diff --git a/.github/workflows/algorithm.yml b/.github/workflows/algorithm.yml index 4f3adbf6..d1dd337e 100644 --- a/.github/workflows/algorithm.yml +++ b/.github/workflows/algorithm.yml @@ -58,8 +58,8 @@ jobs: - name: Test run: docker compose exec ${{ matrix.service }} pytest - security: - name: Security + sast: + name: Static Application Security Testing runs-on: ubuntu-latest strategy: matrix: @@ -78,3 +78,17 @@ jobs: - name: Test run: bandit -c .bandit -ll -ii -n 3 -a file -r src/ + + supply: + name: Supply Chain Security + runs-on: ubuntu-latest + strategy: + matrix: + service: [search, recommend] + fail-fast: false + steps: + - uses: actions/checkout@v4 + + - uses: pypa/gh-action-pip-audit@v1.0.8 + with: + inputs: apps/algorithm/${{ matrix.service }}/requirements.txt diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml index fb9e043b..9b2ad3b3 100644 --- a/.github/workflows/backend.yml +++ b/.github/workflows/backend.yml @@ -78,8 +78,8 @@ jobs: - name: Test run: docker compose exec ${{ matrix.service == 'lib' && 'user' || matrix.service }} npm run ${{ matrix.service == 'lib' && '--prefix ../lib' || '' }} test:ci - security: - name: Security + sast: + name: Static Application Security Testing runs-on: ubuntu-latest strategy: matrix: @@ -92,3 +92,22 @@ jobs: uses: ajinabraham/njsscan-action@master with: args: './apps/backend/${{ matrix.service }}' + + supply: + name: Supply Chain Security + runs-on: ubuntu-latest + strategy: + matrix: + service: [user, listing, review, message, lib] + fail-fast: false + defaults: + run: + working-directory: apps/backend/${{ matrix.service }} + steps: + - uses: actions/checkout@v4 + + - uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_VERSION }} + + - run: npm audit --audit-level high diff --git a/.github/workflows/datalayer.yml b/.github/workflows/datalayer.yml index e50f5dc3..613e83a5 100644 --- a/.github/workflows/datalayer.yml +++ b/.github/workflows/datalayer.yml 
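Review bot: The new `supply` job pins `pypa/gh-action-pip-audit@v1.0.8` by a mutable tag, so a job whose purpose is supply-chain assurance itself trusts a reference the upstream maintainer can move; pin third-party actions to a full commit SHA with the tag kept in a trailing comment, e.g. `- uses: pypa/gh-action-pip-audit@<commit-sha-of-v1.0.8>  # v1.0.8`, and the same applies to the `supply` jobs added in backend.yml and frontend.yml. None of the added jobs declares a `permissions:` block; unless the workflow sets one at top level (outside the hunk), add `permissions: contents: read` to each so the audit runs with a read-only token. pip-audit reports on whatever `apps/algorithm/<service>/requirements.txt` resolves to at run time, so if that file is not fully pinned the audited set may differ from what the Test job's container actually installs — worth a comment on the step saying which set is being audited. The change of the job `name:` from `Security` in the earlier hunk also changes the check name that branch-protection required-status-check rules match on, so any such rule should be updated alongside this change.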
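Review bot: The new `supply` job runs `npm audit` straight after checkout with no install step, which only works when each service directory under `apps/backend/` already commits a `package-lock.json` — npm refuses to audit without a lockfile — so confirm every matrix entry (including `lib`, which the Test job handles specially via `--prefix ../lib`) has one. `--audit-level high` means moderate and low advisories are reported but never fail the job; that is a defensible policy, but record it on the step with a comment such as `# only high/critical advisories fail the job; lower severities are reported, not blocking`. The same two points apply to the `supply` job added in frontend.yml. `${{ env.NODE_VERSION }}` is defined outside the hunk, presumably at workflow level, and the job silently gets an empty version if it is not.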
@@ -58,8 +58,8 @@ jobs: - name: Build run: cargo build - security: - name: Security + supply: + name: Supply Chain Security runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml index 5020c987..db008765 100644 --- a/.github/workflows/frontend.yml +++ b/.github/workflows/frontend.yml @@ -77,8 +77,8 @@ jobs: - name: Test run: npm run build - security: - name: Security + sast: + name: Static Application Security Testing runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -87,3 +87,18 @@ jobs: uses: ajinabraham/njsscan-action@master with: args: './apps/frontend' + + supply: + name: Supply Chain Security + runs-on: ubuntu-latest + defaults: + run: + working-directory: apps/frontend + steps: + - uses: actions/checkout@v4 + + - uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_VERSION }} + + - run: npm audit --audit-level high