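---
# Weekly (and on-demand) security scanning: dependency vulnerabilities, static
# analysis and secret scanning, each uploading its report as an artifact and a
# final job that rolls the three job results into the step summary.
#
# NOTE(review): every action below is referenced by a moving tag (`@v4`, `@v2`,
# `@main`); for a security workflow consider pinning each to a full commit SHA so
# a compromised or retagged upstream cannot change what runs here.
name: Security Scanning

# `on` is a YAML 1.1 boolean key; GitHub's loader handles it, generic linters may flag it.
on:
  schedule:
    - cron: '0 0 * * 0'  # Run weekly on Sunday at midnight (UTC)
  workflow_dispatch:  # Allow manual triggering

# Least privilege for the default token: the jobs only read the repository.
# Artifact upload uses the runner's runtime token, not GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  dependency-check:
    name: "Dependency Vulnerability Scan"
    # `runs-on` is required even when a container image is given; it was missing
    # here while the secret-scanning job already uses ubuntu-latest.
    runs-on: ubuntu-latest
    container:
      image: "cimg/openjdk:23.0-node"
    steps:
      - name: "Checkout"
        uses: actions/checkout@v4

      - name: "Setup Node.js"
        uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: "Install Bun"
        uses: oven-sh/setup-bun@v2
        with:
          # NOTE(review): `latest` is not reproducible; pin a version so the scan
          # tooling itself is a known quantity.
          bun-version: latest

      # NOTE(review): the backend is a Gradle project (see code-scanning below).
      # `npm init -y` writes a package.json with no dependencies and no lockfile,
      # so this audit has nothing to examine and `npm audit` is expected to exit
      # non-zero (no lockfile) -- confirm whether this step is still wanted.
      - name: "Run npm audit (Backend Dependencies)"
        working-directory: ./backend
        continue-on-error: true
        run: |
          npm init -y
          npm audit --json > npm-audit-report.json
          echo "### Backend npm Audit Results" >> "$GITHUB_STEP_SUMMARY"
          echo "$(npm audit --omit dev | tail -n 5)" >> "$GITHUB_STEP_SUMMARY"

      - name: "Run npm audit (Frontend Dependencies)"
        working-directory: ./frontend
        continue-on-error: true
        run: |
          bun pm audit --json > bun-audit-report.json
          echo "### Frontend bun Audit Results" >> "$GITHUB_STEP_SUMMARY"
          echo "$(bun pm audit | tail -n 5)" >> "$GITHUB_STEP_SUMMARY"

      # NOTE(review): `@main` tracks a moving branch; pin to a release tag or SHA.
      # `--failOnCVSS 7` makes this step fail whenever a High/Critical finding
      # exists, which is why the two steps after it carry `if: always()`.
      - name: "Run OWASP Dependency Check"
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: "Casino"
          path: "."
          format: "HTML"
          out: "reports"
          args: >-
            --failOnCVSS 7
            --enableRetired

      - name: "Upload Dependency Check Report"
        if: always()  # the report is most needed exactly when the scan step failed
        uses: actions/upload-artifact@v4
        with:
          name: dependency-check-report
          path: reports/
          retention-days: 30

      - name: "Summarize Findings"
        if: always()
        run: |
          echo "### OWASP Dependency Check Summary" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "Full report has been uploaded as an artifact." >> "$GITHUB_STEP_SUMMARY"
          # `grep -c` prints 0 AND exits 1 when nothing matches, so `|| echo 0`
          # produced two lines ("0" twice); `|| true` keeps the single count and
          # a missing report (grep exit 2, no output) falls back to 0 below.
          # These are line counts of the words in the HTML, an approximation only.
          HIGH_VULNS=$(grep -c "High" reports/dependency-check-report.html 2>/dev/null || true)
          CRITICAL_VULNS=$(grep -c "Critical" reports/dependency-check-report.html 2>/dev/null || true)
          echo "| Severity | Count |" >> "$GITHUB_STEP_SUMMARY"
          echo "| --- | --- |" >> "$GITHUB_STEP_SUMMARY"
          echo "| Critical | ${CRITICAL_VULNS:-0} |" >> "$GITHUB_STEP_SUMMARY"
          echo "| High | ${HIGH_VULNS:-0} |" >> "$GITHUB_STEP_SUMMARY"

  code-scanning:
    name: "Static Code Analysis"
    runs-on: ubuntu-latest  # required alongside `container`; was missing
    container:
      image: "cimg/openjdk:23.0-node"
    steps:
      - name: "Checkout"
        uses: actions/checkout@v4

      - name: "Setup Java"
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '23'

      # NOTE(review): this is the only action referenced by full URL (Gitea/Forgejo
      # style); the others use the short `owner/repo` form -- confirm which forge
      # runs this workflow and make the references consistent.
      - name: "Cache Gradle dependencies"
        uses: https://github.com/actions/cache@v4
        with:
          path: |
            ~/.gradle/caches
            ~/.gradle/wrapper
            backend/.gradle
          key: gradle-${{ runner.os }}-${{ hashFiles('backend/build.gradle.kts', 'backend/gradle/wrapper/gradle-wrapper.properties') }}
          restore-keys: |
            gradle-${{ runner.os }}-

      - name: "Setup Gradle"
        working-directory: ./backend
        run: chmod +x ./gradlew

      # The heredoc redirection was garbled (`cat <> build.gradle.kts`, which opens
      # the file read-write and then runs the Kotlin lines as shell commands); it is
      # restored as an append with a quoted delimiter so `$buildDir` stays literal.
      # NOTE(review): Gradle requires `plugins {}` to precede every other statement
      # in a build script, so appending a second block at the end is expected to
      # fail evaluation unless build.gradle.kts is arranged for it -- confirm.
      # The XML report is added because the summary step greps main.xml.
      - name: "Install SpotBugs"
        working-directory: ./backend
        run: |
          cat <<'EOT' >> build.gradle.kts
          plugins {
              id("com.github.spotbugs") version "6.0.11"
          }
          spotbugs {
              ignoreFailures.set(true)
              showProgress.set(true)
              reportsDir.set(file("$buildDir/reports/spotbugs"))
              effort.set(com.github.spotbugs.snom.Effort.MAX)
          }
          tasks.spotbugsMain {
              reports {
                  create("html") {
                      required.set(true)
                      outputLocation.set(file("$buildDir/reports/spotbugs/main.html"))
                  }
                  create("xml") {
                      required.set(true)
                      outputLocation.set(file("$buildDir/reports/spotbugs/main.xml"))
                  }
              }
          }
          EOT

      - name: "Run SpotBugs"
        working-directory: ./backend
        run: ./gradlew spotbugsMain

      - name: "Upload SpotBugs Report"
        if: always()  # keep whatever was produced even if the Gradle run failed
        uses: actions/upload-artifact@v4
        with:
          name: spotbugs-report
          path: backend/build/reports/spotbugs/
          retention-days: 30

      # NOTE(review): unpinned installs resolve to whatever is current; ESLint 9
      # defaults to flat config and may not accept the legacy `.eslintrc.*` file
      # written in the next step -- pin versions known to work with that config.
      - name: "Install ESLint"
        if: always()
        working-directory: ./frontend
        run: npm install --no-save eslint eslint-plugin-security

      # Heredoc restored (`cat < .eslintrc.security.js` was a read redirection).
      - name: "Run ESLint Security Plugin"
        if: always()
        working-directory: ./frontend
        run: |
          cat <<'EOT' > .eslintrc.security.js
          module.exports = {
            "plugins": ["security"],
            "extends": ["plugin:security/recommended"]
          }
          EOT
          npx eslint -c .eslintrc.security.js 'src/**/*.ts' -f json > eslint-security-report.json || true

      - name: "Upload ESLint Security Report"
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: eslint-security-report
          path: frontend/eslint-security-report.json
          retention-days: 30

      - name: "Summarize Security Findings"
        if: always()
        run: |
          echo "### Static Code Analysis Summary" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "Security reports have been uploaded as artifacts." >> "$GITHUB_STEP_SUMMARY"
          # Same `grep -c ... || echo 0` double-output fix as in dependency-check.
          SPOTBUGS_ISSUES=$(grep -c "BugInstance" backend/build/reports/spotbugs/main.xml 2>/dev/null || true)
          echo "- SpotBugs identified ${SPOTBUGS_ISSUES:-0} potential issues" >> "$GITHUB_STEP_SUMMARY"
          # The JSON report is typically a single line, so a line count (-c) would
          # cap at 1; count occurrences of the key instead.
          ESLINT_ISSUES=$(grep -o '"severity"' frontend/eslint-security-report.json 2>/dev/null | wc -l)
          echo "- ESLint Security Plugin identified ${ESLINT_ISSUES:-0} potential issues" >> "$GITHUB_STEP_SUMMARY"

  secret-scanning:
    name: "Secret Scanning"
    runs-on: ubuntu-latest
    steps:
      - name: "Checkout"
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so gitleaks can scan past commits

      # NOTE(review): the tarball is fetched over TLS but not integrity-checked;
      # verify it against the checksum file published with the release (or use the
      # official gitleaks action pinned by commit SHA). `-f` makes curl fail on an
      # HTTP error instead of piping an error page into tar.
      - name: "Install Gitleaks"
        run: |
          curl -fsSL https://github.com/zricethezav/gitleaks/releases/download/v8.18.1/gitleaks_8.18.1_linux_x64.tar.gz | tar xz
          chmod +x gitleaks
          sudo mv gitleaks /usr/local/bin/

      # `--no-git` limited the scan to the working tree, which discarded the full
      # history fetched above and misses secrets that were committed and later
      # removed; scanning git history is the reason for `fetch-depth: 0`.
      # gitleaks exits non-zero when it finds leaks, hence `|| true`.
      - name: "Run Gitleaks"
        run: |
          gitleaks detect --source . --report-path gitleaks-report.json --redact || true

      - name: "Upload Gitleaks Report"
        uses: actions/upload-artifact@v4
        with:
          name: gitleaks-report
          path: gitleaks-report.json
          retention-days: 30

      - name: "Summarize Secret Findings"
        run: |
          echo "### Secret Scanning Summary" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          # Check if any secrets were found. gitleaks writes "[]" when nothing is
          # found, so a non-empty file (`-s`) is not evidence of findings; count
          # the entries instead (missing or unparsable report counts as 0).
          SECRETS_COUNT=$(jq length gitleaks-report.json 2>/dev/null || echo 0)
          if [ "${SECRETS_COUNT:-0}" -gt 0 ]; then
            echo "⚠️ **$SECRETS_COUNT potential secrets found in the codebase**" >> "$GITHUB_STEP_SUMMARY"
            echo "" >> "$GITHUB_STEP_SUMMARY"
            echo "Please review the detailed report in the artifacts." >> "$GITHUB_STEP_SUMMARY"
          else
            echo "✅ No leaked secrets detected in the codebase" >> "$GITHUB_STEP_SUMMARY"
          fi

  security-report:
    name: "Security Report"
    runs-on: ubuntu-latest  # required; was missing
    needs: [dependency-check, code-scanning, secret-scanning]
    if: always()  # summarize even when a scan job failed
    steps:
      - name: "Summarize Security Scan"
        run: |
          echo "# 🔒 Security Scan Complete" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "## Summary" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          # Check each job status and create summary. `needs.*.result` is one of
          # success/failure/cancelled/skipped; anything but success is reported as
          # "Potential issues found" (a cancelled job shows the same, by design here).
          DEP_CHECK="${{ needs.dependency-check.result }}"
          CODE_SCAN="${{ needs.code-scanning.result }}"
          SECRET_SCAN="${{ needs.secret-scanning.result }}"
          # row <label> <job result>: append one table row to the step summary.
          row() {
            if [ "$2" == "success" ]; then
              echo "| $1 | ✅ Complete |" >> "$GITHUB_STEP_SUMMARY"
            else
              echo "| $1 | ⚠️ Potential issues found |" >> "$GITHUB_STEP_SUMMARY"
            fi
          }
          echo "| Check | Status |" >> "$GITHUB_STEP_SUMMARY"
          echo "| --- | --- |" >> "$GITHUB_STEP_SUMMARY"
          row "Dependency Check" "$DEP_CHECK"
          row "Static Code Analysis" "$CODE_SCAN"
          row "Secret Scanning" "$SECRET_SCAN"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "All reports have been uploaded as artifacts. Please review them for detailed information." >> "$GITHUB_STEP_SUMMARY"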