diff --git a/.github/workflows/cart.yaml b/.github/workflows/cart.yaml index 2aec219..552f623 100644 --- a/.github/workflows/cart.yaml +++ b/.github/workflows/cart.yaml @@ -1,100 +1,41 @@ # ============================================================== -# Jerney - DevSecOps CI/CD Pipeline -# ============================================================== -# Triggers on every push and pull request. -# Stages: Lint → SCA → Build → Image Scan → IaC Scan → Deploy Manifest Update +# Shopstack - DevSecOps CI/CD Pipeline # ============================================================== -name: Jerney DevSecOps Pipeline +name: Shopstack DevSecOps Pipeline on: push: - branches: ["*"] + branches: + - env/prod + paths: + - "cart/**" + - ".github/workflows/cart.yaml" pull_request: - branches: ["*"] + branches: + - env/prod + paths: + - "cart/**" + - ".github/workflows/cart.yaml" # Security: restrict default permissions to read-only permissions: contents: read env: - DOCKER_REGISTRY: ghcr.io - BACKEND_IMAGE: ghcr.io/${{ github.repository }}/jerney-backend - FRONTEND_IMAGE: ghcr.io/${{ github.repository }}/jerney-frontend + PROJECT: "shopstack" + ENV: "staging" jobs: - # ============================================================== - # STAGE 1: Linting - # ============================================================== - lint: - name: "🔍 Lint Code" - runs-on: ubuntu-latest - strategy: - matrix: - component: [backend, frontend] - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version: "20" - cache: "npm" - cache-dependency-path: "${{ matrix.component }}/package-lock.json" - - - name: Install dependencies - working-directory: ${{ matrix.component }} - run: npm ci - - - name: Run ESLint - working-directory: ${{ matrix.component }} - run: npm run lint - - # ============================================================== - # STAGE 2: Software Composition Analysis (SCA) — Dependency Audit - # ============================================================== - sca: - name: "🛡️ Dependency Audit" - runs-on: ubuntu-latest - needs: lint - strategy: - matrix: - component: [backend, frontend] - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version: "20" - cache: "npm" - cache-dependency-path: "${{ matrix.component }}/package-lock.json" - - - name: Install dependencies - working-directory: ${{ matrix.component }} - run: npm ci - - # npm audit for known vulnerabilities (fail on high/critical) - - name: npm audit - working-directory: ${{ matrix.component }} - run: npm audit --audit-level=high || true - # `|| true` to not fail on moderate — adjust in prod - - # ============================================================== - # STAGE 3: Build & Push Container Images - # ============================================================== build: name: "🐳 Build ${{ matrix.component }}" runs-on: ubuntu-latest - needs: sca permissions: contents: read packages: write # Needed to push to GHCR strategy: matrix: - component: [backend, frontend] + component: ["cart"] outputs: image_tag: ${{ steps.meta.outputs.version }} steps: @@ -115,7 +56,7 @@ jobs: id: meta uses: docker/metadata-action@v5 with: - images: ghcr.io/${{ github.repository }}/jerney-${{ matrix.component }} + images: ghcr.io/${{ github.repository_owner }}/${{ env.ENV }}/${{ env.PROJECT }}-${{ matrix.component }} tags: | type=sha,prefix= type=ref,event=branch @@ -135,28 +76,26 @@ jobs: provenance: true sbom: true - # ============================================================== - # STAGE 4: Container Image Scanning (Trivy) - # ============================================================== + image-scan: name: "🔬 Scan ${{ matrix.component }} Image" runs-on: ubuntu-latest needs: build strategy: matrix: - component: [backend, frontend] + component: ["cart"] steps: - name: Checkout code uses: actions/checkout@v4 - name: Build image for scanning run: | - docker build -t jerney-${{ matrix.component }}:scan ./${{ matrix.component }} + docker build -t ${{ env.PROJECT }}-${{ matrix.component }}:scan ./${{ matrix.component }} - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: - image-ref: "jerney-${{ matrix.component }}:scan" + image-ref: "${{ env.PROJECT }}-${{ matrix.component }}:scan" format: "table" exit-code: "1" ignore-unfixed: true @@ -164,15 +103,12 @@ jobs: severity: "CRITICAL,HIGH" timeout: "10m" - # ============================================================== - # STAGE 6: Dockerfile Lint (Hadolint) - # ============================================================== dockerfile-lint: name: "📋 Dockerfile Lint" runs-on: ubuntu-latest strategy: matrix: - component: [backend, frontend] + component: ["cart"] steps: - name: Checkout code uses: actions/checkout@v4 diff --git a/.github/workflows/catalogue.yaml b/.github/workflows/catalogue.yaml new file mode 100644 index 0000000..f0cf50b --- /dev/null +++ b/.github/workflows/catalogue.yaml @@ -0,0 +1,120 @@ +# ============================================================== +# Shopstack - DevSecOps CI/CD Pipeline +# ============================================================== + +name: Shopstack DevSecOps Pipeline + +on: + push: + branches: + - env/prod + paths: + - "catalogue/**" + - ".github/workflows/catalogue.yaml" + pull_request: + branches: + - env/prod + paths: + - "catalogue/**" + - ".github/workflows/catalogue.yaml" + +# Security: restrict default permissions to read-only +permissions: + contents: read + +env: + PROJECT: "shopstack" + ENV: "staging" + +jobs: + build: + name: "🐳 Build ${{ matrix.component }}" + runs-on: ubuntu-latest + permissions: + contents: read + packages: write # Needed to push to GHCR + strategy: + matrix: + component: ["catalogue"] + outputs: + image_tag: ${{ steps.meta.outputs.version }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository_owner }}/${{ env.ENV }}/${{ env.PROJECT }}-${{ matrix.component }} + tags: | + type=sha,prefix= + type=ref,event=branch + type=raw,value=latest,enable={{is_default_branch}} + + - name: Build and push image + uses: docker/build-push-action@v6 + with: + context: ./${{ matrix.component }} + file: ./${{ matrix.component }}/Dockerfile + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Security: provenance and SBOM + provenance: true + sbom: true + + + image-scan: + name: "🔬 Scan ${{ matrix.component }} Image" + runs-on: ubuntu-latest + needs: build + strategy: + matrix: + component: ["catalogue"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build image for scanning + run: | + docker build -t ${{ env.PROJECT }}-${{ matrix.component }}:scan ./${{ matrix.component }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ env.PROJECT }}-${{ matrix.component }}:scan" + format: "table" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: "CRITICAL,HIGH" + timeout: "10m" + + dockerfile-lint: + name: "📋 Dockerfile Lint" + runs-on: ubuntu-latest + strategy: + matrix: + component: ["catalogue"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ matrix.component }}/Dockerfile + failure-threshold: warning \ No newline at end of file diff --git a/.github/workflows/dispatch.yaml b/.github/workflows/dispatch.yaml new file mode 100644 index 0000000..e9b1453 --- /dev/null +++ b/.github/workflows/dispatch.yaml @@ -0,0 +1,120 @@ +# ============================================================== +# Shopstack - DevSecOps CI/CD Pipeline +# ============================================================== + +name: Shopstack DevSecOps Pipeline + +on: + push: + branches: + - env/prod + paths: + - "dispatch/**" + - ".github/workflows/dispatch.yaml" + pull_request: + branches: + - env/prod + paths: + - "dispatch/**" + - ".github/workflows/dispatch.yaml" + +# Security: restrict default permissions to read-only +permissions: + contents: read + +env: + PROJECT: "shopstack" + ENV: "staging" + +jobs: + build: + name: "🐳 Build ${{ matrix.component }}" + runs-on: ubuntu-latest + permissions: + contents: read + packages: write # Needed to push to GHCR + strategy: + matrix: + component: ["dispatch"] + outputs: + image_tag: ${{ steps.meta.outputs.version }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository_owner }}/${{ env.ENV }}/${{ env.PROJECT }}-${{ matrix.component }} + tags: | + type=sha,prefix= + type=ref,event=branch + type=raw,value=latest,enable={{is_default_branch}} + + - name: Build and push image + uses: docker/build-push-action@v6 + with: + context: ./${{ matrix.component }} + file: ./${{ matrix.component }}/Dockerfile + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Security: provenance and SBOM + provenance: true + sbom: true + + + image-scan: + name: "🔬 Scan ${{ matrix.component }} Image" + runs-on: ubuntu-latest + needs: build + strategy: + matrix: + component: ["dispatch"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build image for scanning + run: | + docker build -t ${{ env.PROJECT }}-${{ matrix.component }}:scan ./${{ matrix.component }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ env.PROJECT }}-${{ matrix.component }}:scan" + format: "table" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: "CRITICAL,HIGH" + timeout: "10m" + + dockerfile-lint: + name: "📋 Dockerfile Lint" + runs-on: ubuntu-latest + strategy: + matrix: + component: ["dispatch"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ matrix.component }}/Dockerfile + failure-threshold: warning \ No newline at end of file diff --git a/.github/workflows/mongo.yaml b/.github/workflows/mongo.yaml new file mode 100644 index 0000000..fcb8e00 --- /dev/null +++ b/.github/workflows/mongo.yaml @@ -0,0 +1,120 @@ +# ============================================================== +# Shopstack - DevSecOps CI/CD Pipeline +# ============================================================== + +name: Shopstack DevSecOps Pipeline + +on: + push: + branches: + - env/prod + paths: + - "mongo/**" + - ".github/workflows/mongo.yaml" + pull_request: + branches: + - env/prod + paths: + - "mongo/**" + - ".github/workflows/mongo.yaml" + +# Security: restrict default permissions to read-only +permissions: + contents: read + +env: + PROJECT: "shopstack" + ENV: "staging" + +jobs: + build: + name: "🐳 Build ${{ matrix.component }}" + runs-on: ubuntu-latest + permissions: + contents: read + packages: write # Needed to push to GHCR + strategy: + matrix: + component: ["mongo"] + outputs: + image_tag: ${{ steps.meta.outputs.version }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository_owner }}/${{ env.ENV }}/${{ env.PROJECT }}-${{ matrix.component }} + tags: | + type=sha,prefix= + type=ref,event=branch + type=raw,value=latest,enable={{is_default_branch}} + + - name: Build and push image + uses: docker/build-push-action@v6 + with: + context: ./${{ matrix.component }} + file: ./${{ matrix.component }}/Dockerfile + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Security: provenance and SBOM + provenance: true + sbom: true + + + image-scan: + name: "🔬 Scan ${{ matrix.component }} Image" + runs-on: ubuntu-latest + needs: build + strategy: + matrix: + component: ["mongo"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build image for scanning + run: | + docker build -t ${{ env.PROJECT }}-${{ matrix.component }}:scan ./${{ matrix.component }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ env.PROJECT }}-${{ matrix.component }}:scan" + format: "table" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: "CRITICAL,HIGH" + timeout: "10m" + + dockerfile-lint: + name: "📋 Dockerfile Lint" + runs-on: ubuntu-latest + strategy: + matrix: + component: ["mongo"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ matrix.component }}/Dockerfile + failure-threshold: warning \ No newline at end of file diff --git a/.github/workflows/mysql.yaml b/.github/workflows/mysql.yaml new file mode 100644 index 0000000..1e24a7e --- /dev/null +++ b/.github/workflows/mysql.yaml @@ -0,0 +1,120 @@ +# ============================================================== +# Shopstack - DevSecOps CI/CD Pipeline +# ============================================================== + +name: Shopstack DevSecOps Pipeline + +on: + push: + branches: + - env/prod + paths: + - "mysql/**" + - ".github/workflows/mysql.yaml" + pull_request: + branches: + - env/prod + paths: + - "mysql/**" + - ".github/workflows/mysql.yaml" + +# Security: restrict default permissions to read-only +permissions: + contents: read + +env: + PROJECT: "shopstack" + ENV: "staging" + +jobs: + build: + name: "🐳 Build ${{ matrix.component }}" + runs-on: ubuntu-latest + permissions: + contents: read + packages: write # Needed to push to GHCR + strategy: + matrix: + component: ["mysql"] + outputs: + image_tag: ${{ steps.meta.outputs.version }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository_owner }}/${{ env.ENV }}/${{ env.PROJECT }}-${{ matrix.component }} + tags: | + type=sha,prefix= + type=ref,event=branch + type=raw,value=latest,enable={{is_default_branch}} + + - name: