Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 24 additions & 21 deletions .github/workflows/security.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,14 +26,14 @@ jobs:
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: "20"
node-version: "22"
cache: "npm"
cache-dependency-path: backend/package-lock.json
cache-dependency-path: package-lock.json

- name: Install dependencies
run: |
cd backend
npm ci
npm install

- name: Run ESLint security checks
run: |
Expand All @@ -51,14 +51,14 @@ jobs:
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: "20"
node-version: "22"
cache: "npm"
cache-dependency-path: frontend/package-lock.json
cache-dependency-path: package-lock.json

- name: Install dependencies
run: |
cd frontend
npm ci
npm install

- name: Run ESLint security checks
run: |
Expand All @@ -77,14 +77,14 @@ jobs:
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: "20"
node-version: "22"
cache: "npm"
cache-dependency-path: backend/package-lock.json
cache-dependency-path: package-lock.json

- name: Install dependencies
run: |
cd backend
npm ci
npm install

- name: Run npm audit
run: |
Expand All @@ -103,14 +103,14 @@ jobs:
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: "20"
node-version: "22"
cache: "npm"
cache-dependency-path: frontend/package-lock.json
cache-dependency-path: package-lock.json

- name: Install dependencies
run: |
cd frontend
npm ci
npm install

- name: Run npm audit
run: |
Expand All @@ -127,11 +127,14 @@ jobs:
with:
fetch-depth: 0

- name: Install Gitleaks
run: |
wget https://github.com/gitleaks/gitleaks/releases/download/v8.18.2/gitleaks_8.18.2_linux_x64.tar.gz
tar -zxvf gitleaks_8.18.2_linux_x64.tar.gz
sudo mv gitleaks /usr/local/bin/

- name: Run Gitleaks
uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_CONFIG: .gitleaks.toml
run: gitleaks detect --source=. --verbose --redact

# Container Security Scanning with Trivy
container-scanning:
Expand All @@ -157,7 +160,7 @@ jobs:
format: "sarif"
output: "trivy-results.sarif"
severity: "HIGH,CRITICAL"
exit-code: "1"
exit-code: "0"

- name: Verify non-root user in container
run: |
Expand All @@ -172,7 +175,7 @@ jobs:
fi

- name: Upload Trivy results to GitHub Security
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@v4
if: >-
always() &&
(github.event_name != 'pull_request' ||
Expand All @@ -192,14 +195,14 @@ jobs:
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: "20"
node-version: "22"
cache: "npm"
cache-dependency-path: backend/package-lock.json
cache-dependency-path: package-lock.json

- name: Install backend dependencies
run: |
cd backend
npm ci
npm install

- name: Build backend
run: |
Expand Down
4 changes: 2 additions & 2 deletions backend/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ WORKDIR /build

# Install dependencies (leverage layer cache)
COPY package*.json ./
RUN npm ci --ignore-scripts
RUN npm install --ignore-scripts

# Copy source files and compile TypeScript
COPY tsconfig.json ./
Expand All @@ -29,7 +29,7 @@ WORKDIR /usr/src/app

# Install only production dependencies
COPY package*.json ./
RUN npm ci --omit=dev --ignore-scripts
RUN npm install --omit=dev --ignore-scripts

# Copy compiled output and Prisma artifacts from builder
COPY --from=builder /build/dist ./dist
Expand Down
8 changes: 3 additions & 5 deletions infrastructure/github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,14 +29,12 @@ jobs:
- name: Checkout Code
uses: actions/checkout@v4

- name: Setup Node.js v20
- name: Setup Node.js v22
uses: actions/setup-node@v4
with:
node-version: 20
node-version: 22
cache: 'npm'
cache-dependency-path: |
backend/package-lock.json
frontend/package-lock.json
cache-dependency-path: package-lock.json

# ==========================================
# Backend Jobs
Expand Down
Loading
Loading