mirror of
https://github.com/ToolJet/ToolJet
synced 2026-04-21 13:37:28 +00:00
1647 lines
58 KiB
YAML
1647 lines
58 KiB
YAML
name: Vulnerability CI
|
||
|
||
# Controls when the workflow will run
|
||
on:
|
||
pull_request:
|
||
types: [labeled, unlabeled, closed]
|
||
|
||
# Allows you to run this workflow manually from the Actions tab
|
||
workflow_dispatch:
|
||
|
||
# Schedule the workflow to run weekly every Monday at 5:30 AM UTC
|
||
|
||
schedule:
|
||
- cron: "30 5 * * 1"
|
||
|
||
jobs:
|
||
PeriodicVulnerability-CheckOn-frontend-code:
|
||
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
|
||
runs-on: ubuntu-latest
|
||
|
||
steps:
|
||
- name: Checkout repository
|
||
uses: actions/checkout@v3
|
||
with:
|
||
ref: refs/heads/lts-3.16
|
||
|
||
- name: Use Node.js 22.15.1
|
||
uses: actions/setup-node@v3
|
||
with:
|
||
node-version: 22.15.1
|
||
|
||
- name: Install dependencies
|
||
run: npm --prefix frontend install
|
||
|
||
- name: Running security audit (before fix)
|
||
run: npm --prefix frontend audit --json > Periodic-frontend-audit-before.json
|
||
continue-on-error: true
|
||
|
||
- name: Parse audit summary (before fix)
|
||
id: parse-audit-before
|
||
run: |
|
||
if [ -f Periodic-frontend-audit-before.json ]; then
|
||
vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-frontend-audit-before.json)
|
||
moderate=$(echo $vulnerabilities | jq '.moderate')
|
||
high=$(echo $vulnerabilities | jq '.high')
|
||
critical=$(echo $vulnerabilities | jq '.critical')
|
||
echo "moderate=$moderate" >> $GITHUB_OUTPUT
|
||
echo "high=$high" >> $GITHUB_OUTPUT
|
||
echo "critical=$critical" >> $GITHUB_OUTPUT
|
||
else
|
||
echo "moderate=0" >> $GITHUB_OUTPUT
|
||
echo "high=0" >> $GITHUB_OUTPUT
|
||
echo "critical=0" >> $GITHUB_OUTPUT
|
||
fi
|
||
|
||
- name: Attempt to fix vulnerabilities
|
||
run: npm --prefix frontend audit fix
|
||
continue-on-error: true
|
||
|
||
- name: Running security audit (after fix)
|
||
run: npm --prefix frontend audit --json > Periodic-frontend-audit.json
|
||
continue-on-error: true
|
||
|
||
- name: Parse audit summary (after fix)
|
||
id: parse-audit
|
||
run: |
|
||
if [ -f Periodic-frontend-audit.json ]; then
|
||
vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-frontend-audit.json)
|
||
moderate=$(echo $vulnerabilities | jq '.moderate')
|
||
high=$(echo $vulnerabilities | jq '.high')
|
||
critical=$(echo $vulnerabilities | jq '.critical')
|
||
echo "moderate=$moderate" >> $GITHUB_OUTPUT
|
||
echo "high=$high" >> $GITHUB_OUTPUT
|
||
echo "critical=$critical" >> $GITHUB_OUTPUT
|
||
else
|
||
echo "moderate=0" >> $GITHUB_OUTPUT
|
||
echo "high=0" >> $GITHUB_OUTPUT
|
||
echo "critical=0" >> $GITHUB_OUTPUT
|
||
fi
|
||
|
||
- name: Check for changes
|
||
id: check-changes
|
||
run: |
|
||
git add frontend/package-lock.json
|
||
if git diff --staged --quiet; then
|
||
echo "has_changes=false" >> $GITHUB_OUTPUT
|
||
else
|
||
echo "has_changes=true" >> $GITHUB_OUTPUT
|
||
fi
|
||
|
||
- name: Create Pull Request
|
||
if: steps.check-changes.outputs.has_changes == 'true'
|
||
id: create-pr
|
||
uses: peter-evans/create-pull-request@v5
|
||
with:
|
||
token: ${{ secrets.GITHUB_TOKEN }}
|
||
add-paths: |
|
||
frontend/package-lock.json
|
||
commit-message: "fix: automated security fixes for frontend dependencies"
|
||
branch: automated-security-fixes/frontend-${{ github.run_id }}
|
||
base: lts-3.16
|
||
title: "[Security] Automated Dependency Fixes - Frontend"
|
||
body: |
|
||
## Automated Security Fixes
|
||
|
||
This PR contains automated dependency updates generated via npm audit fix.
|
||
|
||
### Scope
|
||
Frontend
|
||
|
||
### Vulnerabilities
|
||
**Before:**
|
||
- Critical: ${{ steps.parse-audit-before.outputs.critical }}
|
||
- High: ${{ steps.parse-audit-before.outputs.high }}
|
||
- Moderate: ${{ steps.parse-audit-before.outputs.moderate }}
|
||
|
||
**After:**
|
||
- Critical: ${{ steps.parse-audit.outputs.critical }}
|
||
- High: ${{ steps.parse-audit.outputs.high }}
|
||
- Moderate: ${{ steps.parse-audit.outputs.moderate }}
|
||
|
||
⚠️ Some vulnerabilities may remain and require manual upgrades.
|
||
|
||
**Audit Report:** [Download Full Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
|
||
|
||
Generated by: Vulnerability CI
|
||
reviewers: kavinvenkatachalam,johnsoncherian
|
||
labels: security,automated
|
||
|
||
- name: Upload audit report
|
||
if: always()
|
||
uses: actions/upload-artifact@v4
|
||
with:
|
||
name: Periodic-frontend-audit-report
|
||
path: Periodic-frontend-audit.json
|
||
retention-days: 7
|
||
if-no-files-found: warn
|
||
|
||
- name: Determine notification color
|
||
id: determine-color
|
||
run: |
|
||
critical=${{ steps.parse-audit.outputs.critical }}
|
||
high=${{ steps.parse-audit.outputs.high }}
|
||
moderate=${{ steps.parse-audit.outputs.moderate }}
|
||
total=$((critical + high + moderate))
|
||
|
||
if [ "$critical" -gt 0 ]; then
|
||
echo "color=#FF0000" >> $GITHUB_OUTPUT
|
||
elif [ "$high" -gt 0 ]; then
|
||
echo "color=#FFA500" >> $GITHUB_OUTPUT
|
||
else
|
||
echo "color=#FFD700" >> $GITHUB_OUTPUT
|
||
fi
|
||
|
||
echo "total=$total" >> $GITHUB_OUTPUT
|
||
|
||
- name: Send Slack Notification
|
||
run: |
|
||
PR_CREATED="${{ steps.check-changes.outputs.has_changes }}"
|
||
PR_URL="${{ steps.create-pr.outputs.pull-request-url }}"
|
||
|
||
if [ "$PR_CREATED" == "true" ]; then
|
||
PR_SECTION=' ,
|
||
{
|
||
"type": "section",
|
||
"text": {
|
||
"type": "mrkdwn",
|
||
"text": "🔧 *Automated Fix PR Created*"
|
||
}
|
||
},
|
||
{
|
||
"type": "section",
|
||
"text": {
|
||
"type": "mrkdwn",
|
||
"text": "<PR_URL_PLACEHOLDER|View Pull Request>"
|
||
}
|
||
},
|
||
{
|
||
"type": "section",
|
||
"fields": [
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Before:*\\nCritical: BEFORE_CRITICAL | High: BEFORE_HIGH | Moderate: BEFORE_MODERATE"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*After:*\\nCritical: AFTER_CRITICAL | High: AFTER_HIGH | Moderate: AFTER_MODERATE"
|
||
}
|
||
]
|
||
}'
|
||
