breakpilot-pwa/admin-v2/.github/workflows/security.yml
BreakPilot Dev 557305db5d
feat: Add Academy, Whistleblower, Incidents SDK modules, pitch-deck, blog and CI/CD config
- Academy, Whistleblower, Incidents frontend pages with API proxies and types
- Vendor compliance API proxy route
- Go backend handlers and models for all new SDK modules
- Investor pitch-deck app with interactive slides
- Blog section with DSGVO, AI Act, NIS2, glossary articles
- MkDocs documentation site
- CI/CD pipelines (Woodpecker, GitHub Actions), security scanning config
- Planning and implementation documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-13 21:12:16 +01:00


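---
# Security scanning workflow: secret, dependency, per-language and container
# image scans on every push/PR to main or develop plus a weekly schedule.
# Every scanner is deliberately non-blocking (continue-on-error, `|| true`,
# --exit-zero / -no-fail): findings land in the Security tab and the step
# summary but never fail the build. Tighten once the baseline is clean.
name: Security Scanning

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  schedule:
    # Run security scans weekly on Sundays at midnight (UTC)
    - cron: '0 0 * * 0'

# Least-privilege GITHUB_TOKEN. Declaring `permissions` sets every
# unlisted scope to none; upload-sarif needs security-events: write
# (and actions: read on private repositories), gitleaks-action reads PR
# commits and posts review comments on findings.
permissions:
  contents: read
  actions: read
  security-events: write
  pull-requests: write

jobs:
  # ==========================================
  # Secret Scanning
  # ==========================================
  secret-scan:
    name: Secret Scanning
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so both scanners can walk every commit

      - name: TruffleHog Secret Scan
        # TODO(review): `main` is a mutable ref; pin to a release tag or commit SHA
        uses: trufflesecurity/trufflehog@main
        with:
          extra_args: --only-verified  # report only credentials that verified live

      - name: GitLeaks Secret Scan
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        continue-on-error: true

  # ==========================================
  # Dependency Vulnerability Scanning
  # ==========================================
  dependency-scan:
    name: Dependency Vulnerability Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner (filesystem)
        uses: aquasecurity/trivy-action@0.28.0  # pinned release instead of mutable `master`
        with:
          scan-type: 'fs'
          scan-ref: '.'
          severity: 'CRITICAL,HIGH'
          format: 'sarif'
          output: 'trivy-fs-results.sarif'
        continue-on-error: true

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-fs-results.sarif'
          # Each Trivy upload in this workflow gets its own category; uploads
          # from the same tool with the same category replace one another.
          category: trivy-fs
        continue-on-error: true

  # ==========================================
  # Go Security Scan
  # ==========================================
  go-security:
    name: Go Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.21'

      - name: Run Gosec Security Scanner
        uses: securego/gosec@v2.21.4  # pinned release instead of mutable `master`
        with:
          # -no-fail: report findings without a non-zero exit
          args: '-no-fail -fmt sarif -out gosec-results.sarif ./consent-service/...'
        continue-on-error: true

      - name: Upload Gosec results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'gosec-results.sarif'
          category: gosec
        continue-on-error: true

      - name: Run govulncheck
        working-directory: ./consent-service
        # @latest resolves at run time so the tool ships a current vuln DB;
        # `|| true` keeps known vulnerabilities from failing the job.
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./... || true

  # ==========================================
  # Python Security Scan
  # ==========================================
  python-security:
    name: Python Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install safety and bandit
        # bandit's SARIF formatter (-f sarif below) lives in the [sarif] extra;
        # a bare `pip install bandit` cannot write SARIF output.
        run: pip install safety 'bandit[sarif]'

      - name: Run Safety (dependency check)
        working-directory: ./backend
        run: safety check -r requirements.txt --full-report || true

      - name: Run Bandit (code security scan)
        working-directory: ./backend
        run: bandit -r . -f sarif -o bandit-results.sarif --exit-zero

      - name: Upload Bandit results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: './backend/bandit-results.sarif'
          category: bandit
        continue-on-error: true

  # ==========================================
  # Node.js Security Scan
  # ==========================================
  node-security:
    name: Node.js Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install dependencies
        working-directory: ./website
        run: npm ci  # lockfile-exact install so the audit reflects committed deps

      - name: Run npm audit
        working-directory: ./website
        run: npm audit --audit-level=high || true

  # ==========================================
  # Docker Image Scanning
  # ==========================================
  docker-security:
    name: Docker Image Security
    runs-on: ubuntu-latest
    needs: [go-security, python-security, node-security]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Build consent-service image
        run: docker build -t breakpilot/consent-service:scan ./consent-service

      - name: Run Trivy on consent-service
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: 'breakpilot/consent-service:scan'
          severity: 'CRITICAL,HIGH'
          format: 'sarif'
          output: 'trivy-consent-results.sarif'
        continue-on-error: true

      - name: Build backend image
        run: docker build -t breakpilot/backend:scan ./backend

      - name: Run Trivy on backend
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: 'breakpilot/backend:scan'
          severity: 'CRITICAL,HIGH'
          format: 'sarif'
          output: 'trivy-backend-results.sarif'
        continue-on-error: true

      # One upload per image: each SARIF file needs its own upload step and
      # category, otherwise the backend results would never reach the Security tab.
      - name: Upload Trivy results (consent-service)
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-consent-results.sarif'
          category: trivy-image-consent-service
        continue-on-error: true

      - name: Upload Trivy results (backend)
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-backend-results.sarif'
          category: trivy-image-backend
        continue-on-error: true

  # ==========================================
  # Security Summary
  # ==========================================
  security-summary:
    name: Security Summary
    runs-on: ubuntu-latest
    needs: [secret-scan, dependency-scan, go-security, python-security, node-security, docker-security]
    if: always()  # summarise even when an upstream job failed or was cancelled
    steps:
      - name: Create security summary
        # needs.*.result expands to success/failure/cancelled/skipped before
        # the shell runs; the quoted heredoc keeps the markdown literal.
        run: |
          cat >> "$GITHUB_STEP_SUMMARY" <<'EOF'
          ## Security Scan Results

          | Scan Type | Status |
          |-----------|--------|
          | Secret Scanning | ${{ needs.secret-scan.result }} |
          | Dependency Scanning | ${{ needs.dependency-scan.result }} |
          | Go Security | ${{ needs.go-security.result }} |
          | Python Security | ${{ needs.python-security.result }} |
          | Node.js Security | ${{ needs.node-security.result }} |
          | Docker Security | ${{ needs.docker-security.result }} |

          ### Notes
          - Results are uploaded to the GitHub Security tab
          - Weekly scheduled scans run on Sundays
          EOF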