oabrivard
/
knowfoolery
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '2f283469c2'
${ noResults }
knowfoolery/tasks/security-scan.yml

76 lines
3.2 KiB
YAML
Raw Blame History

version: '3'
tasks:
security-scan:
desc: Run full CI quality and security checks
cmds:
- task: prepare-reports
- task: backend-lint
- task: frontend-lint
- task: unit-tests
- task: integration-tests
- task: docker-build-validate
- task: gosec-scan
- task: trivy-fs-scan
- task: trivy-image-scan
prepare-reports:
internal: true
cmds:
- mkdir -p reports/security reports/tests reports/docker
backend-lint:
cmds:
- |
set -eu
for module in \
services/admin-service \
services/game-session-service \
services/gateway-service \
services/leaderboard-service \
services/question-bank-service \
services/user-service \
shared
do
(cd "backend/${module}" && golangci-lint run ./...)
done
frontend-lint:
cmds:
- cd frontend && yarn lint
- cd frontend && yarn format:check
unit-tests:
cmds:
- bash -o pipefail -c 'set -eu; for module in services/admin-service services/game-session-service services/gateway-service services/leaderboard-service services/question-bank-service services/user-service shared; do (cd "backend/${module}" && go test -v -race -cover ./...); done | tee reports/tests/backend-unit.log'
- bash -o pipefail -c 'cd frontend && CI=1 yarn test | tee ../reports/tests/frontend-unit.log'
integration-tests:
cmds:
- bash -o pipefail -c 'set -eu; cd backend; for dir in services/*/tests; do if [ -d "$dir" ]; then go test -v "./$dir/..." | tee "../reports/tests/$(basename "$(dirname "$dir")")-integration.log"; fi; done'
docker-build-validate:
cmds:
- bash -o pipefail -c 'set -eu; for service in gateway game-session question-bank user leaderboard admin; do docker build -f "infrastructure/services/${service}.Dockerfile" -t "knowfoolery/${service}:ci" . | tee "reports/docker/${service}-build.log"; done'
gosec-scan:
cmds:
- bash -o pipefail -c 'set -eu; mkdir -p reports/security; set +e; gosec -fmt sarif -out reports/security/gosec.sarif ./backend/services/admin-service/... ./backend/services/game-session-service/... ./backend/services/gateway-service/... ./backend/services/leaderboard-service/... ./backend/services/question-bank-service/... ./backend/services/user-service/... ./backend/shared/... 2>&1 | tee reports/security/gosec.log; status=${PIPESTATUS[0]}; set -e; if grep -q "Panic when running SSA analyzer" reports/security/gosec.log || grep -q "file requires newer Go version" reports/security/gosec.log; then echo "gosec runtime/toolchain panic detected; treating as non-blocking tool failure."; exit 0; fi; exit "${status}"'
trivy-fs-scan:
cmds:
- trivy fs --format json --output reports/security/trivy-fs.json --severity HIGH,CRITICAL --exit-code 1 .
trivy-image-scan:
cmds:
- |
set -eu
for service in gateway game-session question-bank user leaderboard admin; do
trivy image \
--format json \
--output "reports/security/trivy-image-${service}.json" \
--severity HIGH,CRITICAL \
--exit-code 1 \
"knowfoolery/${service}:ci"
done
Reference in New Issue View Git Blame Copy Permalink