PR_SECTION="${PR_SECTION//PR_URL_PLACEHOLDER/$PR_URL}"
|
||
PR_SECTION="${PR_SECTION//BEFORE_CRITICAL/${{ steps.parse-audit-before.outputs.critical }}}"
|
||
PR_SECTION="${PR_SECTION//BEFORE_HIGH/${{ steps.parse-audit-before.outputs.high }}}"
|
||
PR_SECTION="${PR_SECTION//BEFORE_MODERATE/${{ steps.parse-audit-before.outputs.moderate }}}"
|
||
PR_SECTION="${PR_SECTION//AFTER_CRITICAL/${{ steps.parse-audit.outputs.critical }}}"
|
||
PR_SECTION="${PR_SECTION//AFTER_HIGH/${{ steps.parse-audit.outputs.high }}}"
|
||
PR_SECTION="${PR_SECTION//AFTER_MODERATE/${{ steps.parse-audit.outputs.moderate }}}"
|
||
else
|
||
PR_SECTION=' ,
|
||
{
|
||
"type": "section",
|
||
"text": {
|
||
"type": "mrkdwn",
|
||
"text": "ℹ️ *No auto-fixable vulnerabilities found*"
|
||
}
|
||
}'
|
||
fi
|
||
|
||
payload=$(cat <<EOF
|
||
{
|
||
"attachments": [
|
||
{
|
||
"color": "${{ steps.determine-color.outputs.color }}",
|
||
"blocks": [
|
||
{
|
||
"type": "header",
|
||
"text": {
|
||
"type": "plain_text",
|
||
"text": "🔒 Periodic Security Audit Report",
|
||
"emoji": true
|
||
}
|
||
},
|
||
{
|
||
"type": "section",
|
||
"fields": [
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Repository:*\\n${{ github.repository }}"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Directory:*\\nFrontend"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Branch:*\\nlts-3.16"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Scan Time:*\\n$(date -u +"%Y-%m-%d %H:%M UTC")"
|
||
}
|
||
]
|
||
},
|
||
{
|
||
"type": "divider"
|
||
},
|
||
{
|
||
"type": "section",
|
||
"text": {
|
||
"type": "mrkdwn",
|
||
"text": "*Node Module Vulnerabilities:*"
|
||
}
|
||
},
|
||
{
|
||
"type": "section",
|
||
"fields": [
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "🔴 *Critical:*\\n${{ steps.parse-audit.outputs.critical }}"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "🟠 *High:*\\n${{ steps.parse-audit.outputs.high }}"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "🟡 *Moderate:*\\n${{ steps.parse-audit.outputs.moderate }}"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "📊 *Total:*\\n${{ steps.determine-color.outputs.total }}"
|
||
}
|
||
]
|
||
}${PR_SECTION},
|
||
{
|
||
"type": "divider"
|
||
},
|
||
{
|
||
"type": "actions",
|
||
"elements": [
|
||
{
|
||
"type": "button",
|
||
"text": {
|
||
"type": "plain_text",
|
||
"text": "📥 Download Full Report",
|
||
"emoji": true
|
||
},
|
||
"url": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}",
|
||
"style": "primary"
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
EOF
|
||
)
|
||
|
||
response=$(curl -s -w "%{http_code}" -X POST \
|
||
-H 'Content-type: application/json' \
|
||
--data "$payload" \
|
||
"${{ secrets.SLACK_WEBHOOK_URL_VUR }}")
|
||
|
||
http_code="${response: -3}"
|
||
if [ "$http_code" != "200" ]; then
|
||
echo "Slack notification failed with HTTP $http_code"
|
||
exit 1
|
||
fi
|
||
|
||
echo "Slack notification sent successfully"
|
||
|
||
PeriodicVulnerability-CheckOn-server-code:
|
||
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
|
||
runs-on: ubuntu-latest
|
||
|
||
steps:
|
||
- name: Checkout repository
|
||
uses: actions/checkout@v3
|
||
with:
|
||
ref: refs/heads/lts-3.16
|
||
|
||
- name: Use Node.js 22.15.1
|
||
uses: actions/setup-node@v3
|
||
with:
|
||
node-version: 22.15.1
|
||
|
||
- name: Install dependencies
|
||
run: npm --prefix server install
|
||
|
||
- name: Running security audit (before fix)
|
||
run: npm --prefix server audit --json > Periodic-server-audit-before.json
|
||
continue-on-error: true
|
||
|
||
- name: Parse audit summary (before fix)
|
||
id: parse-audit-before
|
||
run: |
|
||
if [ -f Periodic-server-audit-before.json ]; then
|
||
vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-server-audit-before.json)
|
||
moderate=$(echo $vulnerabilities | jq '.moderate')
|
||
high=$(echo $vulnerabilities | jq '.high')
|
||
critical=$(echo $vulnerabilities | jq '.critical')
|
||
echo "moderate=$moderate" >> $GITHUB_OUTPUT
|
||
echo "high=$high" >> $GITHUB_OUTPUT
|
||
echo "critical=$critical" >> $GITHUB_OUTPUT
|
||
else
|
||
echo "moderate=0" >> $GITHUB_OUTPUT
|
||
echo "high=0" >> $GITHUB_OUTPUT
|
||
echo "critical=0" >> $GITHUB_OUTPUT
|
||
fi
|
||
|
||
- name: Attempt to fix vulnerabilities
|
||
run: npm --prefix server audit fix
|
||
continue-on-error: true
|
||
|
||
- name: Running security audit (after fix)
|
||
run: npm --prefix server audit --json > Periodic-server-audit.json
|
||
continue-on-error: true
|
||
|
||
- name: Parse audit summary (after fix)
|
||
id: parse-audit
|
||
run: |
|
||
if [ -f Periodic-server-audit.json ]; then
|
||
vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-server-audit.json)
|
||
moderate=$(echo $vulnerabilities | jq '.moderate')
|
||
high=$(echo $vulnerabilities | jq '.high')
|
||
critical=$(echo $vulnerabilities | jq '.critical')
|
||
echo "moderate=$moderate" >> $GITHUB_OUTPUT
|
||
echo "high=$high" >> $GITHUB_OUTPUT
|
||
echo "critical=$critical" >> $GITHUB_OUTPUT
|
||
else
|
||
echo "moderate=0" >> $GITHUB_OUTPUT
|
||
echo "high=0" >> $GITHUB_OUTPUT
|
||
echo "critical=0" >> $GITHUB_OUTPUT
|
||
fi
|
||
|
||
- name: Check for changes
|
||
id: check-changes
|
||
run: |
|
||
git add server/package-lock.json
|
||
if git diff --staged --quiet; then
|
||
echo "has_changes=false" >> $GITHUB_OUTPUT
|
||
else
|
||
echo "has_changes=true" >> $GITHUB_OUTPUT
|
||
fi
|
||
|
||
- name: Create Pull Request
|
||
if: steps.check-changes.outputs.has_changes == 'true'
|
||
id: create-pr
|
||
uses: peter-evans/create-pull-request@v5
|
||
with:
|
||
token: ${{ secrets.GITHUB_TOKEN }}
|
||
add-paths: |
|
||
server/package-lock.json
|
||
commit-message: "fix: automated security fixes for server dependencies"
|
||
branch: automated-security-fixes/server-${{ github.run_id }}
|
||
base: lts-3.16
|
||
title: "[Security] Automated Dependency Fixes - Server"
|
||
body: |
|
||
## Automated Security Fixes
|
||
|
||
This PR contains automated dependency updates generated via npm audit fix.
