From 7c8ba145f8a225285920e54a7da44a4bed5a0dcf Mon Sep 17 00:00:00 2001
From: Adish M
Date: Tue, 1 Apr 2025 11:03:37 +0530
Subject: [PATCH] Adding vulnerability-ci.yml to main

---
 .github/workflows/vulnerability-ci.yml | 650 +++++++++++++++++++++++++
 1 file changed, 650 insertions(+)
 create mode 100644 .github/workflows/vulnerability-ci.yml

diff --git a/.github/workflows/vulnerability-ci.yml b/.github/workflows/vulnerability-ci.yml
new file mode 100644
index 0000000000..536a66c609
--- /dev/null
+++ b/.github/workflows/vulnerability-ci.yml
@@ -0,0 +1,650 @@ +name: Vulnerability CI + +# Controls when the workflow will run +on: + pull_request: + types: [labeled, unlabeled, closed] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + + # Schedule the workflow to run every two weeks + schedule: + - cron: '30 5 */14 * *' + +jobs: + PeriodicVulnerability-CheckOn-frontend-code: + if: github.event_name == 'schedule' + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + with: + ref: refs/heads/main + + - name: Use Node.js 18.18.2 + uses: actions/setup-node@v3 + with: + node-version: 18.18.2 + + - name: Install dependencies + run: npm --prefix frontend install + + - name: Running security audit + run: npm --prefix server audit --json > Periodic-frontend-audit.json + continue-on-error: true + + - name: Parse audit summary + id: parse-audit + run: | + vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-frontend-audit.json) + moderate=$(echo $vulnerabilities | jq '.moderate') + high=$(echo $vulnerabilities | jq '.high') + critical=$(echo $vulnerabilities | jq '.critical') + echo "::set-output name=moderate::$moderate" + echo "::set-output name=high::$high" + echo "::set-output name=critical::$critical" + + - name: Upload audit report + uses: actions/upload-artifact@v3 + with: + name: Periodic-frontend-audit-report + path: Periodic-frontend-audit.json + + - name: Send Slack Notification + run: | + message="Periodic Security Audit Report Of Frontend directory\n + Node module vulnerabilities summary:\n + 🔴 Critical: ${{ steps.parse-audit.outputs.critical }}\n + 🟠 High: ${{ steps.parse-audit.outputs.high }}\n + 🟡 Moderate: ${{ steps.parse-audit.outputs.moderate }}\n + \nDownload Audit Report: http://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" + + curl -X POST -H 'Content-type: application/json' --data "{\"text\":\"$message\"}" ${{ secrets.SLACK_WEBHOOK_URL_VUR }} + + + 
PeriodicVulnerability-CheckOn-server-code: + if: github.event_name == 'schedule' + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + with: + ref: refs/heads/main + + - name: Use Node.js 18.18.2 + uses: actions/setup-node@v3 + with: + node-version: 18.18.2 + + - name: Install dependencies + run: npm --prefix server install + + - name: Running security audit + run: npm --prefix server audit --json > Periodic-server-audit.json + continue-on-error: true + + - name: Parse audit summary + id: parse-audit + run: | + vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-server-audit.json) + moderate=$(echo $vulnerabilities | jq '.moderate') + high=$(echo $vulnerabilities | jq '.high') + critical=$(echo $vulnerabilities | jq '.critical') + echo "::set-output name=moderate::$moderate" + echo "::set-output name=high::$high" + echo "::set-output name=critical::$critical" + + - name: Upload audit report + uses: actions/upload-artifact@v3 + with: + name: Periodic-server-audit-report + path: Periodic-server-audit.json + + - name: Send Slack Notification + run: | + message="### Periodic Security Audit Report Of Server directory\n + Node module vulnerabilities summary:\n + 🔴 Critical: ${{ steps.parse-audit.outputs.critical }}\n + 🟠 High: ${{ steps.parse-audit.outputs.high }}\n + 🟡 Moderate: ${{ steps.parse-audit.outputs.moderate }}\n + \nDownload Audit Report: http://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" + + curl -X POST -H 'Content-type: application/json' --data "{\"text\":\"$message\"}" ${{ secrets.SLACK_WEBHOOK_URL_VUR }} + + + PeriodicVulnerability-CheckOn-marketplace-code: + if: github.event_name == 'schedule' + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + with: + ref: refs/heads/main + + - name: Use Node.js 18.18.2 + uses: actions/setup-node@v3 + with: + node-version: 18.18.2 + + - name: Install dependencies + run: npm --prefix marketplace install 
+ + - name: Running security audit + run: npm --prefix marketplace audit --json > Periodic-marketplace-audit.json + continue-on-error: true + + - name: Parse audit summary + id: parse-audit + run: | + vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-marketplace-audit.json) + moderate=$(echo $vulnerabilities | jq '.moderate') + high=$(echo $vulnerabilities | jq '.high') + critical=$(echo $vulnerabilities | jq '.critical') + echo "::set-output name=moderate::$moderate" + echo "::set-output name=high::$high" + echo "::set-output name=critical::$critical" + + - name: Upload audit report + uses: actions/upload-artifact@v3 + with: + name: Periodic-marketplace-audit-report + path: Periodic-marketplace-audit.json + + - name: Send Slack Notification + run: | + message="Periodic Security Audit Report Of Marketplace directory\n + Node module vulnerabilities summary:\n + 🔴 Critical: ${{ steps.parse-audit.outputs.critical }}\n + 🟠 High: ${{ steps.parse-audit.outputs.high }}\n + 🟡 Moderate: ${{ steps.parse-audit.outputs.moderate }}\n + \nDownload Audit Report: http://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" + + curl -X POST -H 'Content-type: application/json' --data "{\"text\":\"$message\"}" ${{ secrets.SLACK_WEBHOOK_URL_VUR }} + + + PeriodicVulnerability-CheckOn-plugins-code: + if: github.event_name == 'schedule' + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + with: + ref: refs/heads/main + + - name: Use Node.js 18.18.2 + uses: actions/setup-node@v3 + with: + node-version: 18.18.2 + + - name: Install dependencies + run: npm --prefix plugins install + + - name: Running security audit + run: npm --prefix plugins audit --json > Periodic-plugins-audit.json + continue-on-error: true + + - name: Parse audit summary + id: parse-audit + run: | + vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-plugins-audit.json) + moderate=$(echo $vulnerabilities | jq '.moderate') + high=$(echo 
$vulnerabilities | jq '.high') + critical=$(echo $vulnerabilities | jq '.critical') + echo "::set-output name=moderate::$moderate" + echo "::set-output name=high::$high" + echo "::set-output name=critical::$critical" + + - name: Upload audit report + uses: actions/upload-artifact@v3 + with: + name: Periodic-plugins-audit-report + path: Periodic-plugins-audit.json + + - name: Send Slack Notification + run: | + message="Periodic Security Audit Report Of Plugins directory\n + Node module vulnerabilities summary:\n + 🔴 Critical: ${{ steps.parse-audit.outputs.critical }}\n + 🟠 High: ${{ steps.parse-audit.outputs.high }}\n + 🟡 Moderate: ${{ steps.parse-audit.outputs.moderate }}\n + \nDownload Audit Report: http://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" + + curl -X POST -H 'Content-type: application/json' --data "{\"text\":\"$message\"}" ${{ secrets.SLACK_WEBHOOK_URL_VUR }} + + + PeriodicVulnerability-CheckOn-cypress-code: + if: github.event_name == 'schedule' + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + with: + ref: refs/heads/main + + - name: Use Node.js 18.18.2 + uses: actions/setup-node@v3 + with: + node-version: 18.18.2 + + - name: Install dependencies + run: npm --prefix cypress-tests install + + - name: Running security audit + run: npm --prefix cypress-tests audit --json > Periodic-cypress-audit.json + continue-on-error: true + + - name: Parse audit summary + id: parse-audit + run: | + vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-cypress-audit.json) + moderate=$(echo $vulnerabilities | jq '.moderate') + high=$(echo $vulnerabilities | jq '.high') + critical=$(echo $vulnerabilities | jq '.critical') + echo "::set-output name=moderate::$moderate" + echo "::set-output name=high::$high" + echo "::set-output name=critical::$critical" + + - name: Upload audit report + uses: actions/upload-artifact@v3 + with: + name: Periodic-cypress-audit-report + path: 
Periodic-cypress-audit.json + + - name: Send Slack Notification + run: | + message="Periodic Security Audit Report Of Cypress directory\n + Node module vulnerabilities summary:\n + 🔴 Critical: ${{ steps.parse-audit.outputs.critical }}\n + 🟠 High: ${{ steps.parse-audit.outputs.high }}\n + 🟡 Moderate: ${{ steps.parse-audit.outputs.moderate }}\n + \nDownload Audit Report: http://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" + + curl -X POST -H 'Content-type: application/json' --data "{\"text\":\"$message\"}" ${{ secrets.SLACK_WEBHOOK_URL_VUR }} + + + PeriodicVulnerability-CheckOn-root-code: + if: github.event_name == 'schedule' + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + with: + ref: refs/heads/main + + - name: Use Node.js 18.18.2 + uses: actions/setup-node@v3 + with: + node-version: 18.18.2 + + - name: Install dependencies + run: npm install + + - name: Running security audit + run: npm audit --json > Periodic-root-audit.json + continue-on-error: true + + - name: Parse audit summary + id: parse-audit + run: | + vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-root-audit.json) + moderate=$(echo $vulnerabilities | jq '.moderate') + high=$(echo $vulnerabilities | jq '.high') + critical=$(echo $vulnerabilities | jq '.critical') + echo "::set-output name=moderate::$moderate" + echo "::set-output name=high::$high" + echo "::set-output name=critical::$critical" + + - name: Upload audit report + uses: actions/upload-artifact@v3 + with: + name: Periodic-root-audit-report + path: Periodic-root-audit.json + + - name: Send Slack Notification + run: | + message="Periodic Security Audit Report Of Root directory\n + Node module vulnerabilities summary:\n + 🔴 Critical: ${{ steps.parse-audit.outputs.critical }}\n + 🟠 High: ${{ steps.parse-audit.outputs.high }}\n + 🟡 Moderate: ${{ steps.parse-audit.outputs.moderate }}\n + \nDownload Audit Report: http://github.com/${{ github.repository 
}}/actions/runs/${{ github.run_id }}" + + curl -X POST -H 'Content-type: application/json' --data "{\"text\":\"$message\"}" ${{ secrets.SLACK_WEBHOOK_URL_VUR }} + + + ManualVulnerability-CheckOn-frontend-code: + if: ${{ github.event.action == 'labeled' && (github.event.label.name == 'frontend-vulnerability' || github.event.label.name == 'check-vulnerability') }} + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + + - name: Use Node.js 18.18.2 + uses: actions/setup-node@v3 + with: + node-version: 18.18.2 + + - name: Install dependencies + run: npm --prefix frontend install + + - name: Running security audit + run: npm --prefix frontend audit --json > frontend-audit.json + continue-on-error: true + + - name: Parse audit summary + id: parse-audit + run: | + vulnerabilities=$(jq '.metadata.vulnerabilities' frontend-audit.json) + moderate=$(echo $vulnerabilities | jq '.moderate') + high=$(echo $vulnerabilities | jq '.high') + critical=$(echo $vulnerabilities | jq '.critical') + echo "::set-output name=moderate::$moderate" + echo "::set-output name=high::$high" + echo "::set-output name=critical::$critical" + + - name: Upload audit report + uses: actions/upload-artifact@v3 + with: + name: frontend-audit-report + path: frontend-audit.json + + - name: Create or update PR comment + uses: peter-evans/create-or-update-comment@v1 + with: + token: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository }} + issue-number: ${{ github.event.pull_request.number }} + body: | + ### Security Audit Report Of Frontend directory + **Node module vulnerabilities summary:** + 🔴 Critical: ${{ steps.parse-audit.outputs.critical }} + 🟠 High: ${{ steps.parse-audit.outputs.high }} + 🟡 Moderate: ${{ steps.parse-audit.outputs.moderate }} + + Please find the JSON file in the [summary page](${{ github.frontend_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}). 
+ + + ManualVulnerability-CheckOn-server-code: + if: ${{ github.event.action == 'labeled' && (github.event.label.name == 'server-vulnerability' || github.event.label.name == 'check-vulnerability') }} + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + + - name: Use Node.js 18.18.2 + uses: actions/setup-node@v3 + with: + node-version: 18.18.2 + + - name: Install dependencies + run: npm --prefix server install + + - name: Running security audit + run: npm --prefix server audit --json > server-audit.json + continue-on-error: true + + - name: Parse audit summary + id: parse-audit + run: | + vulnerabilities=$(jq '.metadata.vulnerabilities' server-audit.json) + moderate=$(echo $vulnerabilities | jq '.moderate') + high=$(echo $vulnerabilities | jq '.high') + critical=$(echo $vulnerabilities | jq '.critical') + echo "::set-output name=moderate::$moderate" + echo "::set-output name=high::$high" + echo "::set-output name=critical::$critical" + + - name: Upload audit report + uses: actions/upload-artifact@v3 + with: + name: server-audit-report + path: server-audit.json + + - name: Create or update PR comment + uses: peter-evans/create-or-update-comment@v1 + with: + token: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository }} + issue-number: ${{ github.event.pull_request.number }} + body: | + ### Security Audit Report Of Server directory + **Node module vulnerabilities summary:** + 🔴 Critical: ${{ steps.parse-audit.outputs.critical }} + 🟠 High: ${{ steps.parse-audit.outputs.high }} + 🟡 Moderate: ${{ steps.parse-audit.outputs.moderate }} + + Please find the JSON file in the [summary page](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}). 
+ + + ManualVulnerability-CheckOn-marketplace-code: + if: ${{ github.event.action == 'labeled' && (github.event.label.name == 'marketplace-vulnerability' || github.event.label.name == 'check-vulnerability') }} + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + + - name: Use Node.js 18.18.2 + uses: actions/setup-node@v3 + with: + node-version: 18.18.2 + + - name: Install dependencies + run: npm --prefix marketplace install + + - name: Running security audit + run: npm --prefix marketplace audit --json > marketplace-audit.json + continue-on-error: true + + - name: Parse audit summary + id: parse-audit + run: | + vulnerabilities=$(jq '.metadata.vulnerabilities' marketplace-audit.json) + moderate=$(echo $vulnerabilities | jq '.moderate') + high=$(echo $vulnerabilities | jq '.high') + critical=$(echo $vulnerabilities | jq '.critical') + echo "::set-output name=moderate::$moderate" + echo "::set-output name=high::$high" + echo "::set-output name=critical::$critical" + + - name: Upload audit report + uses: actions/upload-artifact@v3 + with: + name: marketplace-audit-report + path: marketplace-audit.json + + - name: Create or update PR comment + uses: peter-evans/create-or-update-comment@v1 + with: + token: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository }} + issue-number: ${{ github.event.pull_request.number }} + body: | + ### Security Audit Report Of Marketplace directory + **Node module vulnerabilities summary:** + 🔴 Critical: ${{ steps.parse-audit.outputs.critical }} + 🟠 High: ${{ steps.parse-audit.outputs.high }} + 🟡 Moderate: ${{ steps.parse-audit.outputs.moderate }} + + Please find the JSON file in the [summary page](${{ github.marketplace_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}). 
+ + + ManualVulnerability-CheckOn-plugins-code: + if: ${{ github.event.action == 'labeled' && (github.event.label.name == 'plugins-vulnerability' || github.event.label.name == 'check-vulnerability') }} + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + + - name: Use Node.js 18.18.2 + uses: actions/setup-node@v3 + with: + node-version: 18.18.2 + + - name: Install dependencies + run: npm --prefix plugins install + + - name: Running security audit + run: npm --prefix plugins audit --json > plugins-audit.json + continue-on-error: true + + - name: Parse audit summary + id: parse-audit + run: | + vulnerabilities=$(jq '.metadata.vulnerabilities' plugins-audit.json) + moderate=$(echo $vulnerabilities | jq '.moderate') + high=$(echo $vulnerabilities | jq '.high') + critical=$(echo $vulnerabilities | jq '.critical') + echo "::set-output name=moderate::$moderate" + echo "::set-output name=high::$high" + echo "::set-output name=critical::$critical" + + - name: Upload audit report + uses: actions/upload-artifact@v3 + with: + name: plugins-audit-report + path: plugins-audit.json + + - name: Create or update PR comment + uses: peter-evans/create-or-update-comment@v1 + with: + token: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository }} + issue-number: ${{ github.event.pull_request.number }} + body: | + ### Security Audit Report Of Plugins directory + **Node module vulnerabilities summary:** + 🔴 Critical: ${{ steps.parse-audit.outputs.critical }} + 🟠 High: ${{ steps.parse-audit.outputs.high }} + 🟡 Moderate: ${{ steps.parse-audit.outputs.moderate }} + + Please find the JSON file in the [summary page](${{ github.plugins_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}). 
+ + + + ManualVulnerability-CheckOn-cypress-code: + if: ${{ github.event.action == 'labeled' && (github.event.label.name == 'cypress-vulnerability' || github.event.label.name == 'check-vulnerability') }} + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + + - name: Use Node.js 18.18.2 + uses: actions/setup-node@v3 + with: + node-version: 18.18.2 + + - name: Install dependencies + run: npm --prefix cypress-tests install + + - name: Running security audit + run: npm --prefix cypress-tests audit --json > cypress-audit.json + continue-on-error: true + + - name: Parse audit summary + id: parse-audit + run: | + vulnerabilities=$(jq '.metadata.vulnerabilities' cypress-audit.json) + moderate=$(echo $vulnerabilities | jq '.moderate') + high=$(echo $vulnerabilities | jq '.high') + critical=$(echo $vulnerabilities | jq '.critical') + echo "::set-output name=moderate::$moderate" + echo "::set-output name=high::$high" + echo "::set-output name=critical::$critical" + + - name: Upload audit report + uses: actions/upload-artifact@v3 + with: + name: cypress-audit-report + path: cypress-audit.json + + - name: Create or update PR comment + uses: peter-evans/create-or-update-comment@v1 + with: + token: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository }} + issue-number: ${{ github.event.pull_request.number }} + body: | + ### Security Audit Report Of Cypress directory + **Node module vulnerabilities summary:** + 🔴 Critical: ${{ steps.parse-audit.outputs.critical }} + 🟠 High: ${{ steps.parse-audit.outputs.high }} + 🟡 Moderate: ${{ steps.parse-audit.outputs.moderate }} + + Please find the JSON file in the [summary page](${{ github.cypress_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}). 
+ + + + ManualVulnerability-CheckOn-root-code: + if: ${{ github.event.action == 'labeled' && (github.event.label.name == 'root-vulnerability' || github.event.label.name == 'check-vulnerability') }} + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + + - name: Use Node.js 18.18.2 + uses: actions/setup-node@v3 + with: + node-version: 18.18.2 + + - name: Install dependencies + run: npm install + + - name: Running security audit + run: npm audit --json > root-audit.json + continue-on-error: true + + - name: Parse audit summary + id: parse-audit + run: | + vulnerabilities=$(jq '.metadata.vulnerabilities' root-audit.json) + moderate=$(echo $vulnerabilities | jq '.moderate') + high=$(echo $vulnerabilities | jq '.high') + critical=$(echo $vulnerabilities | jq '.critical') + echo "::set-output name=moderate::$moderate" + echo "::set-output name=high::$high" + echo "::set-output name=critical::$critical" + + - name: Upload audit report + uses: actions/upload-artifact@v3 + with: + name: root-audit-report + path: root-audit.json + + - name: Create or update PR comment + uses: peter-evans/create-or-update-comment@v1 + with: + token: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository }} + issue-number: ${{ github.event.pull_request.number }} + body: | + ### Security Audit Report Of Root directory + **Node module vulnerabilities summary:** + 🔴 Critical: ${{ steps.parse-audit.outputs.critical }} + 🟠 High: ${{ steps.parse-audit.outputs.high }} + 🟡 Moderate: ${{ steps.parse-audit.outputs.moderate }} + + Please find the JSON file in the [summary page](${{ github.root_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}). \ No newline at end of file
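Review bot: The first job installs `frontend` but then audits the wrong tree — `npm --prefix server audit --json > Periodic-frontend-audit.json` — so the scheduled "frontend" report actually describes the server directory and the frontend is never audited on main; it should read `npm --prefix frontend audit --json > Periodic-frontend-audit.json`. The workflow declares no `permissions:` block, so every job inherits the repository's default token scope although only the PR-comment steps need write access; add a top-level `permissions:` with `contents: read` and `pull-requests: write`. Every job runs `npm install`, which executes each dependency's install scripts on the runner and may re-resolve the committed lockfile, and the PR jobs do so on `github.event.pull_request.head.ref`, a branch name that does not exist in this repository for fork PRs — `npm ci --ignore-scripts` (assuming a lockfile is committed) gives the same audit input without running untrusted code, and checking out `head.sha` works for forks. The `::set-output` commands are deprecated in favour of writing `name=value` to `$GITHUB_OUTPUT`, `actions/upload-artifact@v3` is deprecated, and the PR-comment links use context properties that do not exist (`github.frontend_url`, `github.marketplace_url`, `github.plugins_url`, `github.cypress_url`, `github.root_url`; only the server job's `github.server_url` is real), so those links presumably render with an empty host. Finally, `workflow_dispatch` is listed as a trigger but no job's `if:` admits it, the Slack links use `http://` rather than `https://`, and `secrets.SLACK_WEBHOOK_URL_VUR` is interpolated straight into the shell script instead of being passed through `env:`.

```yaml
permissions:
  contents: read
  pull-requests: write  # only the create-or-update-comment steps need this

# … unchanged: on: triggers …

jobs:
  PeriodicVulnerability-CheckOn-frontend-code:
    # … unchanged: if:, runs-on, checkout, setup-node …
      - name: Install dependencies
        # ci honours the committed lockfile; --ignore-scripts keeps dependency
        # lifecycle hooks from executing on the runner (audit does not need them)
        run: npm --prefix frontend ci --ignore-scripts

      - name: Running security audit
        run: npm --prefix frontend audit --json > Periodic-frontend-audit.json
        continue-on-error: true

      - name: Parse audit summary
        id: parse-audit
        run: |
          vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-frontend-audit.json)
          echo "moderate=$(echo "$vulnerabilities" | jq '.moderate')" >> "$GITHUB_OUTPUT"
          echo "high=$(echo "$vulnerabilities" | jq '.high')" >> "$GITHUB_OUTPUT"
          echo "critical=$(echo "$vulnerabilities" | jq '.critical')" >> "$GITHUB_OUTPUT"

      # … unchanged: upload-artifact step (move to a supported major version) …

      - name: Send Slack Notification
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_VUR }}
        run: |
          # … unchanged: message assembly (use https://github.com in the link) …
          curl -X POST -H 'Content-type: application/json' --data "{\"text\":\"$message\"}" "$SLACK_WEBHOOK_URL"
```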