From 7aa92631cf001fadb16ccfc7175c558bdae313ae Mon Sep 17 00:00:00 2001 From: Moises Tapia Date: Wed, 18 Jun 2025 12:41:12 -0600 Subject: [PATCH 1/8] [SEC] Add sast to find vulnerabiolities --- .github/workflows/sast-code.yml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 .github/workflows/sast-code.yml diff --git a/.github/workflows/sast-code.yml b/.github/workflows/sast-code.yml new file mode 100644 index 000000000..98c42054e --- /dev/null +++ b/.github/workflows/sast-code.yml @@ -0,0 +1,33 @@ +name: SAST Security Scan + +on: + push: + branches: + - security + pull_request: + branches: + - security + +jobs: + sast: + name: Semgrep SAST Scan + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Run Semgrep + uses: returntocorp/semgrep-action@v2 + with: + config: > + p/java + p/typescript + p/javascript.react + p/react-native + sarif_output: semgrep.sarif + + - name: Upload results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: semgrep.sarif From 47d38fa3f02c91655bdc07ed9f7cfb36d2c14ecb Mon Sep 17 00:00:00 2001 From: Moises Tapia Date: Wed, 18 Jun 2025 12:44:16 -0600 Subject: [PATCH 2/8] [SEC] Fix Semgrep version --- .github/workflows/sast-code.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sast-code.yml b/.github/workflows/sast-code.yml index 98c42054e..adaaad00c 100644 --- a/.github/workflows/sast-code.yml +++ b/.github/workflows/sast-code.yml @@ -18,7 +18,7 @@ jobs: uses: actions/checkout@v4 - name: Run Semgrep - uses: returntocorp/semgrep-action@v2 + uses: returntocorp/semgrep-action@v1 with: config: > p/java From 93d241718b038b9ceae03320462aa22c4a37b759 Mon Sep 17 00:00:00 2001 
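Review bot: The `Upload results to GitHub Security tab` step calls `github/codeql-action/upload-sarif`, which needs the job token to carry `security-events: write`, yet the workflow declares no `permissions:` block, so the upload is rejected under a read-only default token and over-privileged under a write-all default. A job-level `permissions:` with `contents: read` and `security-events: write` would make the requirement explicit and keep the token minimal. Patch 8/8 deletes this file again, so this only matters if the Semgrep job is revived.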
From: Moises Tapia
Date: Wed, 18 Jun 2025 12:49:36 -0600
Subject: [PATCH 3/8] [SEC] Create new flow to each lenguage
---
 .github/workflows/sast-java.yml | 36 ++++++++++++++++++++++++++++++++++++
 .github/workflows/sast-web.yml | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+)
 create mode 100644 .github/workflows/sast-java.yml
 create mode 100644 .github/workflows/sast-web.yml
diff --git a/.github/workflows/sast-java.yml b/.github/workflows/sast-java.yml
new file mode 100644
index 000000000..e7a20af48
--- /dev/null
+++ b/.github/workflows/sast-java.yml
@@ -0,0 +1,36 @@
+name: Java SAST Scan
+
+on:
+ push:
+ branches:
+ - security
+ pull_request:
+ branches:
+ - security
+
+jobs:
+ java-sast:
+ name: SpotBugs + FindSecBugs
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Set up JDK
+ uses: actions/setup-java@v3
+ with:
+ java-version: '17'
+ distribution: 'temurin'
+
+ - name: Build project with Maven
+ run: mvn clean install -DskipTests
+
+ - name: Run SpotBugs with FindSecBugs
+ run: mvn com.github.spotbugs:spotbugs-maven-plugin:4.7.3.0:spotbugs
+
+ - name: Upload SpotBugs Report
+ uses: actions/upload-artifact@v4
+ with:
+ name: spotbugs-report
+ path: target/spotbugsXml.xml
diff --git a/.github/workflows/sast-web.yml b/.github/workflows/sast-web.yml
new file mode 100644
index 000000000..d4e5abc76
--- /dev/null
+++ b/.github/workflows/sast-web.yml
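Review bot: The `Run SpotBugs with FindSecBugs` step only invokes `spotbugs-maven-plugin:4.7.3.0:spotbugs`; nothing in this hunk registers the FindSecBugs detector (`com.h3xstream.findsecbugs:findsecbugs-plugin`), so unless the project's pom.xml already lists it under the plugin's `<plugins>` configuration (not visible here) this is a plain SpotBugs run and the security detectors never execute. Either confirm that pom configuration or declare the plugin there explicitly. The `spotbugs` goal only writes the report and no later step reads it, so findings cannot fail the build; `spotbugs:check`, or a step that inspects `spotbugsXml.xml`, would gate on them. The workflow also declares no `permissions:` block, so `permissions: contents: read` at the top of this file — and of sast-web.yml in the next hunk — would keep the token to what checkout needs.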
@@ -0,0 +1,38 @@ +name: Web SAST Scan + +on: + push: + branches: + - security + pull_request: + branches: + - security + +jobs: + web-sast: + name: ESLint Security Scan + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Node.js + uses: actions/setup-node@v4 + with: + node-version: '20' + + - name: Install dependencies + run: npm ci + + - name: Run ESLint + run: npx eslint . --ext .ts,.tsx --max-warnings=0 || true + + - name: Upload ESLint results + run: npx eslint . --ext .ts,.tsx -f json -o eslint-report.json || true + + - name: Upload report + uses: actions/upload-artifact@v4 + with: + name: eslint-report + path: eslint-report.json From ad41f23e4a0b4354623f5cbb7719da9681f33454 Mon Sep 17 00:00:00 2001 From: Moises Tapia Date: Wed, 18 Jun 2025 12:53:47 -0600 Subject: [PATCH 4/8] [SEC] Fix FrontEnd directory scan --- .github/workflows/sast-web.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/.github/workflows/sast-web.yml b/.github/workflows/sast-web.yml index d4e5abc76..8981cc821 100644 --- a/.github/workflows/sast-web.yml +++ b/.github/workflows/sast-web.yml @@ -10,7 +10,7 @@ on: jobs: web-sast: - name: ESLint Security Scan + name: ESLint Security Scan (frontend/) runs-on: ubuntu-latest steps: @@ -22,17 +22,20 @@ jobs: with: node-version: '20' - - name: Install dependencies + - name: Navigate to frontend/ and install dependencies + working-directory: frontend run: npm ci - name: Run ESLint + working-directory: frontend run: npx eslint . --ext .ts,.tsx --max-warnings=0 || true - - name: Upload ESLint results + - name: Generate ESLint report + working-directory: frontend run: npx eslint . --ext .ts,.tsx -f json -o eslint-report.json || true - - name: Upload report + - name: Upload ESLint report uses: actions/upload-artifact@v4 with: name: eslint-report - path: eslint-report.json + path: frontend/eslint-report.json 
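Review bot: Both ESLint steps end with `|| true`, so the exit status — including a crash of ESLint itself — is discarded and `--max-warnings=0` can never fail the job; the job is named a security scan but cannot block anything. Replacing `|| true` with `continue-on-error: true` on the step (and `if: always()` on the upload step) keeps the job green while still showing the failure in the run, or drop the masking once the baseline is clean. The same pattern is carried into the rewrite of these steps in 5/8 and the `npm audit` step in 6/8. Nothing in this file selects a security rule set (for example a security-focused ESLint plugin such as eslint-plugin-security); whether `eslint .` runs any security rules depends on frontend's ESLint configuration, which is not visible here.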
From be4e133e61bff5838af03a07851f251e92075a59 Mon Sep 17 00:00:00 2001 From: Moises Tapia Date: Wed, 18 Jun 2025 13:06:47 -0600 Subject: [PATCH 5/8] [SEC] Fix FrontEnd directory scan --- .github/workflows/sast-web.yml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/.github/workflows/sast-web.yml b/.github/workflows/sast-web.yml index 8981cc821..cc6ec9102 100644 --- a/.github/workflows/sast-web.yml +++ b/.github/workflows/sast-web.yml @@ -28,11 +28,19 @@ jobs: - name: Run ESLint working-directory: frontend - run: npx eslint . --ext .ts,.tsx --max-warnings=0 || true + run: | + npx eslint . \ + --ext .ts,.tsx \ + --ignore-pattern commitlint.config.ts \ + --max-warnings=0 || true - - name: Generate ESLint report + - name: Generate ESLint JSON report working-directory: frontend - run: npx eslint . --ext .ts,.tsx -f json -o eslint-report.json || true + run: | + npx eslint . \ + --ext .ts,.tsx \ + --ignore-pattern commitlint.config.ts \ + -f json -o eslint-report.json || true - name: Upload ESLint report uses: actions/upload-artifact@v4 From 9bfd41275fb5212f60e6c49d50a7190c828b2d22 Mon Sep 17 00:00:00 2001 From: Moises Tapia Date: Wed, 18 Jun 2025 13:12:12 -0600 Subject: [PATCH 6/8] [SEC] ADD dependency scan --- .github/workflows/sast-web.yml | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sast-web.yml b/.github/workflows/sast-web.yml index cc6ec9102..ef8e0484e 100644 --- a/.github/workflows/sast-web.yml +++ b/.github/workflows/sast-web.yml @@ -10,7 +10,7 @@ on: jobs: web-sast: - name: ESLint Security Scan (frontend/) + name: ESLint + npm audit Security Scan (frontend/) runs-on: ubuntu-latest steps: @@ -26,6 +26,9 @@ jobs: working-directory: frontend run: npm ci + # -------------------------- + # ESLint Scan + # -------------------------- - name: Run ESLint working-directory: frontend run: | 
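Review bot: The two `run:` blocks repeat the same `--ext` and `--ignore-pattern` flags, and the exclusion of `commitlint.config.ts` now lives in the workflow rather than with the project's lint configuration, so every future change has to be mirrored in both invocations. Moving the ignore into frontend's ESLint config or `.eslintignore` and running ESLint once with `-f json -o eslint-report.json` (the JSON report is the only output that is uploaded) would remove the duplication; the console-only run adds no gating while `|| true` remains on both.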
@@ -47,3 +50,17 @@ jobs: with: name: eslint-report path: frontend/eslint-report.json + + # -------------------------- + # npm audit + # -------------------------- + - name: Run npm audit and generate JSON report + working-directory: frontend + run: | + npm audit --json > npm-audit-report.json || true + + - name: Upload npm audit report + uses: actions/upload-artifact@v4 + with: + name: npm-audit-report + path: frontend/npm-audit-report.json From 81e9202f3c3ecc5cba173624bdb9e916b1fdf713 Mon Sep 17 00:00:00 2001 From: Moises Tapia Date: Wed, 18 Jun 2025 13:32:27 -0600 Subject: [PATCH 7/8] [SEC] Fix Flow Java Scan Code --- .github/workflows/sast-java.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/sast-java.yml b/.github/workflows/sast-java.yml index e7a20af48..f3efaaf2d 100644 --- a/.github/workflows/sast-java.yml +++ b/.github/workflows/sast-java.yml @@ -10,7 +10,7 @@ on: jobs: java-sast: - name: SpotBugs + FindSecBugs + name: SpotBugs + FindSecBugs (api/) runs-on: ubuntu-latest steps: @@ -23,14 +23,16 @@ jobs: java-version: '17' distribution: 'temurin' - - name: Build project with Maven + - name: Build project with Maven (skip tests) + working-directory: api run: mvn clean install -DskipTests - name: Run SpotBugs with FindSecBugs + working-directory: api run: mvn com.github.spotbugs:spotbugs-maven-plugin:4.7.3.0:spotbugs - - name: Upload SpotBugs Report + - name: Upload SpotBugs report uses: actions/upload-artifact@v4 with: name: spotbugs-report - path: target/spotbugsXml.xml + path: api/target/spotbugsXml.xml From 0f1d96c4e7c8bd8da1f6d252f3f885afab6dfe62 Mon Sep 17 00:00:00 2001 From: Moises Tapia Date: Wed, 18 Jun 2025 13:42:02 -0600 Subject: [PATCH 8/8] [SEC] Delete old files --- .github/workflows/sast-code.yml | 33 --------------------------------- 1 file changed, 33 deletions(-) delete mode 100644 .github/workflows/sast-code.yml 
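Review bot: `npm audit --json > npm-audit-report.json || true` masks every exit status, so a registry failure and a report full of critical advisories look identical to the job, and the upload step runs regardless of which happened. `npm audit` exits non-zero whenever it finds advisories, so the mask is what keeps the job green, but it also means no severity ever blocks the branch. A separate gating step after the upload, for example `npm audit --audit-level=high` without `|| true`, would fail on high and critical findings while keeping the JSON artifact, and `if: always()` on the upload step keeps the artifact even then. The `continue-on-error` alternative raised for the ESLint steps in 3/8 applies here as well.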
diff --git a/.github/workflows/sast-code.yml b/.github/workflows/sast-code.yml
deleted file mode 100644
index adaaad00c..000000000
--- a/.github/workflows/sast-code.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-name: SAST Security Scan
-
-on:
- push:
- branches:
- - security
- pull_request:
- branches:
- - security
-
-jobs:
- sast:
- name: Semgrep SAST Scan
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Run Semgrep
- uses: returntocorp/semgrep-action@v1
- with:
- config: >
- p/java
- p/typescript
- p/javascript.react
- p/react-native
- sarif_output: semgrep.sarif
-
- - name: Upload results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: semgrep.sarif