|
||
|
||
### Scope
|
||
Server
|
||
|
||
### Vulnerabilities
|
||
**Before:**
|
||
- Critical: ${{ steps.parse-audit-before.outputs.critical }}
|
||
- High: ${{ steps.parse-audit-before.outputs.high }}
|
||
- Moderate: ${{ steps.parse-audit-before.outputs.moderate }}
|
||
|
||
**After:**
|
||
- Critical: ${{ steps.parse-audit.outputs.critical }}
|
||
- High: ${{ steps.parse-audit.outputs.high }}
|
||
- Moderate: ${{ steps.parse-audit.outputs.moderate }}
|
||
|
||
⚠️ Some vulnerabilities may remain and require manual upgrades.
|
||
|
||
**Audit Report:** [Download Full Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
|
||
|
||
Generated by: Vulnerability CI
|
||
reviewers: gsmithun4
|
||
labels: security,automated
|
||
|
||
- name: Upload audit report
|
||
if: always()
|
||
uses: actions/upload-artifact@v4
|
||
with:
|
||
name: Periodic-server-audit-report
|
||
path: Periodic-server-audit.json
|
||
retention-days: 7
|
||
if-no-files-found: warn
|
||
|
||
- name: Determine notification color
|
||
id: determine-color
|
||
run: |
|
||
critical=${{ steps.parse-audit.outputs.critical }}
|
||
high=${{ steps.parse-audit.outputs.high }}
|
||
moderate=${{ steps.parse-audit.outputs.moderate }}
|
||
total=$((critical + high + moderate))
|
||
|
||
if [ "$critical" -gt 0 ]; then
|
||
echo "color=#FF0000" >> $GITHUB_OUTPUT
|
||
elif [ "$high" -gt 0 ]; then
|
||
echo "color=#FFA500" >> $GITHUB_OUTPUT
|
||
else
|
||
echo "color=#FFD700" >> $GITHUB_OUTPUT
|
||
fi
|
||
|
||
echo "total=$total" >> $GITHUB_OUTPUT
|
||
|
||
- name: Send Slack Notification
|
||
run: |
|
||
PR_CREATED="${{ steps.check-changes.outputs.has_changes }}"
|
||
PR_URL="${{ steps.create-pr.outputs.pull-request-url }}"
|
||
|
||
if [ "$PR_CREATED" == "true" ]; then
|
||
PR_SECTION=' ,
|
||
{
|
||
"type": "section",
|
||
"text": {
|
||
"type": "mrkdwn",
|
||
"text": "🔧 *Automated Fix PR Created*"
|
||
}
|
||
},
|
||
{
|
||
"type": "section",
|
||
"text": {
|
||
"type": "mrkdwn",
|
||
"text": "<PR_URL_PLACEHOLDER|View Pull Request>"
|
||
}
|
||
},
|
||
{
|
||
"type": "section",
|
||
"fields": [
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Before:*\\nCritical: BEFORE_CRITICAL | High: BEFORE_HIGH | Moderate: BEFORE_MODERATE"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*After:*\\nCritical: AFTER_CRITICAL | High: AFTER_HIGH | Moderate: AFTER_MODERATE"
|
||
}
|
||
]
|
||
}'
|
||
PR_SECTION="${PR_SECTION//PR_URL_PLACEHOLDER/$PR_URL}"
|
||
PR_SECTION="${PR_SECTION//BEFORE_CRITICAL/${{ steps.parse-audit-before.outputs.critical }}}"
|
||
PR_SECTION="${PR_SECTION//BEFORE_HIGH/${{ steps.parse-audit-before.outputs.high }}}"
|
||
PR_SECTION="${PR_SECTION//BEFORE_MODERATE/${{ steps.parse-audit-before.outputs.moderate }}}"
|
||
PR_SECTION="${PR_SECTION//AFTER_CRITICAL/${{ steps.parse-audit.outputs.critical }}}"
|
||
PR_SECTION="${PR_SECTION//AFTER_HIGH/${{ steps.parse-audit.outputs.high }}}"
|
||
PR_SECTION="${PR_SECTION//AFTER_MODERATE/${{ steps.parse-audit.outputs.moderate }}}"
|
||
else
|
||
PR_SECTION=' ,
|
||
{
|
||
"type": "section",
|
||
"text": {
|
||
"type": "mrkdwn",
|
||
"text": "ℹ️ *No auto-fixable vulnerabilities found*"
|
||
}
|
||
}'
|
||
fi
|
||
|
||
payload=$(cat <<EOF
|
||
{
|
||
"attachments": [
|
||
{
|
||
"color": "${{ steps.determine-color.outputs.color }}",
|
||
"blocks": [
|
||
{
|
||
"type": "header",
|
||
"text": {
|
||
"type": "plain_text",
|
||
"text": "🔒 Periodic Security Audit Report",
|
||
"emoji": true
|
||
}
|
||
},
|
||
{
|
||
"type": "section",
|
||
"fields": [
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Repository:*\\n${{ github.repository }}"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Directory:*\\nServer"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Branch:*\\nlts-3.16"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Scan Time:*\\n$(date -u +"%Y-%m-%d %H:%M UTC")"
|
||
}
|
||
]
|
||
},
|
||
{
|
||
"type": "divider"
|
||
},
|
||
{
|
||
"type": "section",
|
||
"text": {
|
||
"type": "mrkdwn",
|
||
"text": "*Node Module Vulnerabilities:*"
|
||
}
|
||
},
|
||
{
|
||
"type": "section",
|
||
"fields": [
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "🔴 *Critical:*\\n${{ steps.parse-audit.outputs.critical }}"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "🟠 *High:*\\n${{ steps.parse-audit.outputs.high }}"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "🟡 *Moderate:*\\n${{ steps.parse-audit.outputs.moderate }}"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "📊 *Total:*\\n${{ steps.determine-color.outputs.total }}"
|
||
}
|
||
]
|
||
}${PR_SECTION},
|
||
{
|
||
"type": "divider"
|
||
},
|
||
{
|
||
"type": "actions",
|
||
"elements": [
|
||
{
|
||
"type": "button",
|
||
"text": {
|
||
"type": "plain_text",
|
||
"text": "📥 Download Full Report",
|
||
"emoji": true
|
||
},
|
||
"url": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}",
|
||
"style": "primary"
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
EOF
|
||
)
|
||
|
||
response=$(curl -s -w "%{http_code}" -X POST \
|
||
-H 'Content-type: application/json' \
|
||
--data "$payload" \
|
||
"${{ secrets.SLACK_WEBHOOK_URL_VUR }}")
|
||
|
||
http_code="${response: -3}"
|
||
if [ "$http_code" != "200" ]; then
|
||
echo "Slack notification failed with HTTP $http_code"
|
||
exit 1
|
||
fi
|
||
|
||
echo "Slack notification sent successfully"
|
||
|
||
PeriodicVulnerability-CheckOn-marketplace-code:
|
||
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
|
||
runs-on: ubuntu-latest
|
||
|
||
steps:
|
||
- name: Checkout repository
|
||
uses: actions/checkout@v3
|
||
with:
|
||
ref: refs/heads/lts-3.16
|
||
|
||
- name: Use Node.js 22.15.1
|
||
uses: actions/setup-node@v3
|
||
with:
|
||
node-version: 22.15.1
|
||
|
||
- name: Install dependencies
|
||
run: npm --prefix marketplace install
|
||
|
||
- name: Running security audit
|
||
run: npm --prefix marketplace audit --json > Periodic-marketplace-audit.json
|
||
continue-on-error: true
|
||
|
||
- name: Parse audit summary
|
||
id: parse-audit
|
||
run: |
|
||
vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-marketplace-audit.json)
|
||
moderate=$(echo $vulnerabilities | jq '.moderate')
|
||
high=$(echo $vulnerabilities | jq '.high')
|
||
