "npm" | |
| cache-dependency-path: runtime/autopilot-service/package-lock.json | |
| - name: Install dependencies | |
| working-directory: runtime/autopilot-service | |
| run: npm ci | |
| - name: Run ESLint | |
| working-directory: runtime/autopilot-service | |
| run: npm run lint --if-present | |
| # --------------------------------------------------------------------------- | |
| # Test | |
| # --------------------------------------------------------------------------- | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: ${{ env.NODE_VERSION }} | |
| cache: "npm" | |
| cache-dependency-path: runtime/autopilot-service/package-lock.json | |
| - name: Install dependencies | |
| working-directory: runtime/autopilot-service | |
| run: npm ci | |
| - name: Run tests | |
| working-directory: runtime/autopilot-service | |
| run: npm test | |
| # --------------------------------------------------------------------------- | |
| # Security Audit | |
| # --------------------------------------------------------------------------- | |
| security: | |
| name: Security Audit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: ${{ env.NODE_VERSION }} | |
| cache: "npm" | |
| cache-dependency-path: runtime/autopilot-service/package-lock.json | |
| - name: Install dependencies | |
| working-directory: runtime/autopilot-service | |
| run: npm ci | |
| - name: Run npm audit | |
| working-directory: runtime/autopilot-service | |
| run: npm audit --audit-level=high | |
| # --------------------------------------------------------------------------- | |
| # Docker Build | |
| # --------------------------------------------------------------------------- | |
| docker: | |
| name: Docker Build | |
| runs-on: ubuntu-latest | |
| needs: [lint, test, security] | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build Docker image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: ./runtime/autopilot-service | |
| push: false | |
| load: true | |
| tags: wazuh-autopilot:${{ github.sha }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Scan Docker image for vulnerabilities | |
| uses: aquasecurity/trivy-action@0.28.0 | |
| with: | |
| image-ref: wazuh-autopilot:${{ github.sha }} | |
| format: table | |
| exit-code: 1 | |
| severity: CRITICAL,HIGH | |
| # --------------------------------------------------------------------------- | |
| # Policy Validation | |
| # --------------------------------------------------------------------------- | |
| validate-policies: | |
| name: Validate Policies | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Validate YAML syntax | |
| run: | | |
| # Install yaml-lint | |
| pip install yamllint | |
| # Validate policy files | |
| yamllint -d relaxed policies/policy.yaml | |
| yamllint -d relaxed policies/toolmap.yaml | |
| - name: Check for placeholder values | |
| run: | | |
| # Warn if placeholders exist (but don't fail - they're expected in templates) | |
| if grep -r "<SLACK_" policies/; then | |
| echo "::warning::Policy files contain placeholder values. Configure before production use." | |
| fi |
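Review bot: The workflow declares no `permissions:` block, so every job runs with the repository's default GITHUB_TOKEN scope, which on many repositories is read/write even though none of these steps push or publish; adding a top-level `permissions:` mapping containing `contents: read` (directly under `name: CI`) keeps a compromised dependency or action in the lint, test, security or docker jobs from being able to write to the repository. The same jobs reference `actions/checkout@v4`, `actions/setup-node@v4`, `docker/setup-buildx-action@v3`, `docker/build-push-action@v6` and `aquasecurity/trivy-action@0.28.0` by mutable tag; pinning each to a full commit SHA with the tag kept in a trailing comment (`uses: actions/checkout@<commit-sha>  # v4`) is the usual mitigation against a tag being re-pointed. The `Validate YAML syntax` step's `pip install yamllint` is likewise unpinned, which makes the validate-policies job non-reproducible; a `pip install yamllint==<version>` pin would address that.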