From 5ba3463b4816ee0a9b43b20d565f9ae850f234c6 Mon Sep 17 00:00:00 2001
From: "takahashi6644@gmail.com" <104863640+seaniesean@users.noreply.github.com>
Date: Wed, 31 Jan 2024 15:45:26 +0800
Subject: [PATCH] lint, dast,sast
---
 .github/workflows/lint.yml | 39 +++++++++++++++++++
 .github/workflows/sast-scan.yml | 37 ++++++++++++++++++
 .github/workflows/zap-scan.yml | 31 +++++++++++++++
 github/workflows/build.yml | 69 --------------------------------
 scripts/jshint-script.sh | 5 +++
 scripts/zap-script.sh | 6 +++
 6 files changed, 118 insertions(+), 69 deletions(-)
 create mode 100644 .github/workflows/lint.yml
 create mode 100644 .github/workflows/sast-scan.yml
 create mode 100644 .github/workflows/zap-scan.yml
 delete mode 100644 github/workflows/build.yml
 create mode 100644 scripts/jshint-script.sh
 create mode 100644 scripts/zap-script.sh
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 000000000..5ded50483
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,39 @@
+name: "linting-tool-scan"
+
+on:
+ push:
+ branches: [githubcicd]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix:
+ node-version: [16.x]
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Install Dependencies
+ if: steps.cache-nodemodules.outputs.cache-hit != 'true'
+ run: |
+ npm ci --force
+
+ - name: Installing JSHint
+ run: |
+ sudo npm install -g jshint
+
+ - name: Change script permission
+ run: |
+ chmod +x scripts/jshint-script.sh
+
+ - name: Run scan with JSHint
+ run: scripts/jshint-script.sh
+
+ - name: Archive production artifacts
+ uses: actions/upload-artifact@v2
+ with:
+ name: linting tool report
+ path: |
+ ./JSHint-report
diff --git a/.github/workflows/sast-scan.yml b/.github/workflows/sast-scan.yml
new file mode 100644
index 000000000..eca7254ff
--- /dev/null
+++ b/.github/workflows/sast-scan.yml
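Review bot: The `if: steps.cache-nodemodules.outputs.cache-hit != 'true'` guard on the Install Dependencies step refers to a step id that no step in this workflow defines (the cache step lived in the removed build.yml), so the expression compares an empty string and the guard is always true; the same dead condition appears in sast-scan.yml, and the unused `node-version: [16.x]` matrix appears in all three new workflows. The matrix is never consumed because there is no setup-node step, so the job runs on whatever Node the runner image happens to ship. Either drop the `if:` and the matrix, or add `- uses: actions/setup-node@v3` with `node-version: ${{ matrix.node-version }}` before the install step. The job also inherits the repository's default GITHUB_TOKEN scopes; since it only reads the checkout and uploads an artifact, a top-level `permissions:` block with `contents: read` keeps it least-privilege. `actions/checkout@v2` and `actions/upload-artifact@v2` are superseded major versions referenced by mutable tag rather than a commit SHA.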
@@ -0,0 +1,37 @@
+name: "sast-scan"
+
+on:
+ push:
+ branches: [githubcicd]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix:
+ node-version: [16.x]
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Install Dependencies
+ if: steps.cache-nodemodules.outputs.cache-hit != 'true'
+ run: |
+ npm ci --force
+
+ - name: OWASP Dependency Check
+ run: |
+ wget https://github.com/jeremylong/DependencyCheck/releases/download/v7.2.0/dependency-check-7.2.0-release.zip
+ unzip dependency-check-7.2.0-release.zip
+
+ - name: Run scan with ODC
+ run: |
+ dependency-check/bin/dependency-check.sh --project "bitcoin" --scan . > ODC-report
+
+ - name: Archive production artifacts
+ uses: actions/upload-artifact@v2
+ with:
+ name: sast report
+ path: |
+ ./ODC-report
diff --git a/.github/workflows/zap-scan.yml b/.github/workflows/zap-scan.yml
new file mode 100644
index 000000000..1856e79a5
--- /dev/null
+++ b/.github/workflows/zap-scan.yml
@@ -0,0 +1,31 @@
+name: "owasp-scan"
+
+on:
+ push:
+ branches: [githubcicd]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix:
+ node-version: [16.x]
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Change script permission
+ run: |
+ chmod +x scripts/zap-script.sh
+
+ - name: ZAP scan
+ run: scripts/zap-script.sh
+
+ - name: Archive production artifacts
+ uses: actions/upload-artifact@v2
+ with:
+ name: zap report
+ path: |
+ ./zap_baseline_report.html
+
diff --git a/github/workflows/build.yml b/github/workflows/build.yml
deleted file mode 100644
index 4b86e6eba..000000000
--- a/github/workflows/build.yml
+++ /dev/null
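Review bot: The OWASP Dependency Check step fetches `dependency-check-7.2.0-release.zip` with wget and unzips it without any integrity check, so whatever the download returns is executed against the checkout in the next step; record the expected digest next to the pinned version and verify it before `unzip`, e.g. `echo "<expected-sha256-from-release-page>  dependency-check-7.2.0-release.zip" | sha256sum -c -`. The `Run scan with ODC` step redirects only stdout into `ODC-report` and never sets a failure threshold, so the job is green regardless of findings; `--failOnCVSS` (or checking the tool's exit code) is what makes the scan gate the branch, and `--format`/`--out` produce the actual report rather than console output. Dependency Check is software-composition analysis of third-party packages, not static analysis of this repository's own code, so the `sast-scan` workflow name and `sast report` artifact name overstate what is covered. Pinning 7.2.0 is good for reproducibility, but that release line predates the tool's move to the NVD API, so the vulnerability-feed update may be slow or fail on current runners; worth confirming it still completes.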
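Review bot: The `ZAP scan` step runs `scripts/zap-script.sh` directly after checkout with no build or deploy in between, and that script targets a fixed public URL, so the baseline scan exercises whatever is currently published rather than the commit that triggered the workflow, and its findings cannot be tied back to this push. If the intent is to gate the branch, deploy a preview first, or at least pass the target in from the workflow (an `env:` value the script reads) so the job states what it scans. The `Archive production artifacts` step only runs when the scan step succeeds; add `if: always()` to it so the report is still uploaded on the runs where the scan fails, which are the ones worth reading.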
@@ -1,69 +0,0 @@
-name: Bitcoin order App
-on:
- push:
- branches:
- - githubcicd
-jobs:
- ci:
- runs-on: ubuntu-latest
-
- strategy:
- matrix:
- node-version: [16.x]
-
- steps:
- - uses: actions/checkout@v2
- - uses: browser-actions/setup-chrome@latest
- - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v1
- with:
- node-version: ${{ matrix.node-version }}
-
- - name: Cache node modules
- id: cache-nodemodules
- uses: actions/cache@v2
- env:
- cache-name: cache-node-modules
- with:
- # caching node_modules
- path: node_modules
- key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }}
- restore-keys: |
- ${{ runner.os }}-build-${{ env.cache-name }}-
- ${{ runner.os }}-build-
- ${{ runner.os }}-
- name: Install Dependencies
- if: steps.cache-nodemodules.outputs.cache-hit != 'true'
- run: |
- npm ci --force
- - name: Build
- run: |
- npm run build --force
- - name: Lint
- run: |
- npm run lint
- - name: Update types to latest
- run: |
- npm install --save-dev @types/node@latest --force
- #- name: Test
- # run: |
- # npm run test --watch=false --browsers=ChromeHeadless
- - name: Conventional Changelog Action
- id: changelog
- uses: TriPSs/conventional-changelog-action@v3
- with:
- github-token: ${{ secrets.WORKSHOP6_GITHUB_TOKEN }}
- output-file: "false"
-
- - name: Create Release
- uses: actions/create-release@v1
- if: ${{ steps.changelog.outputs.skipped == 'false' }}
- env:
- GITHUB_TOKEN: ${{ secrets.WORKSHOP6_GITHUB_TOKEN }}
- with:
- tag_name: ${{ steps.changelog.outputs.tag }}
- release_name: ${{ steps.changelog.outputs.tag }}
- body: ${{ steps.changelog.outputs.clean_changelog }}
- - name: Deploy
- run: |
- npm run deploy
diff --git a/scripts/jshint-script.sh b/scripts/jshint-script.sh
new file mode 100644
index 000000000..d30748654
--- /dev/null
+++ b/scripts/jshint-script.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+jshint --exclude="node_modules/" --reporter=unix . > JSHint-report
+
+echo $? > /dev/null
\ No newline at end of file
diff --git a/scripts/zap-script.sh b/scripts/zap-script.sh
new file mode 100644
index 000000000..12208d6a6
--- /dev/null
+++ b/scripts/zap-script.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+docker pull owasp/zap2docker-stable
+docker run -i owasp/zap2docker-stable zap-baseline.py -t "https://kenken64.github.io/bitcoin-order-app/" -l PASS > zap_baseline_report.html
+
+echo $? > /dev/null
\ No newline at end of file
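Review bot: `echo $? > /dev/null` on the last line discards jshint's exit status, and because it is the script's final command the script itself always exits 0, so the `Run scan with JSHint` step can never fail the job no matter how many findings land in `JSHint-report`; scripts/zap-script.sh ends with the same line and has the same effect. Replace that line with `exit "$?"` so the report is still written and the step then reports jshint's status. Once the status propagates, the `Archive production artifacts` step in each workflow needs `if: always()`, otherwise the report is dropped on exactly the runs that have findings. The file also lacks a trailing newline.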
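Review bot: The `docker run` line redirects the container's stdout into `zap_baseline_report.html`, but zap-baseline.py prints a plain-text summary to stdout; the HTML report is only produced with `-r <file>`, and that file is written inside the container, so without a workspace mount nothing reaches the runner and the uploaded artifact is a text log with an .html name, e.g. `docker run -v "$(pwd)":/zap/wrk/:rw owasp/zap2docker-stable zap-baseline.py -t "$TARGET" -r zap_baseline_report.html`. `-l PASS` only lowers the minimum level that is printed; it is not a failure threshold. The target URL is hard-coded to a public site unrelated to the checked-out commit; read it from an argument or environment variable so the workflow states what it scans. `owasp/zap2docker-stable` is pulled by moving tag on every run, so the scanner itself is unpinned; pin it by digest if reproducible results matter.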