critical=$(echo $vulnerabilities | jq '.critical')
|
||
echo "moderate=$moderate" >> $GITHUB_OUTPUT
|
||
echo "high=$high" >> $GITHUB_OUTPUT
|
||
echo "critical=$critical" >> $GITHUB_OUTPUT
|
||
|
||
- name: Upload audit report
|
||
uses: actions/upload-artifact@v4
|
||
with:
|
||
name: Periodic-marketplace-audit-report
|
||
path: Periodic-marketplace-audit.json
|
||
retention-days: 7
|
||
|
||
- name: Determine notification color
|
||
id: determine-color
|
||
run: |
|
||
critical=${{ steps.parse-audit.outputs.critical }}
|
||
high=${{ steps.parse-audit.outputs.high }}
|
||
moderate=${{ steps.parse-audit.outputs.moderate }}
|
||
total=$((critical + high + moderate))
|
||
|
||
if [ "$critical" -gt 0 ]; then
|
||
echo "color=#FF0000" >> $GITHUB_OUTPUT
|
||
elif [ "$high" -gt 0 ]; then
|
||
echo "color=#FFA500" >> $GITHUB_OUTPUT
|
||
else
|
||
echo "color=#FFD700" >> $GITHUB_OUTPUT
|
||
fi
|
||
|
||
echo "total=$total" >> $GITHUB_OUTPUT
|
||
|
||
- name: Send Slack Notification
|
||
run: |
|
||
payload=$(cat <<EOF
|
||
{
|
||
"attachments": [
|
||
{
|
||
"color": "${{ steps.determine-color.outputs.color }}",
|
||
"blocks": [
|
||
{
|
||
"type": "header",
|
||
"text": {
|
||
"type": "plain_text",
|
||
"text": "🔒 Periodic Security Audit Report",
|
||
"emoji": true
|
||
}
|
||
},
|
||
{
|
||
"type": "section",
|
||
"fields": [
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Repository:*\\n${{ github.repository }}"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Directory:*\\nMarketplace"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Branch:*\\nlts-3.16"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Scan Time:*\\n$(date -u +"%Y-%m-%d %H:%M UTC")"
|
||
}
|
||
]
|
||
},
|
||
{
|
||
"type": "divider"
|
||
},
|
||
{
|
||
"type": "section",
|
||
"text": {
|
||
"type": "mrkdwn",
|
||
"text": "*Node Module Vulnerabilities:*"
|
||
}
|
||
},
|
||
{
|
||
"type": "section",
|
||
"fields": [
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "🔴 *Critical:*\\n${{ steps.parse-audit.outputs.critical }}"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "🟠 *High:*\\n${{ steps.parse-audit.outputs.high }}"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "🟡 *Moderate:*\\n${{ steps.parse-audit.outputs.moderate }}"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "📊 *Total:*\\n${{ steps.determine-color.outputs.total }}"
|
||
}
|
||
]
|
||
},
|
||
{
|
||
"type": "divider"
|
||
},
|
||
{
|
||
"type": "actions",
|
||
"elements": [
|
||
{
|
||
"type": "button",
|
||
"text": {
|
||
"type": "plain_text",
|
||
"text": "📥 Download Full Report",
|
||
"emoji": true
|
||
},
|
||
"url": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}",
|
||
"style": "primary"
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
EOF
|
||
)
|
||
|
||
response=$(curl -s -w "%{http_code}" -X POST \
|
||
-H 'Content-type: application/json' \
|
||
--data "$payload" \
|
||
"${{ secrets.SLACK_WEBHOOK_URL_VUR }}")
|
||
|
||
http_code="${response: -3}"
|
||
if [ "$http_code" != "200" ]; then
|
||
echo "Slack notification failed with HTTP $http_code"
|
||
exit 1
|
||
fi
|
||
|
||
echo "Slack notification sent successfully"
|
||
|
||
PeriodicVulnerability-CheckOn-plugins-code:
|
||
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
|
||
runs-on: ubuntu-latest
|
||
|
||
steps:
|
||
- name: Checkout repository
|
||
uses: actions/checkout@v3
|
||
with:
|
||
ref: refs/heads/main
|
||
|
||
- name: Use Node.js 22.15.1
|
||
uses: actions/setup-node@v3
|
||
with:
|
||
node-version: 22.15.1
|
||
|
||
- name: Install dependencies
|
||
run: npm --prefix plugins install
|
||
|
||
- name: Running security audit (before fix)
|
||
run: npm --prefix plugins audit --json > Periodic-plugins-audit-before.json
|
||
continue-on-error: true
|
||
|
||
- name: Parse audit summary (before fix)
|
||
id: parse-audit-before
|
||
run: |
|
||
if [ -f Periodic-plugins-audit-before.json ]; then
|
||
vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-plugins-audit-before.json)
|
||
moderate=$(echo $vulnerabilities | jq '.moderate')
|
||
high=$(echo $vulnerabilities | jq '.high')
|
||
critical=$(echo $vulnerabilities | jq '.critical')
|
||
echo "moderate=$moderate" >> $GITHUB_OUTPUT
|
||
echo "high=$high" >> $GITHUB_OUTPUT
|
||
echo "critical=$critical" >> $GITHUB_OUTPUT
|
||
else
|
||
echo "moderate=0" >> $GITHUB_OUTPUT
|
||
echo "high=0" >> $GITHUB_OUTPUT
|
||
echo "critical=0" >> $GITHUB_OUTPUT
|
||
fi
|
||
|
||
- name: Attempt to fix vulnerabilities
|
||
run: npm --prefix plugins audit fix
|
||
continue-on-error: true
|
||
|
||
- name: Running security audit (after fix)
|
||
run: npm --prefix plugins audit --json > Periodic-plugins-audit.json
|
||
continue-on-error: true
|
||
|
||
- name: Parse audit summary (after fix)
|
||
id: parse-audit
|
||
run: |
|
||
if [ -f Periodic-plugins-audit.json ]; then
|
||
vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-plugins-audit.json)
|
||
moderate=$(echo $vulnerabilities | jq '.moderate')
|
||
high=$(echo $vulnerabilities | jq '.high')
|
||
critical=$(echo $vulnerabilities | jq '.critical')
|
||
echo "moderate=$moderate" >> $GITHUB_OUTPUT
|
||
echo "high=$high" >> $GITHUB_OUTPUT
|
||
echo "critical=$critical" >> $GITHUB_OUTPUT
|
||
else
|
||
echo "moderate=0" >> $GITHUB_OUTPUT
|
||
echo "high=0" >> $GITHUB_OUTPUT
|
||
echo "critical=0" >> $GITHUB_OUTPUT
|
||
fi
|
||
|
||
- name: Check for changes
|
||
id: check-changes
|
||
run: |
|
||
git add plugins/package-lock.json
|
||
if git diff --staged --quiet; then
|
||
echo "has_changes=false" >> $GITHUB_OUTPUT
|
||
else
|
||
echo "has_changes=true" >> $GITHUB_OUTPUT
|
||
fi
|
||
|
||
- name: Create Pull Request
|
||
if: steps.check-changes.outputs.has_changes == 'true'
|
||
id: create-pr
|
||
uses: peter-evans/create-pull-request@v5
|
||
with:
|
||
token: ${{ secrets.GITHUB_TOKEN }}
|
||
add-paths: |
|
||
plugins/package-lock.json
|
||
commit-message: "fix: automated security fixes for plugins dependencies"
|
||
branch: automated-security-fixes/plugins-${{ github.run_id }}
|
||
base: main
|
||
title: "[Security] Automated Dependency Fixes - Plugins"
|
||
body: |
|
||
## Automated Security Fixes
|
||
|
||
This PR contains automated dependency updates generated via npm audit fix.
