From 8f372eef196807b50cd477e4f86d14d39f3516e0 Mon Sep 17 00:00:00 2001 From: Avnyr Date: Sun, 4 Jan 2026 16:32:58 +0100 Subject: [PATCH] Add automated CVE security checks with Trivy and OWASP --- .gitea/workflows/cve-check.yml | 119 +++++++++++++++++++++++++++++++++ 1 file changed, 119 insertions(+) create mode 100644 .gitea/workflows/cve-check.yml diff --git a/.gitea/workflows/cve-check.yml b/.gitea/workflows/cve-check.yml new file mode 100644 index 0000000..afa1d46 --- /dev/null +++ b/.gitea/workflows/cve-check.yml 
@@ -0,0 +1,119 @@ + +name: CVE Security Check - Trivy + OWASP + +on: + schedule: + - cron: '0 2 * * *' + push: + paths: + - 'package.json' + - 'pnpm-lock.yaml' + - '.gitea/workflows/cve-check.yml' + pull_request: + paths: + - 'package.json' + - 'pnpm-lock.yaml' + +jobs: + trivy-scan: + name: Trivy Vulnerability Scan + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Run Trivy vulnerability scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + scan-ref: '.' + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'HIGH,CRITICAL' + + - name: Display Trivy results + run: | + echo "## 🔍 Trivy Scan Results" >> $GITHUB_STEP_SUMMARY + if [ -f trivy-results.sarif ]; then + echo "✅ Scan complété" >> $GITHUB_STEP_SUMMARY + fi + + - name: Upload Trivy SARIF to artifact + uses: actions/upload-artifact@v3 + if: always() + with: + name: trivy-results + path: trivy-results.sarif + + owasp-dependency-check: + name: OWASP Dependency-Check + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Run OWASP Dependency-Check + uses: dependency-check/Dependency-Check_Action@main + with: + project: 'memegoat' + path: '.' 
+ format: 'JSON' + args: > + --enableExperimental + --enableVulnerability + --suppression ./dependency-check-suppressions.xml + + - name: Generate OWASP HTML Report + run: | + if [ -d "reports" ]; then + echo "📊 Rapport OWASP généré" + fi + + - name: Upload OWASP reports + uses: actions/upload-artifact@v3 + if: always() + with: + name: dependency-check-reports + path: reports/ + + - name: Parse OWASP results + run: | + if [ -f reports/dependency-check-report.json ]; then + echo "## 📋 OWASP Dependency-Check Results" >> $GITHUB_STEP_SUMMARY + CRITICAL=$(jq '[.reportSchema.vulnerabilities[] | select(.severity=="CRITICAL")] | length' reports/dependency-check-report.json || echo 0) + HIGH=$(jq '[.reportSchema.vulnerabilities[] | select(.severity=="HIGH")] | length' reports/dependency-check-report.json || echo 0) + MEDIUM=$(jq '[.reportSchema.vulnerabilities[] | select(.severity=="MEDIUM")] | length' reports/dependency-check-report.json || echo 0) + echo "" >> $GITHUB_STEP_SUMMARY + echo "| Severity | Count |" >> $GITHUB_STEP_SUMMARY + echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY + echo "| 🔴 CRITICAL | $CRITICAL |" >> $GITHUB_STEP_SUMMARY + echo "| 🟠 HIGH | $HIGH |" >> $GITHUB_STEP_SUMMARY + echo "| 🟡 MEDIUM | $MEDIUM |" >> $GITHUB_STEP_SUMMARY + + if [ "$CRITICAL" -gt 0 ]; then + echo "" >> $GITHUB_STEP_SUMMARY + echo "⚠️ **Vulnérabilités CRITICAL détectées !**" >> $GITHUB_STEP_SUMMARY + exit 1 + fi + fi + + security-summary: + name: Security Summary + runs-on: ubuntu-latest + needs: [trivy-scan, owasp-dependency-check] + if: always() + steps: + - uses: actions/download-artifact@v3 + + - name: Generate final report + run: | + echo "## 🔐 Security Audit Complete" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "✅ Trivy scan - Completed" >> $GITHUB_STEP_SUMMARY + echo "✅ OWASP Dependency-Check - Completed" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "📁 [Télécharger les rapports détaillés](artifacts)" >> $GITHUB_STEP_SUMMARY + + 
- name: Fail if critical vulnerabilities found + if: failure() + run: | + echo "🚨 Des vulnérabilités CRITICAL ont été détectées" + exit 1 \ No newline at end of file
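Review bot: Neither scanner actually gates this workflow on findings: the Trivy step sets `severity: 'HIGH,CRITICAL'` but no `exit-code`, so the action only writes the SARIF file and the job stays green, and the "Display Trivy results" step merely checks that the file exists. The OWASP gate is dead as well — in the Dependency-Check JSON report `reportSchema` is a version string and findings live under `dependencies[].vulnerabilities[]`, so each `jq '[.reportSchema.vulnerabilities[] …] | length'` call errors and the `|| echo 0` fallback makes `$CRITICAL` always 0 (confirm against a generated report). Add `exit-code: '1'` to the Trivy `with:` block and change the three filters to `jq '[.dependencies[].vulnerabilities[]? | select(.severity=="CRITICAL")] | length'` (likewise for HIGH and MEDIUM). Separately, `aquasecurity/trivy-action@master` and `dependency-check/Dependency-Check_Action@main` are mutable refs for the two actions that execute over the repository contents; pin each to a release tag or full commit SHA so a change on the upstream branch cannot silently alter what runs here, and note that `--suppression ./dependency-check-suppressions.xml` references a file this commit does not add, which will fail the Dependency-Check run if it is absent from the repo.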