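---
# Security Quality Gates: SAST, dependency and policy checks on pushes to the
# protected branches and on pull requests targeting them.
#
# Gate semantics as configured in this file:
#   - security-scan fails the workflow on npm audit findings >= moderate and on
#     any CodeQL / Semgrep / Dependency-Check tool error.
#   - code-quality fails on lint or test failures.
#   - security-policy-check and vulnerability-assessment are ADVISORY ONLY:
#     every check in them either echoes a warning or runs with
#     continue-on-error, so they can never fail the workflow.
name: Security Quality Gates

on:
  push:
    branches: [main, develop, safe-improvements]
  pull_request:
    branches: [main, develop]

# Least privilege for the workflow's GITHUB_TOKEN. Without this block the token
# inherits the repository default, which may be read/write on every scope.
# Jobs that need more (CodeQL's SARIF upload) widen it locally.
permissions:
  contents: read

jobs:
  security-scan:
    runs-on: ubuntu-latest
    name: Security Scanning
    permissions:
      contents: read
      # Required by github/codeql-action/analyze to upload SARIF to code
      # scanning; with a read-only token that upload step fails.
      security-events: write
      # Lets the CodeQL action read workflow-run metadata (private repos).
      actions: read
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # NOTE(review): Node.js 18 is past end-of-life (April 2025); plan a move
      # to a supported LTS line so the toolchain itself keeps receiving fixes.
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      # Hard gate: exits non-zero when an advisory of severity moderate or
      # higher is present in the lockfile's dependency tree.
      - name: Run security audit
        run: npm audit --audit-level=moderate

      - name: CodeQL Analysis
        uses: github/codeql-action/init@v3
        with:
          languages: javascript

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3

      # NOTE(review): returntocorp/semgrep-action is the legacy action name;
      # check the Semgrep docs for the currently supported way to run
      # `semgrep ci` before relying on this step long-term.
      - name: SAST Scan with Semgrep
        uses: returntocorp/semgrep-action@v1
        with:
          # Folded scalar: the rulesets are passed as one space-separated value.
          config: >-
            p/security-audit
            p/secrets
            p/owasp-top-ten

      # NOTE(review): `@main` is a mutable ref, so any change pushed to that
      # repository (malicious or not) runs here with this job's token without
      # review. Pin to a release tag or, better, a full commit SHA.
      - name: Dependency Check
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: 'Audityzer'
          path: '.'
          format: 'ALL'

      # Upload even when an earlier gate failed (but not on cancel): the
      # failing run is the one whose evidence reviewers need. If no earlier
      # step produced reports/, upload-artifact only warns.
      - name: Upload security results
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: security-scan-results
          path: reports/

  code-quality:
    runs-on: ubuntu-latest
    name: Code Quality Check
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Run ESLint
        run: npm run lint

      - name: Run tests with coverage
        run: npm run test:coverage

      # Placeholder: no SonarCloud token is configured, so this step only
      # prints, and continue-on-error means it cannot fail the job anyway.
      - name: SonarCloud Scan
        run: |
          echo "SonarCloud scan would run here"
          echo "Skipping SonarCloud scan - token not configured"
        continue-on-error: true

  security-policy-check:
    runs-on: ubuntu-latest
    name: Security Policy Validation
    steps:
      - uses: actions/checkout@v4

      # Advisory only: each check prints a warning but exits 0, so a missing
      # file never fails the workflow. Replace `|| echo "..."` with
      # `|| exit 1` on a line to turn that check into a real gate.
      - name: Check security policy compliance
        run: |
          echo "Validating security policies..."
          # Check for required security files
          test -f SECURITY.md && echo "✅ SECURITY.md found" || echo "⚠️ SECURITY.md not found"
          test -f .github/SECURITY.md && echo "✅ .github/SECURITY.md found" || echo "⚠️ .github/SECURITY.md not found"
          # Validate security configuration
          test -f .github/dependabot.yml && echo "✅ dependabot.yml found" || echo "⚠️ dependabot.yml not found"
          # Check for security headers in web configs.
          # --exclude-dir keeps .git objects and any vendored node_modules out
          # of the search; -I skips binary files so the output stays readable.
          grep -rI --exclude-dir=.git --exclude-dir=node_modules "Content-Security-Policy" . || echo "Warning: CSP headers not found"
          echo "Security policy validation completed"

  vulnerability-assessment:
    runs-on: ubuntu-latest
    name: Vulnerability Assessment
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      # Placeholder for Snyk: no token configured. The npm audit run here is
      # advisory only (its exit status is swallowed by `|| echo` and the step
      # is continue-on-error); the enforcing audit lives in security-scan.
      - name: Run Snyk vulnerability scan
        run: |
          echo "Snyk vulnerability scan would run here"
          echo "Skipping Snyk scan - token not configured"
          npm audit --audit-level=moderate || echo "npm audit completed with warnings"
        continue-on-error: true

      # Placeholder: a DAST baseline needs a running target, which this
      # workflow does not start. The ✅ line is informational, not a result.
      - name: OWASP ZAP Baseline Scan
        run: |
          echo "OWASP ZAP baseline scan would run here"
          echo "Skipping ZAP scan - requires running application"
          echo "✅ Vulnerability assessment placeholder completed"
        continue-on-error: true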