|
||
|
||
### Scope
|
||
Plugins
|
||
|
||
### Vulnerabilities
|
||
**Before:**
|
||
- Critical: ${{ steps.parse-audit-before.outputs.critical }}
|
||
- High: ${{ steps.parse-audit-before.outputs.high }}
|
||
- Moderate: ${{ steps.parse-audit-before.outputs.moderate }}
|
||
|
||
**After:**
|
||
- Critical: ${{ steps.parse-audit.outputs.critical }}
|
||
- High: ${{ steps.parse-audit.outputs.high }}
|
||
- Moderate: ${{ steps.parse-audit.outputs.moderate }}
|
||
|
||
⚠️ Some vulnerabilities may remain and require manual upgrades.
|
||
|
||
**Audit Report:** [Download Full Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
|
||
|
||
Generated by: Vulnerability CI
|
||
reviewers: gsmithun4
|
||
labels: security,automated
|
||
|
||
- name: Upload audit report
|
||
if: always()
|
||
uses: actions/upload-artifact@v4
|
||
with:
|
||
name: Periodic-plugins-audit-report
|
||
path: Periodic-plugins-audit.json
|
||
retention-days: 7
|
||
if-no-files-found: warn
|
||
|
||
- name: Determine notification color
|
||
id: determine-color
|
||
run: |
|
||
critical=${{ steps.parse-audit.outputs.critical }}
|
||
high=${{ steps.parse-audit.outputs.high }}
|
||
moderate=${{ steps.parse-audit.outputs.moderate }}
|
||
total=$((critical + high + moderate))
|
||
|
||
if [ "$critical" -gt 0 ]; then
|
||
echo "color=#FF0000" >> $GITHUB_OUTPUT
|
||
elif [ "$high" -gt 0 ]; then
|
||
echo "color=#FFA500" >> $GITHUB_OUTPUT
|
||
else
|
||
echo "color=#FFD700" >> $GITHUB_OUTPUT
|
||
fi
|
||
|
||
echo "total=$total" >> $GITHUB_OUTPUT
|
||
|
||
- name: Send Slack Notification
|
||
run: |
|
||
PR_CREATED="${{ steps.check-changes.outputs.has_changes }}"
|
||
PR_URL="${{ steps.create-pr.outputs.pull-request-url }}"
|
||
|
||
if [ "$PR_CREATED" == "true" ]; then
|
||
PR_SECTION=' ,
|
||
{
|
||
"type": "section",
|
||
"text": {
|
||
"type": "mrkdwn",
|
||
"text": "🔧 *Automated Fix PR Created*"
|
||
}
|
||
},
|
||
{
|
||
"type": "section",
|
||
"text": {
|
||
"type": "mrkdwn",
|
||
"text": "<PR_URL_PLACEHOLDER|View Pull Request>"
|
||
}
|
||
},
|
||
{
|
||
"type": "section",
|
||
"fields": [
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Before:*\\nCritical: BEFORE_CRITICAL | High: BEFORE_HIGH | Moderate: BEFORE_MODERATE"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*After:*\\nCritical: AFTER_CRITICAL | High: AFTER_HIGH | Moderate: AFTER_MODERATE"
|
||
}
|
||
]
|
||
}'
|
||
PR_SECTION="${PR_SECTION//PR_URL_PLACEHOLDER/$PR_URL}"
|
||
PR_SECTION="${PR_SECTION//BEFORE_CRITICAL/${{ steps.parse-audit-before.outputs.critical }}}"
|
||
PR_SECTION="${PR_SECTION//BEFORE_HIGH/${{ steps.parse-audit-before.outputs.high }}}"
|
||
PR_SECTION="${PR_SECTION//BEFORE_MODERATE/${{ steps.parse-audit-before.outputs.moderate }}}"
|
||
PR_SECTION="${PR_SECTION//AFTER_CRITICAL/${{ steps.parse-audit.outputs.critical }}}"
|
||
PR_SECTION="${PR_SECTION//AFTER_HIGH/${{ steps.parse-audit.outputs.high }}}"
|
||
PR_SECTION="${PR_SECTION//AFTER_MODERATE/${{ steps.parse-audit.outputs.moderate }}}"
|
||
else
|
||
PR_SECTION=' ,
|
||
{
|
||
"type": "section",
|
||
"text": {
|
||
"type": "mrkdwn",
|
||
"text": "ℹ️ *No auto-fixable vulnerabilities found*"
|
||
}
|
||
}'
|
||
fi
|
||
|
||
payload=$(cat <<EOF
|
||
{
|
||
"attachments": [
|
||
{
|
||
"color": "${{ steps.determine-color.outputs.color }}",
|
||
"blocks": [
|
||
{
|
||
"type": "header",
|
||
"text": {
|
||
"type": "plain_text",
|
||
"text": "🔒 Periodic Security Audit Report",
|
||
"emoji": true
|
||
}
|
||
},
|
||
{
|
||
"type": "section",
|
||
"fields": [
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Repository:*\\n${{ github.repository }}"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Directory:*\\nPlugins"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Branch:*\\nmain"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Scan Time:*\\n$(date -u +"%Y-%m-%d %H:%M UTC")"
|
||
}
|
||
]
|
||
},
|
||
{
|
||
"type": "divider"
|
||
},
|
||
{
|
||
"type": "section",
|
||
"text": {
|
||
"type": "mrkdwn",
|
||
"text": "*Node Module Vulnerabilities:*"
|
||
}
|
||
},
|
||
{
|
||
"type": "section",
|
||
"fields": [
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "🔴 *Critical:*\\n${{ steps.parse-audit.outputs.critical }}"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "🟠 *High:*\\n${{ steps.parse-audit.outputs.high }}"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "🟡 *Moderate:*\\n${{ steps.parse-audit.outputs.moderate }}"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "📊 *Total:*\\n${{ steps.determine-color.outputs.total }}"
|
||
}
|
||
]
|
||
}${PR_SECTION},
|
||
{
|
||
"type": "divider"
|
||
},
|
||
{
|
||
"type": "actions",
|
||
"elements": [
|
||
{
|
||
"type": "button",
|
||
"text": {
|
||
"type": "plain_text",
|
||
"text": "📥 Download Full Report",
|
||
"emoji": true
|
||
},
|
||
"url": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}",
|
||
"style": "primary"
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
EOF
|
||
)
|
||
|
||
response=$(curl -s -w "%{http_code}" -X POST \
|
||
-H 'Content-type: application/json' \
|
||
--data "$payload" \
|
||
"${{ secrets.SLACK_WEBHOOK_URL_VUR }}")
|
||
|
||
http_code="${response: -3}"
|
||
if [ "$http_code" != "200" ]; then
|
||
echo "Slack notification failed with HTTP $http_code"
|
||
exit 1
|
||
fi
|
||
|
||
echo "Slack notification sent successfully"
|
||
|
||
PeriodicVulnerability-CheckOn-root-code:
|
||
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
|
||
runs-on: ubuntu-latest
|
||
|
||
steps:
|
||
- name: Checkout repository
|
||
uses: actions/checkout@v3
|
||
with:
|
||
ref: refs/heads/lts-3.16
|
||
|
||
- name: Use Node.js 22.15.1
|
||
uses: actions/setup-node@v3
|
||
with:
|
||
node-version: 22.15.1
|
||
|
||
- name: Install dependencies
|
||
run: npm install
|
||
|
||
- name: Running security audit (before fix)
|
||
run: npm audit --json > Periodic-root-audit-before.json
|
||
