diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
new file mode 100644
index 00000000..dfc8d6d5
--- /dev/null
+++ b/.github/workflows/sonar.yml
@@ -0,0 +1,49 @@
+name: Sonar Scan
+
+on:
+ push:
+ branches:
+ - main
+ - develop
+ - master
+ - 'release/**'
+ pull_request:
+
+permissions:
+ contents: read
+
+jobs:
+ sonar:
+ name: Sonar Scan
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Set up Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: '20'
+
+ - name: Install dependencies
+ run: npm ci
+
+ - name: Run tests with coverage
+ run: npm run test:coverage
+
+ - name: Sonar Scan
+ uses: SonarSource/sonarqube-scan-action@v6
+ env:
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+ SONAR_ORGANIZATION: ${{ secrets.SONAR_ORGANIZATION }}
+
+ # - name: Sonar Quality Gate
+ # uses: SonarSource/sonarqube-quality-gate-action@v1.1.0
+ # timeout-minutes: 10
+ # env:
+ # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ # SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 00000000..211fdec7
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,32 @@
+name: Security - Trivy
+
+on:
+ push:
+ branches: [main, develop]
+ pull_request:
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ trivy:
+ name: Trivy Scan
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Run Trivy Scan
+ uses: aquasecurity/trivy-action@v0.35.0
+ with:
+ scan-type: fs
+ format: sarif
+ output: trivy-results.sarif
+ severity: CRITICAL,HIGH
+
+ - name: Upload results to GitHub Security
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: trivy-results.sarif
diff --git a/Jenkinsfile b/Jenkinsfile
deleted file mode 100644
index e79ee693..00000000
--- a/Jenkinsfile
+++ /dev/null
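Review bot: The Quality Gate step at the end of the sonar.yml hunk is commented out, so this job only uploads analysis and never fails on a failed gate — the deleted Jenkinsfile's `waitForQualityGate abortPipeline: true` stage did block the pipeline, so the migration silently drops that enforcement. Re-enable the `SonarSource/sonarqube-quality-gate-action` step with the same `SONAR_TOKEN`/`SONAR_HOST_URL` env and its `timeout-minutes: 10` so a failing gate fails the run, or add a comment above it stating the gate is intentionally advisory. Separately, the job triggers on `pull_request` but reads `secrets.SONAR_TOKEN`; for pull requests from forks that secret is empty and the scan step will fail — guard it with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` rather than switching to `pull_request_target`, which would hand the token to untrusted PR code. Finally, every action here is pinned to a movable tag (`@v4`, `@v6`); pinning to a full commit SHA with a `# vN` comment is the usual supply-chain hardening for a workflow that holds a scanner token.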
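Review bot: The Trivy step in the trivy.yml hunk sets `severity: CRITICAL,HIGH` and `format: sarif` but no `exit-code`, and as far as I recall trivy-action's default exit code is 0, so CRITICAL/HIGH findings are uploaded to the Security tab but never fail the job or block a merge. If the intent is to gate, add `exit-code: '1'` (and `ignore-unfixed: true` so the job does not fail on vulnerabilities with no available fix) under `with:`; if it is intentionally advisory, say so in a comment above the step. Note also that `upload-sarif` needs `security-events: write`, which the GITHUB_TOKEN does not get on `pull_request` runs from forks, so that step will presumably error for external contributors — consider an `if:` guard on the upload step. As in sonar.yml, `aquasecurity/trivy-action@v0.35.0` and the other actions are pinned to movable tags rather than commit SHAs.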
@@ -1,45 +0,0 @@ -pipeline { - agent any - - stages { - stage('Checkout Code') { - steps { - checkout scm - } - } - - stage('Install Dependencies') { - steps { - sh 'npm ci' - } - } - - stage('Run Tests with Coverage') { - steps { - sh 'npm run test:coverage' - } - } - - stage('SonarQube Analysis') { - steps { - script { - // Get path to the installed Sonar Scanner tool - def scannerHome = tool 'SonarScanner' - - withSonarQubeEnv('aptl-sonar') { - // Run the scanner binary - sh "${scannerHome}/bin/sonar-scanner" - } - } - } - } - - stage('Quality Gate') { - steps { - timeout(time: 10, unit: 'MINUTES') { - waitForQualityGate abortPipeline: true - } - } - } - } -} diff --git a/sonar-project.properties b/sonar-project.properties index 70086a3f..edca896b 100644 --- a/sonar-project.properties +++ b/sonar-project.properties @@ -1,5 +1,5 @@ -sonar.projectKey=aptlogica_base-ui_6f26c5b2-1866-41a0-b97a-867b45ceecdb - +sonar.projectKey=aptlogica_base-ui +sonar.organization=aptlogica # Exclude test/support files, SDK, configs, and non-app sources from analysis sonar.exclusions=**/*.test.ts,**/*.test.tsx,**/*.spec.ts,**/*.spec.tsx,**/__tests__/**,**/__test__/**,src/test/**,sdk/**,webpack.config.js,Dockerfile,**/*.stories.*,playwright.config.*,examples/**,src/types/**,src/**/types/**