From 4ec57d5141f336746a4b3f02a516e6d5f5ee5634 Mon Sep 17 00:00:00 2001
From: Max Thomson
Date: Thu, 20 Jun 2024 22:31:23 -0400
Subject: [PATCH] [CI] Add supply chain security job for each service (#182)

# Description
Added the GuardDog CI job to each service Closes #136

## How to Test
Observe the green checkmarks for each `Supply Chain Security` CI job

## Checklist
- [ ] The code includes tests if relevant
- [x] I have *actually* self-reviewed my changes and done QA
---
 .github/workflows/algorithm.yml | 18 ++++++++++++++++--
 .github/workflows/backend.yml   | 23 +++++++++++++++++++++--
 .github/workflows/datalayer.yml |  4 ++--
 .github/workflows/frontend.yml  | 19 +++++++++++++++++--
 4 files changed, 56 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/algorithm.yml b/.github/workflows/algorithm.yml
index 4f3adbf6..d1dd337e 100644
--- a/.github/workflows/algorithm.yml
+++ b/.github/workflows/algorithm.yml
@@ -58,8 +58,8 @@ jobs:
       - name: Test
         run: docker compose exec ${{ matrix.service }} pytest
 
-  security:
-    name: Security
+  sast:
+    name: Static Application Security Testing
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -78,3 +78,17 @@ jobs:
 
       - name: Test
         run: bandit -c .bandit -ll -ii -n 3 -a file -r src/
+
+  supply:
+    name: Supply Chain Security
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        service: [search, recommend]
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pypa/gh-action-pip-audit@v1.0.8
+        with:
+          inputs: apps/algorithm/${{ matrix.service }}/requirements.txt
diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
index fb9e043b..9b2ad3b3 100644
--- a/.github/workflows/backend.yml
+++ b/.github/workflows/backend.yml
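Review bot: Renaming the job id `security` to `sast` and its display name from `Security` to `Static Application Security Testing` changes the check name that branch-protection required-status-checks and any `needs: security` edge are keyed on; if a required check called `Security` is configured, the new name will not satisfy it and the rule has to be updated alongside this commit. The same rename appears in the backend.yml, datalayer.yml and frontend.yml hunks, and in datalayer.yml the renamed job becomes `supply` without its steps being in the hunk, so I cannot confirm from here that it actually runs a dependency-audit tool. I cannot see whether any other job uses `needs:` on the old id, so that is worth a grep before merging. A short comment above the job, `# Job name is referenced by branch-protection required checks; update those when renaming`, would make the coupling visible to the next person who touches it.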
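Review bot: The new supply job pins `pypa/gh-action-pip-audit@v1.0.8` and `actions/checkout@v4` by mutable tag rather than by full commit SHA, so a job whose purpose is supply-chain assurance is itself trusting that those tags are never moved; the usual hardening is `uses: pypa/gh-action-pip-audit@<full-commit-sha>  # v1.0.8` with the tag kept as a trailing comment, and the same applies to the `actions/setup-node@v4` and checkout steps in the backend.yml and frontend.yml supply jobs. Nothing in this job needs write access to the workflow token, so a job-level `permissions: contents: read` would also be appropriate; only the `jobs:` context is visible, so I cannot tell whether a workflow-level `permissions:` block already covers this. Separately, the PR description says a GuardDog job was added, but the hunk runs pip-audit against `apps/algorithm/${{ matrix.service }}/requirements.txt`, so the description should name pip-audit / npm audit to keep the history accurate.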
@@ -78,8 +78,8 @@ jobs:
       - name: Test
         run: docker compose exec ${{ matrix.service == 'lib' && 'user' || matrix.service }} npm run ${{ matrix.service == 'lib' && '--prefix ../lib' || '' }} test:ci
 
-  security:
-    name: Security
+  sast:
+    name: Static Application Security Testing
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -92,3 +92,22 @@ jobs:
         uses: ajinabraham/njsscan-action@master
         with:
           args: './apps/backend/${{ matrix.service }}'
+
+  supply:
+    name: Supply Chain Security
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        service: [user, listing, review, message, lib]
+      fail-fast: false
+    defaults:
+      run:
+        working-directory: apps/backend/${{ matrix.service }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+
+      - run: npm audit --audit-level high
diff --git a/.github/workflows/datalayer.yml b/.github/workflows/datalayer.yml
index e50f5dc3..613e83a5 100644
--- a/.github/workflows/datalayer.yml
+++ b/.github/workflows/datalayer.yml
@@ -58,8 +58,8 @@ jobs:
       - name: Build
         run: cargo build
 
-  security:
-    name: Security
+  supply:
+    name: Supply Chain Security
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml
index 5020c987..db008765 100644
--- a/.github/workflows/frontend.yml
+++ b/.github/workflows/frontend.yml
@@ -77,8 +77,8 @@ jobs:
       - name: Test
         run: npm run build
 
-  security:
-    name: Security
+  sast:
+    name: Static Application Security Testing
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -87,3 +87,18 @@ jobs:
         uses: ajinabraham/njsscan-action@master
         with:
           args: './apps/frontend'
+
+  supply:
+    name: Supply Chain Security
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: apps/frontend
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+
+      - run: npm audit --audit-level high
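Review bot: The gating threshold is inconsistent across the new supply jobs: `npm audit --audit-level high` in this hunk fails only on high/critical advisories, whereas the pip-audit job added to algorithm.yml fails on any reported vulnerability, so a moderate finding blocks a Python service but not a Node one. If that asymmetry is intentional, record it next to the command, e.g. `# Fail only on high/critical; lower severities are printed but non-blocking`; otherwise align the two policies. `npm audit` here reads the lockfile without installing anything, so a service directory that lacks a `package-lock.json` would fail the step with an ENOLOCK error rather than with a finding; the service directories are not visible from the hunk, so it is worth confirming each matrix entry, including `lib`, has one. The same `npm audit` line is added in the frontend.yml hunk and the note applies there too.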