continue-on-error: true
|
||
|
||
- name: Parse audit summary (before fix)
|
||
id: parse-audit-before
|
||
run: |
|
||
if [ -f Periodic-root-audit-before.json ]; then
|
||
vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-root-audit-before.json)
|
||
moderate=$(echo $vulnerabilities | jq '.moderate')
|
||
high=$(echo $vulnerabilities | jq '.high')
|
||
critical=$(echo $vulnerabilities | jq '.critical')
|
||
echo "moderate=$moderate" >> $GITHUB_OUTPUT
|
||
echo "high=$high" >> $GITHUB_OUTPUT
|
||
echo "critical=$critical" >> $GITHUB_OUTPUT
|
||
else
|
||
echo "moderate=0" >> $GITHUB_OUTPUT
|
||
echo "high=0" >> $GITHUB_OUTPUT
|
||
echo "critical=0" >> $GITHUB_OUTPUT
|
||
fi
|
||
|
||
- name: Attempt to fix vulnerabilities
|
||
run: npm audit fix
|
||
continue-on-error: true
|
||
|
||
- name: Running security audit (after fix)
|
||
run: npm audit --json > Periodic-root-audit.json
|
||
continue-on-error: true
|
||
|
||
- name: Parse audit summary (after fix)
|
||
id: parse-audit
|
||
run: |
|
||
if [ -f Periodic-root-audit.json ]; then
|
||
vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-root-audit.json)
|
||
moderate=$(echo $vulnerabilities | jq '.moderate')
|
||
high=$(echo $vulnerabilities | jq '.high')
|
||
critical=$(echo $vulnerabilities | jq '.critical')
|
||
echo "moderate=$moderate" >> $GITHUB_OUTPUT
|
||
echo "high=$high" >> $GITHUB_OUTPUT
|
||
echo "critical=$critical" >> $GITHUB_OUTPUT
|
||
else
|
||
echo "moderate=0" >> $GITHUB_OUTPUT
|
||
echo "high=0" >> $GITHUB_OUTPUT
|
||
echo "critical=0" >> $GITHUB_OUTPUT
|
||
fi
|
||
|
||
- name: Check for changes
|
||
id: check-changes
|
||
run: |
|
||
git add package-lock.json
|
||
if git diff --staged --quiet; then
|
||
echo "has_changes=false" >> $GITHUB_OUTPUT
|
||
else
|
||
echo "has_changes=true" >> $GITHUB_OUTPUT
|
||
fi
|
||
|
||
- name: Create Pull Request
|
||
if: steps.check-changes.outputs.has_changes == 'true'
|
||
id: create-pr
|
||
uses: peter-evans/create-pull-request@v5
|
||
with:
|
||
token: ${{ secrets.GITHUB_TOKEN }}
|
||
add-paths: |
|
||
package-lock.json
|
||
commit-message: "fix: automated security fixes for root dependencies"
|
||
branch: automated-security-fixes/root-${{ github.run_id }}
|
||
base: lts-3.16
|
||
title: "[Security] Automated Dependency Fixes - Root"
|
||
body: |
|
||
## Automated Security Fixes
|
||
|
||
This PR contains automated dependency updates generated via npm audit fix.
|
||
|
||
### Scope
|
||
Root
|
||
|
||
### Vulnerabilities
|
||
**Before:**
|
||
- Critical: ${{ steps.parse-audit-before.outputs.critical }}
|
||
- High: ${{ steps.parse-audit-before.outputs.high }}
|
||
- Moderate: ${{ steps.parse-audit-before.outputs.moderate }}
|
||
|
||
**After:**
|
||
- Critical: ${{ steps.parse-audit.outputs.critical }}
|
||
- High: ${{ steps.parse-audit.outputs.high }}
|
||
- Moderate: ${{ steps.parse-audit.outputs.moderate }}
|
||
|
||
⚠️ Some vulnerabilities may remain and require manual upgrades.
|
||
|
||
**Audit Report:** [Download Full Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
|
||
|
||
Generated by: Vulnerability CI
|
||
reviewers: gsmithun4
|
||
labels: security,automated
|
||
|
||
- name: Upload audit report
|
||
if: always()
|
||
uses: actions/upload-artifact@v4
|
||
with:
|
||
name: Periodic-root-audit-report
|
||
path: Periodic-root-audit.json
|
||
retention-days: 7
|
||
if-no-files-found: warn
|
||
|
||
- name: Determine notification color
|
||
id: determine-color
|
||
run: |
|
||
critical=${{ steps.parse-audit.outputs.critical }}
|
||
high=${{ steps.parse-audit.outputs.high }}
|
||
moderate=${{ steps.parse-audit.outputs.moderate }}
|
||
total=$((critical + high + moderate))
|
||
|
||
if [ "$critical" -gt 0 ]; then
|
||
echo "color=#FF0000" >> $GITHUB_OUTPUT
|
||
elif [ "$high" -gt 0 ]; then
|
||
echo "color=#FFA500" >> $GITHUB_OUTPUT
|
||
else
|
||
echo "color=#FFD700" >> $GITHUB_OUTPUT
|
||
fi
|
||
|
||
echo "total=$total" >> $GITHUB_OUTPUT
|
||
|
||
- name: Send Slack Notification
|
||
run: |
|
||
PR_CREATED="${{ steps.check-changes.outputs.has_changes }}"
|
||
PR_URL="${{ steps.create-pr.outputs.pull-request-url }}"
|
||
|
||
if [ "$PR_CREATED" == "true" ]; then
|
||
PR_SECTION=' ,
|
||
{
|
||
"type": "section",
|
||
"text": {
|
||
"type": "mrkdwn",
|
||
"text": "🔧 *Automated Fix PR Created*"
|
||
}
|
||
},
|
||
{
|
||
"type": "section",
|
||
"text": {
|
||
"type": "mrkdwn",
|
||
"text": "<PR_URL_PLACEHOLDER|View Pull Request>"
|
||
}
|
||
},
|
||
{
|
||
"type": "section",
|
||
"fields": [
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Before:*\\nCritical: BEFORE_CRITICAL | High: BEFORE_HIGH | Moderate: BEFORE_MODERATE"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*After:*\\nCritical: AFTER_CRITICAL | High: AFTER_HIGH | Moderate: AFTER_MODERATE"
|
||
}
|
||
]
|
||
}'
|
||
PR_SECTION="${PR_SECTION//PR_URL_PLACEHOLDER/$PR_URL}"
|
||
PR_SECTION="${PR_SECTION//BEFORE_CRITICAL/${{ steps.parse-audit-before.outputs.critical }}}"
|
||
PR_SECTION="${PR_SECTION//BEFORE_HIGH/${{ steps.parse-audit-before.outputs.high }}}"
|
||
PR_SECTION="${PR_SECTION//BEFORE_MODERATE/${{ steps.parse-audit-before.outputs.moderate }}}"
|
||
PR_SECTION="${PR_SECTION//AFTER_CRITICAL/${{ steps.parse-audit.outputs.critical }}}"
|
||
PR_SECTION="${PR_SECTION//AFTER_HIGH/${{ steps.parse-audit.outputs.high }}}"
|
||
PR_SECTION="${PR_SECTION//AFTER_MODERATE/${{ steps.parse-audit.outputs.moderate }}}"
|
||
else
|
||
PR_SECTION=' ,
|
||
{
|
||
"type": "section",
|
||
"text": {
|
||
"type": "mrkdwn",
|
||
"text": "ℹ️ *No auto-fixable vulnerabilities found*"
|
||
}
|
||
}'
|
||
fi
|
||
|
||
payload=$(cat <<EOF
|
||
{
|
||
"attachments": [
|
||
{
|
||
"color": "${{ steps.determine-color.outputs.color }}",
|
||
"blocks": [
|
||
{
|
||
"type": "header",
|
||
"text": {
|
||
"type": "plain_text",
|
||
"text": "🔒 Periodic Security Audit Report",
|
||
"emoji": true
|
||
}
|
||
},
|
||
{
|
||
