Skip to content
Security Scan

fix: Update Docker configuration with proper permissions and user set… #11

Sign in to view logs

fix: Update Docker configuration with proper permissions and user set…

fix: Update Docker configuration with proper permissions and user set… #11

Workflow file for this run

.github/workflows/security.yml at fd60865
name: Security Scan
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
schedule:
- cron: '0 0 * * *' # Run daily
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Check for SNYK_TOKEN
id: check_token
run: |
if [ "${{ secrets.SNYK_TOKEN }}" != '' ]; then
echo "has_token=true" >> $GITHUB_OUTPUT
else
echo "has_token=false" >> $GITHUB_OUTPUT
fi
- name: Run Snyk to check for vulnerabilities
if: steps.check_token.outputs.has_token == 'true'
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --all-projects
- name: Setup Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Build images for scanning
run: |
docker-compose build
- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'table'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
- name: Run Trivy vulnerability scanner in image mode
uses: aquasecurity/trivy-action@master
with:
image-ref: 'todo-app-backend:latest'
format: 'sarif'
output: 'trivy-results.sarif'
exit-code: '0'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: 'trivy-results.sarif'
- name: Run npm audit
run: |
cd backend && npm audit --json > ../backend-audit.json || true
cd ../frontend && npm audit --json > ../frontend-audit.json || true
- name: Upload security scan results
uses: actions/upload-artifact@v3
if: always()
with:
name: security-scan-results
path: |
trivy-results.sarif
backend-audit.json
frontend-audit.json