diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml index 52a42d5..d41bb63 100644 --- a/.github/workflows/cd.yaml +++ b/.github/workflows/cd.yaml @@ -65,14 +65,14 @@ jobs: file: ./Dockerfile load: true platforms: linux/amd64 - tags: kaiohz/unispace:unispace-landing-scan + tags: kaiohz/pickpro:unispace-landing-scan cache-from: type=gha cache-to: type=gha,mode=max - name: Trivy Image Scan (report) uses: aquasecurity/trivy-action@master with: - image-ref: "kaiohz/unispace:unispace-landing-scan" + image-ref: "kaiohz/pickpro:unispace-landing-scan" format: "table" severity: "CRITICAL,HIGH,MEDIUM" exit-code: "0" @@ -81,7 +81,7 @@ jobs: - name: Trivy Image Scan (CRITICAL gate) uses: aquasecurity/trivy-action@master with: - image-ref: "kaiohz/unispace:unispace-landing-scan" + image-ref: "kaiohz/pickpro:unispace-landing-scan" format: "table" severity: "CRITICAL" exit-code: "1" @@ -95,8 +95,8 @@ jobs: push: true platforms: linux/amd64,linux/arm64 tags: | - kaiohz/unispace:unispace-landing-${{ steps.sha.outputs.result }} - kaiohz/unispace:unispace-landing-latest + kaiohz/pickpro:unispace-landing-${{ steps.sha.outputs.result }} + kaiohz/pickpro:unispace-landing-latest cache-from: type=gha cache-to: type=gha,mode=max @@ -108,7 +108,7 @@ jobs: run: | DEPLOYMENT_FILE="flux-repo/dev/unispace/unispace-landing/deployment.yaml" if [ -f "$DEPLOYMENT_FILE" ]; then - sed -i 's|image: kaiohz/unispace:unispace-landing-.*|image: kaiohz/unispace:unispace-landing-${{ steps.sha.outputs.result }}|g' "$DEPLOYMENT_FILE" + sed -i 's|image: kaiohz/pickpro:unispace-landing-.*|image: kaiohz/pickpro:unispace-landing-${{ steps.sha.outputs.result }}|g' "$DEPLOYMENT_FILE" else echo "Error: Deployment file not found at $DEPLOYMENT_FILE" exit 1 diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000..c13f782 --- /dev/null +++ b/.github/workflows/ci.yaml 
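Review bot: In the last cd.yaml hunk (`@@ -108,7 +108,7 @@`) the `sed` expression now matches only `image: kaiohz/pickpro:unispace-landing-.*`, and `sed -i` exits 0 when nothing matches. If `deployment.yaml` in flux-repo still carries the old `kaiohz/unispace:` image line, this step would succeed without changing the file, and the cluster would keep running the previously deployed image rather than the one that just passed the Trivy gate. Follow the substitution with a check such as `grep -q "image: kaiohz/pickpro:unispace-landing-${{ steps.sha.outputs.result }}" "$DEPLOYMENT_FILE" || { echo "Error: image tag not updated"; exit 1; }`. The step's `run:` block starts and ends outside the hunk.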
@@ -0,0 +1,32 @@
+name: CI
+
+on:
+ pull_request:
+ branches: [main]
+
+jobs:
+ trivy:
+ name: Trivy FS Scan
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Trivy FS Scan (report)
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ format: 'table'
+ severity: 'CRITICAL,HIGH,MEDIUM'
+ exit-code: '0'
+ trivy-config: trivy.yaml
+
+ - name: Trivy FS Scan (CRITICAL gate)
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ format: 'table'
+ severity: 'CRITICAL'
+ exit-code: '1'
+ trivy-config: trivy.yaml
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..f2a600c
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,3 @@
+# .trivyignore - Known false positives and accepted risks
+# Format: CVE-YYYY-NNNNN
+# Add a comment above each entry explaining why it is ignored.
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..100a03e
--- /dev/null
+++ b/Makefile
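Review bot: Both Trivy steps in the new ci.yaml use `aquasecurity/trivy-action@master`, a mutable branch ref, so whatever is pushed to that branch runs in this job on every pull request. Pin it to a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha> # <release tag>` (placeholders; take the SHA from a release you have reviewed). The workflow also declares no `permissions:` block, so the job receives the repository's default `GITHUB_TOKEN` scope; a top-level `permissions:` with `contents: read` should be enough for a filesystem scan. `trivy-config: trivy.yaml` points at a file that this diff does not add, so confirm it already exists in the repository.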
@@ -0,0 +1,28 @@
+PROJECT_NAME := unispace-landing
+IMAGE_TAG := $(PROJECT_NAME):local-scan
+
+.PHONY: trivy-fs trivy-image trivy-fs-critical trivy-image-critical trivy-all trivy-help
+
+trivy-fs:
+ trivy fs --severity CRITICAL,HIGH,MEDIUM --exit-code 0 --format table .
+
+trivy-image:
+ docker build -t $(IMAGE_TAG) -f Dockerfile .
+ trivy image --severity CRITICAL,HIGH,MEDIUM --exit-code 0 --format table $(IMAGE_TAG)
+
+trivy-fs-critical:
+ trivy fs --severity CRITICAL --exit-code 1 --format table .
+
+trivy-image-critical:
+ docker build -t $(IMAGE_TAG) -f Dockerfile .
+ trivy image --severity CRITICAL --exit-code 1 --format table $(IMAGE_TAG)
+
+trivy-all: trivy-fs trivy-image
+
+trivy-help:
+ @echo "Available Trivy scanning targets:"
+ @echo " make trivy-fs - Scan filesystem dependencies (report only)"
+ @echo " make trivy-image - Build and scan Docker image (report only)"
+ @echo " make trivy-fs-critical - Scan filesystem - fail on CRITICAL"
+ @echo " make trivy-image-critical - Build and scan image - fail on CRITICAL"
+ @echo " make trivy-all - Run both fs and image scans"
diff --git a/package.json b/package.json
index ceb2cf9..d42ffa9 100644
--- a/package.json
+++ b/package.json
@@ -17,7 +17,7 @@
 "@astrojs/mdx": "4.3.12",
 "@astrojs/netlify": "6.6.3",
 "@astrojs/react": "4.4.2",
- "@astrojs/rss": "4.0.14",
+ "@astrojs/rss": "4.0.17",
 "@astrojs/sitemap": "3.6.0",
 "@fontsource-variable/inter": "5.2.8",
 "@keystatic/astro": "5.0.6",
@@ -35,7 +35,7 @@
 "motion-on-scroll": "^1.0.0",
 "react": "19.2.0",
 "react-dom": "19.2.0",
- "swiper": "12.0.3",
+ "swiper": "^12.1.2",
 "tailwind-merge": "3.4.0",
 "tailwind-variants": "3.2.2",
 "tailwindcss": "4.1.17",
@@ -43,7 +43,7 @@
 },
 "devDependencies": {
 "@eslint/js": "^9.36.0",
- "@playform/compress": "0.2.0",
+ "@playform/compress": "^0.2.0",
 "eslint": "^9.36.0",
 "eslint-plugin-astro": "^1.3.1",
 "eslint-plugin-jsx-a11y": "^6.10.2",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index ee31fc9..7ad9bdb 100644
--- a/pnpm-lock.yaml
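Review bot: `trivy-all` depends only on `trivy-fs` and `trivy-image`, which both pass `--exit-code 0`, so `make trivy-all` does not fail on findings and never reproduces the CRITICAL gate that ci.yaml and cd.yaml enforce. Add an aggregate for the gating targets, `trivy-gate: trivy-fs-critical trivy-image-critical`, and list it in `.PHONY` and in `trivy-help`. As a style point, the `docker build` line is duplicated in `trivy-image` and `trivy-image-critical`; a shared prerequisite target that builds `$(IMAGE_TAG)` would keep the two scans on the same image.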
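Review bot: In the `@@ -35,7 +35,7 @@` hunk `swiper` moves from an exact version to the caret range `^12.1.2`, while most neighbouring runtime dependencies (`react`, `react-dom`, `tailwind-merge`, `tailwindcss`) stay exactly pinned. The `@@ -43,7 +43,7 @@` hunk loosens `@playform/compress` to `^0.2.0` in the same way. The lockfile still fixes the resolved versions, but an install that is not run with a frozen lockfile can move within the range; `"swiper": "12.1.2"` would keep the block's pinning style. Separately, the lockfile in this commit still resolves `tar@7.5.2`, which now carries a deprecation notice mentioning security fixes in the current version, so that transitive dependency looks worth following up.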
+++ b/pnpm-lock.yaml @@ -18,8 +18,8 @@ importers: specifier: 4.4.2 version: 4.4.2(@types/node@24.10.1)(@types/react-dom@19.2.3(@types/react@19.2.7))(@types/react@19.2.7)(jiti@2.6.1)(lightningcss@1.30.2)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)(terser@5.42.0)(yaml@2.8.2) '@astrojs/rss': - specifier: 4.0.14 - version: 4.0.14 + specifier: 4.0.17 + version: 4.0.17 '@astrojs/sitemap': specifier: 3.6.0 version: 3.6.0 @@ -72,8 +72,8 @@ importers: specifier: 19.2.0 version: 19.2.0(react@19.2.0) swiper: - specifier: 12.0.3 - version: 12.0.3 + specifier: ^12.1.2 + version: 12.1.2 tailwind-merge: specifier: 3.4.0 version: 3.4.0 @@ -91,7 +91,7 @@ importers: specifier: ^9.36.0 version: 9.39.1 '@playform/compress': - specifier: 0.2.0 + specifier: ^0.2.0 version: 0.2.0(@netlify/blobs@10.4.1)(@types/node@24.10.1)(idb-keyval@6.2.2)(jiti@2.6.1)(rollup@4.53.3)(typescript@5.9.3)(yaml@2.8.2) eslint: specifier: ^9.36.0 @@ -188,8 +188,8 @@ packages: react: ^17.0.2 || ^18.0.0 || ^19.0.0 react-dom: ^17.0.2 || ^18.0.0 || ^19.0.0 - '@astrojs/rss@4.0.14': - resolution: {integrity: sha512-KCe1imDcADKOOuO/wtKOMDO/umsBD6DWF+94r5auna1jKl5fmlK9vzf+sjA3EyveXA/FoB3khtQ/u/tQgETmTw==} + '@astrojs/rss@4.0.17': + resolution: {integrity: sha512-eV+wdMbeVKC9+sPaV0LN8JL1LGo9YAh3GKl4Ou4nzMNLmXM/aswYpSGxVEAuHilgBZ6/++/Pv08ICmuOqX107w==} '@astrojs/sitemap@3.6.0': resolution: {integrity: sha512-4aHkvcOZBWJigRmMIAJwRQXBS+ayoP5z40OklTXYXhUDhwusz+DyDl+nSshY6y9DvkVEavwNcFO8FD81iGhXjg==} 
@@ -3521,8 +3521,11 @@ packages: fast-uri@3.1.0: resolution: {integrity: sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==} - fast-xml-parser@5.3.2: - resolution: {integrity: sha512-n8v8b6p4Z1sMgqRmqLJm3awW4NX7NkaKPfb3uJIBTSH7Pdvufi3PQ3/lJLQrvxcMYl7JI2jnDO90siPEpD8JBA==} + fast-xml-builder@1.1.2: + resolution: {integrity: sha512-NJAmiuVaJEjVa7TjLZKlYd7RqmzOC91EtPFXHvlTcqBVo50Qh7XV5IwvXi1c7NRz2Q/majGX9YLcwJtWgHjtkA==} + + fast-xml-parser@5.4.1: + resolution: {integrity: sha512-BQ30U1mKkvXQXXkAGcuyUA/GA26oEB7NzOtsxCDtyu62sjGw5QraKFhx2Em3WQNjPw9PG6MQ9yuIIgkSDfGu5A==} hasBin: true fastq@1.19.1: @@ -4996,6 +4999,10 @@ packages: resolution: {integrity: sha512-RjhtfwJOxzcFmNOi6ltcbcu4Iu+FL3zEj83dk4kAS+fVpTxXLO1b38RvJgT/0QwvV/L3aY9TAnyv0EOqW4GoMQ==} engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0} + path-expression-matcher@1.1.3: + resolution: {integrity: sha512-qdVgY8KXmVdJZRSS1JdEPOKPdTiEK/pi0RkcT2sw1RhXxohdujUlJFPuS1TSkevZ9vzd3ZlL7ULl1MHGTApKzQ==} + engines: {node: '>=14.0.0'} + path-key@3.1.1: resolution: {integrity: sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==} engines: {node: '>=8'} @@ -5642,8 +5649,8 @@ packages: resolution: {integrity: sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==} engines: {node: '>=8'} - strnum@2.1.1: - resolution: {integrity: sha512-7ZvoFTiCnGxBtDqJ//Cu6fWtZtc7Y3x+QOirG15wztbdngGSkht27o2pyGWrVy0b4WAy3jbKmnoK6g5VlVNUUw==} + strnum@2.2.0: + resolution: {integrity: sha512-Y7Bj8XyJxnPAORMZj/xltsfo55uOiyHcU2tnAVzHUnSJR/KsEX+9RoDeXEnsXtl/CX4fAcrt64gZ13aGaWPeBg==} style-to-js@1.1.21: resolution: {integrity: sha512-RjQetxJrrUJLQPHbLku6U/ocGtzyjbJMP9lCNK7Ag0CNh690nSH8woqWH9u16nMjYBAok+i7JO1NP2pOy8IsPQ==} 
@@ -5679,8 +5686,8 @@ packages: engines: {node: '>=16'} hasBin: true - swiper@12.0.3: - resolution: {integrity: sha512-BHd6U1VPEIksrXlyXjMmRWO0onmdNPaTAFduzqR3pgjvi7KfmUCAm/0cj49u2D7B0zNjMw02TSeXfinC1hDCXg==} + swiper@12.1.2: + resolution: {integrity: sha512-4gILrI3vXZqoZh71I1PALqukCFgk+gpOwe1tOvz5uE9kHtl2gTDzmYflYCwWvR4LOvCrJi6UEEU+gnuW5BtkgQ==} engines: {node: '>= 4.7.0'} synckit@0.11.11: @@ -5720,6 +5727,7 @@ packages: tar@7.5.2: resolution: {integrity: sha512-7NyxrTE4Anh8km8iEy7o0QYPs+0JKBTj5ZaqHg6B39erLg0qYXN3BijtShwbsNSvQ+LN75+KV+C4QR/f6Gwnpg==} engines: {node: '>=18'} + deprecated: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me terser@5.42.0: resolution: {integrity: sha512-UYCvU9YQW2f/Vwl+P0GfhxJxbUGLwd+5QrrGgLajzWAtC/23AX0vcise32kkP7Eu0Wu9VlzzHAXkLObgjQfFlQ==} @@ -6201,6 +6209,7 @@ packages: whatwg-encoding@3.1.1: resolution: {integrity: sha512-6qN4hJdMwfYBtE3YBTTHhoeuUrDBPZmbQaxWAqSALV/MeEnR5z1xd8UKud2RAkFoPkmB+hli1TZSnyi84xz1vQ==} engines: {node: '>=18'} + deprecated: Use @exodus/bytes instead for a more spec-conformant and faster implementation whatwg-mimetype@4.0.0: resolution: {integrity: sha512-QaKxh0eNIi2mE9p2vEdzfagOKHCcj1pJ56EEHGQOVxp8r9/iszLUUV7v89x9O1p/T+NlTM5W7jW6+cz4Fq1YVg==} @@ -6379,6 +6388,9 @@ packages: zod@3.25.76: resolution: {integrity: sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ==} + zod@4.3.6: + resolution: {integrity: sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg==} + zwitch@2.0.4: resolution: {integrity: sha512-bXE4cR/kVZhKZX/RjPEflHaKVhUVl85noU3v6b8apfQEc1x4A+zBxjZ4lN8LqGd6WZ3dl98pY4o717VFmoPp+A==} 
@@ -6559,10 +6571,11 @@ snapshots: - tsx - yaml - '@astrojs/rss@4.0.14': + '@astrojs/rss@4.0.17': dependencies: - fast-xml-parser: 5.3.2 + fast-xml-parser: 5.4.1 piccolore: 0.1.3 + zod: 4.3.6 '@astrojs/sitemap@3.6.0': dependencies: @@ -11034,9 +11047,14 @@ snapshots: fast-uri@3.1.0: {} - fast-xml-parser@5.3.2: + fast-xml-builder@1.1.2: dependencies: - strnum: 2.1.1 + path-expression-matcher: 1.1.3 + + fast-xml-parser@5.4.1: + dependencies: + fast-xml-builder: 1.1.2 + strnum: 2.2.0 fastq@1.19.1: dependencies: @@ -12830,6 +12848,8 @@ snapshots: path-exists@5.0.0: {} + path-expression-matcher@1.1.3: {} + path-key@3.1.1: {} path-key@4.0.0: {} @@ -13654,7 +13674,7 @@ snapshots: strip-json-comments@3.1.1: {} - strnum@2.1.1: {} + strnum@2.2.0: {} style-to-js@1.1.21: dependencies: @@ -13698,7 +13718,7 @@ snapshots: picocolors: 1.1.1 sax: 1.4.3 - swiper@12.0.3: {} + swiper@12.1.2: {} synckit@0.11.11: dependencies: @@ -14384,4 +14404,6 @@ snapshots: zod@3.25.76: {} + zod@4.3.6: {} + zwitch@2.0.4: {}