"type": "section",
|
||
"fields": [
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Repository:*\\n${{ github.repository }}"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Directory:*\\nRoot"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Branch:*\\nlts-3.16"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "*Scan Time:*\\n$(date -u +"%Y-%m-%d %H:%M UTC")"
|
||
}
|
||
]
|
||
},
|
||
{
|
||
"type": "divider"
|
||
},
|
||
{
|
||
"type": "section",
|
||
"text": {
|
||
"type": "mrkdwn",
|
||
"text": "*Node Module Vulnerabilities:*"
|
||
}
|
||
},
|
||
{
|
||
"type": "section",
|
||
"fields": [
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "🔴 *Critical:*\\n${{ steps.parse-audit.outputs.critical }}"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "🟠 *High:*\\n${{ steps.parse-audit.outputs.high }}"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "🟡 *Moderate:*\\n${{ steps.parse-audit.outputs.moderate }}"
|
||
},
|
||
{
|
||
"type": "mrkdwn",
|
||
"text": "📊 *Total:*\\n${{ steps.determine-color.outputs.total }}"
|
||
}
|
||
]
|
||
}${PR_SECTION},
|
||
{
|
||
"type": "divider"
|
||
},
|
||
{
|
||
"type": "actions",
|
||
"elements": [
|
||
{
|
||
"type": "button",
|
||
"text": {
|
||
"type": "plain_text",
|
||
"text": "📥 Download Full Report",
|
||
"emoji": true
|
||
},
|
||
"url": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}",
|
||
"style": "primary"
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
EOF
|
||
)
|
||
|
||
response=$(curl -s -w "%{http_code}" -X POST \
|
||
-H 'Content-type: application/json' \
|
||
--data "$payload" \
|
||
"${{ secrets.SLACK_WEBHOOK_URL_VUR }}")
|
||
|
||
http_code="${response: -3}"
|
||
if [ "$http_code" != "200" ]; then
|
||
echo "Slack notification failed with HTTP $http_code"
|
||
exit 1
|
||
fi
|
||
|
||
echo "Slack notification sent successfully"
|
||
|
||
ManualVulnerability-CheckOn-frontend-code:
|
||
if: ${{ github.event.action == 'labeled' && (github.event.label.name == 'frontend-vulnerability' || github.event.label.name == 'check-vulnerability') }}
|
||
runs-on: ubuntu-latest
|
||
|
||
steps:
|
||
- name: Checkout repository
|
||
uses: actions/checkout@v3
|
||
with:
|
||
ref: ${{ github.event.pull_request.head.ref }}
|
||
|
||
- name: Use Node.js 22.15.1
|
||
uses: actions/setup-node@v3
|
||
with:
|
||
node-version: 22.15.1
|
||
|
||
- name: Install dependencies
|
||
run: npm --prefix frontend install
|
||
|
||
- name: Running security audit
|
||
run: npm --prefix frontend audit --json > frontend-audit.json
|
||
continue-on-error: true
|
||
|
||
- name: Parse audit summary
|
||
id: parse-audit
|
||
run: |
|
||
vulnerabilities=$(jq '.metadata.vulnerabilities' frontend-audit.json)
|
||
moderate=$(echo $vulnerabilities | jq '.moderate')
|
||
high=$(echo $vulnerabilities | jq '.high')
|
||
critical=$(echo $vulnerabilities | jq '.critical')
|
||
echo "moderate=$moderate" >> $GITHUB_OUTPUT
|
||
echo "high=$high" >> $GITHUB_OUTPUT
|
||
echo "critical=$critical" >> $GITHUB_OUTPUT
|
||
|
||
- name: Upload audit report
|
||
if: always()
|
||
uses: actions/upload-artifact@v4
|
||
with:
|
||
name: frontend-audit-report
|
||
path: frontend-audit.json
|
||
retention-days: 7
|
||
if-no-files-found: warn
|
||
|
||
- name: Create or update PR comment
|
||
uses: peter-evans/create-or-update-comment@v1
|
||
with:
|
||
token: ${{ secrets.GITHUB_TOKEN }}
|
||
repository: ${{ github.repository }}
|
||
issue-number: ${{ github.event.pull_request.number }}
|
||
body: |
|
||
### Security Audit Report Of Frontend directory
|
||
**Node module vulnerabilities summary:**
|
||
🔴 Critical: ${{ steps.parse-audit.outputs.critical }}
|
||
🟠 High: ${{ steps.parse-audit.outputs.high }}
|
||
🟡 Moderate: ${{ steps.parse-audit.outputs.moderate }}
|
||
|
||
Please find the JSON file in the [summary page](${{ github.frontend_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}).
|
||
|
||
ManualVulnerability-CheckOn-server-code:
|
||
if: ${{ github.event.action == 'labeled' && (github.event.label.name == 'server-vulnerability' || github.event.label.name == 'check-vulnerability') }}
|
||
runs-on: ubuntu-latest
|
||
|
||
steps:
|
||
- name: Checkout repository
|
||
uses: actions/checkout@v3
|
||
with:
|
||
ref: ${{ github.event.pull_request.head.ref }}
|
||
|
||
- name: Use Node.js 22.15.1
|
||
uses: actions/setup-node@v3
|
||
with:
|
||
node-version: 22.15.1
|
||
|
||
- name: Install dependencies
|
||
run: npm --prefix server install
|
||
|
||
- name: Running security audit
|
||
run: npm --prefix server audit --json > server-audit.json
|
||
continue-on-error: true
|
||
|
||
- name: Parse audit summary
|
||
id: parse-audit
|
||
run: |
|
||
vulnerabilities=$(jq '.metadata.vulnerabilities' server-audit.json)
|
||
moderate=$(echo $vulnerabilities | jq '.moderate')
|
||
high=$(echo $vulnerabilities | jq '.high')
|
||
critical=$(echo $vulnerabilities | jq '.critical')
|
||
echo "moderate=$moderate" >> $GITHUB_OUTPUT
|
||
echo "high=$high" >> $GITHUB_OUTPUT
|
||
echo "critical=$critical" >> $GITHUB_OUTPUT
|
||
|
||
- name: Upload audit report
|
||
if: always()
|
||
uses: actions/upload-artifact@v4
|
||
with:
|
||
name: server-audit-report
|
||
path: server-audit.json
|
||
retention-days: 7
|
||
if-no-files-found: warn
|
||
|
||
- name: Create or update PR comment
|
||
uses: peter-evans/create-or-update-comment@v1
|
||
with:
|
||
token: ${{ secrets.GITHUB_TOKEN }}
|
||
repository: ${{ github.repository }}
|
||
issue-number: ${{ github.event.pull_request.number }}
|
||
body: |
|
||
### Security Audit Report Of Server directory
|
||
**Node module vulnerabilities summary:**
|
||
🔴 Critical: ${{ steps.parse-audit.outputs.critical }}
|
||
🟠 High: ${{ steps.parse-audit.outputs.high }}
|
||
🟡 Moderate: ${{ steps.parse-audit.outputs.moderate }}
|
||
|
||
Please find the JSON file in the [summary page](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}).