Build and push image + uses: docker/build-push-action@v6 + with: + context: ./${{ matrix.component }} + file: ./${{ matrix.component }}/Dockerfile + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Security: provenance and SBOM + provenance: true + sbom: true + + + image-scan: + name: "🔬 Scan ${{ matrix.component }} Image" + runs-on: ubuntu-latest + needs: build + strategy: + matrix: + component: ["mysql"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build image for scanning + run: | + docker build -t ${{ env.PROJECT }}-${{ matrix.component }}:scan ./${{ matrix.component }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ env.PROJECT }}-${{ matrix.component }}:scan" + format: "table" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: "CRITICAL,HIGH" + timeout: "10m" + + dockerfile-lint: + name: "📋 Dockerfile Lint" + runs-on: ubuntu-latest + strategy: + matrix: + component: ["mysql"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ matrix.component }}/Dockerfile + failure-threshold: warning \ No newline at end of file diff --git a/.github/workflows/payment.yaml b/.github/workflows/payment.yaml new file mode 100644 index 0000000..6a89aff --- /dev/null +++ b/.github/workflows/payment.yaml @@ -0,0 +1,120 @@ +# ============================================================== +# Shopstack - DevSecOps CI/CD Pipeline +# ============================================================== + +name: Shopstack DevSecOps Pipeline + +on: + push: + branches: + - env/prod + paths: + - "payment/**" + - ".github/workflows/payment.yaml" + pull_request: + branches: + - env/prod + paths: + - "payment/**" + - ".github/workflows/payment.yaml" + +# Security: restrict default permissions to read-only +permissions: + contents: read + +env: + PROJECT: "shopstack" + ENV: "staging" + +jobs: + build: + name: "🐳 Build ${{ matrix.component }}" + runs-on: ubuntu-latest + permissions: + contents: read + packages: write # Needed to push to GHCR + strategy: + matrix: + component: ["payment"] + outputs: + image_tag: ${{ steps.meta.outputs.version }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository_owner }}/${{ env.ENV }}/${{ env.PROJECT }}-${{ matrix.component }} + tags: | + type=sha,prefix= + type=ref,event=branch + type=raw,value=latest,enable={{is_default_branch}} + + - name: Build and push image + uses: docker/build-push-action@v6 + with: + context: ./${{ matrix.component }} + file: ./${{ matrix.component }}/Dockerfile + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Security: provenance and SBOM + provenance: true + sbom: true + + + image-scan: + name: "🔬 Scan ${{ matrix.component }} Image" + runs-on: ubuntu-latest + needs: build + strategy: + matrix: + component: ["payment"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build image for scanning + run: | + docker build -t ${{ env.PROJECT }}-${{ matrix.component }}:scan ./${{ matrix.component }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ env.PROJECT }}-${{ matrix.component }}:scan" + format: "table" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: "CRITICAL,HIGH" + timeout: "10m" + + dockerfile-lint: + name: "📋 Dockerfile Lint" + runs-on: ubuntu-latest + strategy: + matrix: + component: ["payment"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ matrix.component }}/Dockerfile + failure-threshold: warning \ No newline at end of file diff --git a/.github/workflows/ratings.yaml b/.github/workflows/ratings.yaml new file mode 100644 index 0000000..ce27f99 --- /dev/null +++ b/.github/workflows/ratings.yaml @@ -0,0 +1,120 @@ +# ============================================================== +# Shopstack - DevSecOps CI/CD Pipeline +# ============================================================== + +name: Shopstack DevSecOps Pipeline + +on: + push: + branches: + - env/prod + paths: + - "ratings/**" + - ".github/workflows/ratings.yaml" + pull_request: + branches: + - env/prod + paths: + - "ratings/**" + - ".github/workflows/ratings.yaml" + +# Security: restrict default permissions to read-only +permissions: + contents: read + +env: + PROJECT: "shopstack" + ENV: "staging" + +jobs: + build: + name: "🐳 Build ${{ matrix.component }}" + runs-on: ubuntu-latest + permissions: + contents: read + packages: write # Needed to push to GHCR + strategy: + matrix: + component: ["ratings"] + outputs: + image_tag: ${{ steps.meta.outputs.version }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository_owner }}/${{ env.ENV }}/${{ env.PROJECT }}-${{ matrix.component }} + tags: | + type=sha,prefix= + type=ref,event=branch + type=raw,value=latest,enable={{is_default_branch}} + + - name: Build and push image + uses: docker/build-push-action@v6 + with: + context: ./${{ matrix.component }} + file: ./${{ matrix.component }}/Dockerfile + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Security: provenance and SBOM + provenance: true + sbom: true + + + image-scan: + name: "🔬 Scan ${{ matrix.component }} Image" + runs-on: ubuntu-latest + needs: build + strategy: + matrix: + component: ["ratings"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build image for scanning + run: | + docker build -t ${{ env.PROJECT }}-${{ matrix.component }}:scan ./${{ matrix.component }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ env.PROJECT }}-${{ matrix.component }}:scan" + format: "table" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: "CRITICAL,HIGH" + timeout: "10m" + + dockerfile-lint: + name: "📋 Dockerfile Lint" + runs-on: ubuntu-latest + strategy: + matrix: + component: ["ratings"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ matrix.component }}/Dockerfile + failure-threshold: warning \ No newline at end of file diff --git a/.github/workflows/shipping.yaml b/.github/workflows/shipping.yaml new file mode 100644 index 0000000..5c51b2c --- /dev/null +++ b/.github/workflows/shipping.yaml @@ -0,0 +1,120 @@ +# ============================================================== +# Shopstack - DevSecOps CI/CD Pipeline +# ============================================================== + +name: Shopstack DevSecOps Pipeline + +on: + push: + branches: + - env/prod + paths: + - "shipping/**" + - ".github/workflows/shipping.yaml" + pull_request: + branches: + - env/prod + paths: + - "shipping/**" + - ".github/workflows/shipping.yaml" + +# Security: restrict default permissions to read-only +permissions: + contents: read + +env: + PROJECT: "shopstack" + ENV: "staging" + +jobs: + build: + name: "🐳 Build ${{ matrix.component }}" + runs-on: ubuntu-latest + permissions: + contents: read + packages: write # Needed to push to GHCR + strategy: + matrix: + component: ["shipping"] + outputs: + image_tag: ${{ steps.meta.outputs.version }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository_owner }}/${{ env.ENV }}/${{ env.PROJECT }}-${{ matrix.component }} + tags: | + type=sha,prefix= + type=ref,event=branch + type=raw,value=latest,enable={{is_default_branch}} + + - name: Build and push image + uses: docker/build-push-action@v6 + with: + context: ./${{ matrix.component }} + file: ./${{ matrix.component }}/Dockerfile + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Security: provenance and SBOM + provenance: true + sbom: true + + + image-scan: + name: "🔬 Scan ${{ matrix.component }} Image" + runs-on: ubuntu-latest + needs: build + strategy: + matrix: + component: ["shipping"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build image for scanning + run: | + docker build -t ${{ env.PROJECT }}-${{ matrix.component }}:scan ./${{ matrix.component }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ env.PROJECT }}-${{ matrix.component }}:scan" + format: "table" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: "CRITICAL,HIGH" + timeout: "10m" + + dockerfile-lint: + name: "📋 Dockerfile Lint" + runs-on: ubuntu-latest + strategy: + matrix: + component: ["shipping"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ matrix.component }}/Dockerfile + failure-threshold: warning \ No newline at end of file diff --git a/.github/workflows/user.yaml b/.github/workflows/user.yaml new file mode 100644 index 0000000..9a15e05 --- /dev/null +++ b/.github/workflows/user.yaml @@ -0,0 +1,120 @@ +# ============================================================== +# Shopstack - DevSecOps CI/CD Pipeline +# ============================================================== + +name: Shopstack DevSecOps Pipeline + +on: + push: + branches: + - env/prod + paths: + - "user/**" + - ".github/workflows/user.yaml" + pull_request: + branches: + - env/prod + paths: + - "user/**" + - ".github/workflows/user.yaml" + +# Security: restrict default permissions to read-only +permissions: + contents: read + +env: + PROJECT: "shopstack" + ENV: "staging" + +jobs: + build: + name: "🐳 Build ${{ matrix.component }}" + runs-on: ubuntu-latest + permissions: + contents: read + packages: write # Needed to push to GHCR + strategy: + matrix: + component: ["user"] + outputs: + image_tag: ${{ steps.meta.outputs.version }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository_owner }}/${{ env.ENV }}/${{ env.PROJECT }}-${{ matrix.component }} + tags: | + type=sha,prefix= + type=ref,event=branch + type=raw,value=latest,enable={{is_default_branch}} + + - name: Build and push image + uses: docker/build-push-action@v6 + with: + context: ./${{ matrix.component }} + file: ./${{ matrix.component }}/Dockerfile + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Security: provenance and SBOM + provenance: true + sbom: true + + + image-scan: + name: "🔬 Scan ${{ matrix.component }} Image" + runs-on: ubuntu-latest + needs: build + strategy: + matrix: + component: ["user"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build image for scanning + run: | + docker build -t ${{ env.PROJECT }}-${{ matrix.component }}:scan ./${{ matrix.component }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ env.PROJECT }}-${{ matrix.component }}:scan" + format: "table" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: "CRITICAL,HIGH" + timeout: "10m" + + dockerfile-lint: + name: "📋 Dockerfile Lint" + runs-on: ubuntu-latest + strategy: + matrix: + component: ["user"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ matrix.component }}/Dockerfile + failure-threshold: warning \ No newline at end of file diff --git a/.github/workflows/web.yaml b/.github/workflows/web.yaml new file mode 100644 index 0000000..1253701 --- /dev/null +++ b/.github/workflows/web.yaml @@ -0,0 +1,120 @@ +# ============================================================== +# Shopstack - DevSecOps CI/CD Pipeline +# ============================================================== + +name: Shopstack DevSecOps Pipeline + +on: + push: + branches: + - env/prod + paths: + - "web/**" + - ".github/workflows/web.yaml" + pull_request: + branches: + - env/prod + paths: + - "web/**" + - ".github/workflows/web.yaml" + +# Security: restrict default permissions to read-only +permissions: + contents: read + +env: + PROJECT: "shopstack" + ENV: "staging" + +jobs: + build: + name: "🐳 Build ${{ matrix.component }}" + runs-on: ubuntu-latest + permissions: + contents: read + packages: write # Needed to push to GHCR + strategy: + matrix: + component: ["web"] + outputs: + image_tag: ${{ steps.meta.outputs.version }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository_owner }}/${{ env.ENV }}/${{ env.PROJECT }}-${{ matrix.component }} + tags: | + type=sha,prefix= + type=ref,event=branch + type=raw,value=latest,enable={{is_default_branch}} + + - name: Build and push image + uses: docker/build-push-action@v6 + with: + context: ./${{ matrix.component }} + file: ./${{ matrix.component }}/Dockerfile + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Security: provenance and SBOM + provenance: true + sbom: true + + + image-scan: + name: "🔬 Scan ${{ matrix.component }} Image" + runs-on: ubuntu-latest + needs: build + strategy: + matrix: + component: ["web"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build image for scanning + run: | + docker build -t ${{ env.PROJECT }}-${{ matrix.component }}:scan ./${{ matrix.component }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ env.PROJECT }}-${{ matrix.component }}:scan" + format: "table" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: "CRITICAL,HIGH" + timeout: "10m" + + dockerfile-lint: + name: "📋 Dockerfile Lint" + runs-on: ubuntu-latest + strategy: + matrix: + component: ["web"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ matrix.component }}/Dockerfile + failure-threshold: warning \ No newline at end of file diff --git a/cart/Dockerfile b/cart/Dockerfile index 51cb07a..d48940e 100644 --- a/cart/Dockerfile +++ b/cart/Dockerfile @@ -12,4 +12,4 @@ RUN npm install && npm cache clean --force COPY server.js /opt/server/ -CMD ["node", "server.js"] \ No newline at end of file +CMD ["node", "server.js"]