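# Dependency CVE scanning with Trivy and OWASP Dependency-Check.
#
# Runs nightly and whenever the dependency manifest / lockfile changes.
# Policy enforced by this workflow: any CRITICAL finding fails the run.
# HIGH and MEDIUM findings are reported (SARIF artifact, step summary)
# but do not block.
name: CVE Security Check - Trivy + OWASP

on:
  schedule:
    # Nightly at 02:00 UTC so newly published advisories are caught
    # even when nothing in the repository changed.
    - cron: '0 2 * * *'
  push:
    paths:
      - 'package.json'
      - 'pnpm-lock.yaml'
      - '.gitea/workflows/cve-check.yml'
  pull_request:
    paths:
      - 'package.json'
      - 'pnpm-lock.yaml'

# Least privilege: nothing in this workflow writes back to the repository.
# Honoured by GitHub Actions; a Gitea runner that does not implement this
# key ignores it, which is harmless.
permissions:
  contents: read

jobs:
  trivy-scan:
    name: Trivy Vulnerability Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # TODO(security): pin third-party actions to a release tag or, better, a
      # full commit SHA. '@master' is a mutable reference, so an upstream
      # compromise or force-push changes what executes in this pipeline with
      # no review on our side.
      - name: Run Trivy vulnerability scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'HIGH,CRITICAL'
          # Reporting pass only: keep HIGH in the SARIF without failing the
          # job. The gating pass below decides pass/fail.
          exit-code: '0'

      - name: Display Trivy results
        run: |
          echo "## 🔍 Trivy Scan Results" >> "$GITHUB_STEP_SUMMARY"
          if [ -f trivy-results.sarif ]; then
            echo "✅ Scan complété" >> "$GITHUB_STEP_SUMMARY"
          fi

      - name: Upload Trivy SARIF to artifact
        uses: actions/upload-artifact@v3
        if: always()
        with:
          name: trivy-results
          path: trivy-results.sarif

      # Gate: the previous scan never set exit-code, so Trivy findings could
      # not fail the run. Re-run on CRITICAL only with exit-code 1 so this job
      # enforces the same policy as the OWASP job. Runs after the artifact
      # upload so the SARIF is always available for triage.
      - name: Fail on CRITICAL Trivy findings
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'table'
          severity: 'CRITICAL'
          exit-code: '1'

  owasp-dependency-check:
    name: OWASP Dependency-Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # TODO(security): pin to a release tag or full commit SHA (see note on
      # the Trivy job); '@main' is mutable.
      - name: Run OWASP Dependency-Check
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: 'memegoat'
          path: '.'
          format: 'JSON'
          # NOTE(review): assumes ./dependency-check-suppressions.xml exists in
          # the repository root — Dependency-Check aborts if the suppression
          # file is missing; confirm it is committed. Without an NVD API key
          # the vulnerability-feed download is heavily rate-limited; consider
          # passing --nvdApiKey from a repository secret.
          args: >
            --enableExperimental
            --suppression ./dependency-check-suppressions.xml

      # Only confirms the output directory exists; no HTML is produced with
      # format JSON.
      - name: Check OWASP report directory
        run: |
          if [ -d "reports" ]; then
            echo "📊 Rapport OWASP généré"
          fi

      - name: Upload OWASP reports
        uses: actions/upload-artifact@v3
        if: always()
        with:
          name: dependency-check-reports
          path: reports/

      - name: Parse OWASP results
        run: |
          # Fail closed: a broken or missing report must not pass the gate.
          set -euo pipefail
          REPORT=reports/dependency-check-report.json
          if [ ! -f "$REPORT" ]; then
            echo "::error::Dependency-Check report not found at $REPORT"
            exit 1
          fi

          # In the Dependency-Check JSON schema vulnerabilities live under
          # .dependencies[].vulnerabilities[]; .reportSchema is a version
          # string. The previous query (.reportSchema.vulnerabilities[])
          # therefore errored on every run and the '|| echo 0' fallback
          # reported zero findings, so the CRITICAL gate could never fire.
          # Severity is compared case-insensitively; a jq failure now fails
          # the step instead of being masked as 0.
          count_severity() {
            jq -r --arg sev "$1" \
              '[.dependencies[]? | .vulnerabilities[]? | select(((.severity // "") | ascii_upcase) == $sev)] | length' \
              "$REPORT"
          }
          CRITICAL=$(count_severity CRITICAL)
          HIGH=$(count_severity HIGH)
          MEDIUM=$(count_severity MEDIUM)

          echo "## 📋 OWASP Dependency-Check Results" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "| Severity | Count |" >> "$GITHUB_STEP_SUMMARY"
          echo "|----------|-------|" >> "$GITHUB_STEP_SUMMARY"
          echo "| 🔴 CRITICAL | $CRITICAL |" >> "$GITHUB_STEP_SUMMARY"
          echo "| 🟠 HIGH | $HIGH |" >> "$GITHUB_STEP_SUMMARY"
          echo "| 🟡 MEDIUM | $MEDIUM |" >> "$GITHUB_STEP_SUMMARY"

          if [ "$CRITICAL" -gt 0 ]; then
            echo "" >> "$GITHUB_STEP_SUMMARY"
            echo "⚠️ **Vulnérabilités CRITICAL détectées !**" >> "$GITHUB_STEP_SUMMARY"
            exit 1
          fi

  security-summary:
    name: Security Summary
    runs-on: ubuntu-latest
    needs: [trivy-scan, owasp-dependency-check]
    # Always run so the summary and the final failure propagation happen even
    # when a scan job failed.
    if: always()
    steps:
      - uses: actions/download-artifact@v3

      - name: Generate final report
        env:
          TRIVY_RESULT: ${{ needs.trivy-scan.result }}
          OWASP_RESULT: ${{ needs.owasp-dependency-check.result }}
        run: |
          echo "## 🔐 Security Audit Complete" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          # Report the real outcome of each job; the previous version printed
          # an unconditional check mark even when a scan had failed.
          if [ "$TRIVY_RESULT" = "success" ]; then
            echo "✅ Trivy scan - Completed" >> "$GITHUB_STEP_SUMMARY"
          else
            echo "❌ Trivy scan - $TRIVY_RESULT" >> "$GITHUB_STEP_SUMMARY"
          fi
          if [ "$OWASP_RESULT" = "success" ]; then
            echo "✅ OWASP Dependency-Check - Completed" >> "$GITHUB_STEP_SUMMARY"
          else
            echo "❌ OWASP Dependency-Check - $OWASP_RESULT" >> "$GITHUB_STEP_SUMMARY"
          fi
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "📁 [Télécharger les rapports détaillés](artifacts)" >> "$GITHUB_STEP_SUMMARY"

      # Propagate a failed scan job explicitly via needs.*.result. At step
      # level failure() reflects this job's own steps, so the original guard
      # would not reliably fire when only an upstream job failed.
      # NOTE(review): a job can also fail on a tool/infra error, not only on
      # CRITICAL findings — check the job logs before treating this as a CVE.
      - name: Fail if critical vulnerabilities found
        if: needs.trivy-scan.result == 'failure' || needs.owasp-dependency-check.result == 'failure'
        run: |
          echo "🚨 Des vulnérabilités CRITICAL ont été détectées"
          exit 1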