|
||
|
||
ManualVulnerability-CheckOn-marketplace-code:
|
||
if: ${{ github.event.action == 'labeled' && (github.event.label.name == 'marketplace-vulnerability' || github.event.label.name == 'check-vulnerability') }}
|
||
runs-on: ubuntu-latest
|
||
|
||
steps:
|
||
- name: Checkout repository
|
||
uses: actions/checkout@v3
|
||
with:
|
||
ref: ${{ github.event.pull_request.head.ref }}
|
||
|
||
- name: Use Node.js 22.15.1
|
||
uses: actions/setup-node@v3
|
||
with:
|
||
node-version: 22.15.1
|
||
|
||
- name: Install dependencies
|
||
run: npm --prefix marketplace install
|
||
|
||
- name: Running security audit
|
||
run: npm --prefix marketplace audit --json > marketplace-audit.json
|
||
continue-on-error: true
|
||
|
||
- name: Parse audit summary
|
||
id: parse-audit
|
||
run: |
|
||
vulnerabilities=$(jq '.metadata.vulnerabilities' marketplace-audit.json)
|
||
moderate=$(echo $vulnerabilities | jq '.moderate')
|
||
high=$(echo $vulnerabilities | jq '.high')
|
||
critical=$(echo $vulnerabilities | jq '.critical')
|
||
echo "moderate=$moderate" >> $GITHUB_OUTPUT
|
||
echo "high=$high" >> $GITHUB_OUTPUT
|
||
echo "critical=$critical" >> $GITHUB_OUTPUT
|
||
|
||
- name: Upload audit report
|
||
if: always()
|
||
uses: actions/upload-artifact@v4
|
||
with:
|
||
name: marketplace-audit-report
|
||
path: marketplace-audit.json
|
||
retention-days: 7
|
||
if-no-files-found: warn
|
||
|
||
- name: Create or update PR comment
|
||
uses: peter-evans/create-or-update-comment@v1
|
||
with:
|
||
token: ${{ secrets.GITHUB_TOKEN }}
|
||
repository: ${{ github.repository }}
|
||
issue-number: ${{ github.event.pull_request.number }}
|
||
body: |
|
||
### Security Audit Report Of Marketplace directory
|
||
**Node module vulnerabilities summary:**
|
||
🔴 Critical: ${{ steps.parse-audit.outputs.critical }}
|
||
🟠 High: ${{ steps.parse-audit.outputs.high }}
|
||
🟡 Moderate: ${{ steps.parse-audit.outputs.moderate }}
|
||
|
||
Please find the JSON file in the [summary page](${{ github.marketplace_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}).
|
||
|
||
ManualVulnerability-CheckOn-plugins-code:
|
||
if: ${{ github.event.action == 'labeled' && (github.event.label.name == 'plugins-vulnerability' || github.event.label.name == 'check-vulnerability') }}
|
||
runs-on: ubuntu-latest
|
||
steps:
|
||
- name: Checkout repository
|
||
uses: actions/checkout@v3
|
||
with:
|
||
ref: ${{ github.event.pull_request.head.ref }}
|
||
|
||
- name: Use Node.js 22.15.1
|
||
uses: actions/setup-node@v3
|
||
with:
|
||
node-version: 22.15.1
|
||
|
||
- name: Install dependencies
|
||
run: npm --prefix plugins install
|
||
|
||
- name: Running security audit
|
||
run: npm --prefix plugins audit --json > plugins-audit.json
|
||
continue-on-error: true
|
||
|
||
- name: Parse audit summary
|
||
id: parse-audit
|
||
run: |
|
||
vulnerabilities=$(jq '.metadata.vulnerabilities' plugins-audit.json)
|
||
moderate=$(echo $vulnerabilities | jq '.moderate')
|
||
high=$(echo $vulnerabilities | jq '.high')
|
||
critical=$(echo $vulnerabilities | jq '.critical')
|
||
echo "moderate=$moderate" >> $GITHUB_OUTPUT
|
||
echo "high=$high" >> $GITHUB_OUTPUT
|
||
echo "critical=$critical" >> $GITHUB_OUTPUT
|
||
|
||
- name: Upload audit report
|
||
if: always()
|
||
uses: actions/upload-artifact@v4
|
||
with:
|
||
name: plugins-audit-report
|
||
path: plugins-audit.json
|
||
retention-days: 7
|
||
if-no-files-found: warn
|
||
|
||
- name: Create or update PR comment
|
||
uses: peter-evans/create-or-update-comment@v1
|
||
with:
|
||
token: ${{ secrets.GITHUB_TOKEN }}
|
||
repository: ${{ github.repository }}
|
||
issue-number: ${{ github.event.pull_request.number }}
|
||
body: |
|
||
### Security Audit Report Of Plugins directory
|
||
**Node module vulnerabilities summary:**
|
||
🔴 Critical: ${{ steps.parse-audit.outputs.critical }}
|
||
🟠 High: ${{ steps.parse-audit.outputs.high }}
|
||
🟡 Moderate: ${{ steps.parse-audit.outputs.moderate }}
|
||
|
||
Please find the JSON file in the [summary page](${{ github.plugins_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}).
|
||
|
||
ManualVulnerability-CheckOn-root-code:
|
||
if: ${{ github.event.action == 'labeled' && (github.event.label.name == 'root-vulnerability' || github.event.label.name == 'check-vulnerability') }}
|
||
runs-on: ubuntu-latest
|
||
|
||
steps:
|
||
- name: Checkout repository
|
||
uses: actions/checkout@v3
|
||
with:
|
||
ref: ${{ github.event.pull_request.head.ref }}
|
||
|
||
- name: Use Node.js 22.15.1
|
||
uses: actions/setup-node@v3
|
||
with:
|
||
node-version: 22.15.1
|
||
|
||
- name: Install dependencies
|
||
run: npm install
|
||
|
||
- name: Running security audit
|
||
run: npm audit --json > root-audit.json
|
||
continue-on-error: true
|
||
|
||
- name: Parse audit summary
|
||
id: parse-audit
|
||
run: |
|
||
vulnerabilities=$(jq '.metadata.vulnerabilities' root-audit.json)
|
||
moderate=$(echo $vulnerabilities | jq '.moderate')
|
||
high=$(echo $vulnerabilities | jq '.high')
|
||
critical=$(echo $vulnerabilities | jq '.critical')
|
||
echo "moderate=$moderate" >> $GITHUB_OUTPUT
|
||
echo "high=$high" >> $GITHUB_OUTPUT
|
||
echo "critical=$critical" >> $GITHUB_OUTPUT
|
||
|
||
- name: Upload audit report
|
||
if: always()
|
||
uses: actions/upload-artifact@v4
|
||
with:
|
||
name: root-audit-report
|
||
path: root-audit.json
|
||
retention-days: 7
|
||
if-no-files-found: warn
|
||
|
||
- name: Create or update PR comment
|
||
uses: peter-evans/create-or-update-comment@v1
|
||
with:
|
||
token: ${{ secrets.GITHUB_TOKEN }}
|
||
repository: ${{ github.repository }}
|
||
issue-number: ${{ github.event.pull_request.number }}
|
||
body: |
|
||
### Security Audit Report Of Root directory
|
||
**Node module vulnerabilities summary:**
|
||
🔴 Critical: ${{ steps.parse-audit.outputs.critical }}
|
||
🟠 High: ${{ steps.parse-audit.outputs.high }}
|
||
🟡 Moderate: ${{ steps.parse-audit.outputs.moderate }}
|
||
|
||
Please find the JSON file in the [summary page](${{ github.root_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}).
|