From 09fb8f9c9d8ff1377b2dd5487fe7085caadfafdd Mon Sep 17 00:00:00 2001 From: Daniel Date: Sun, 14 Dec 2025 21:10:15 +1100 Subject: [PATCH 1/7] Review security, andd security scan
--- .dockerignore | 25 ++++ .github/workflows/security-scan.yml | 170 ++++++++++++++++++++++++++++ 2 files changed, 195 insertions(+) create mode 100644 .dockerignore create mode 100644 .github/workflows/security-scan.yml
diff --git a/.dockerignore b/.dockerignore new file mode 100644
index 0000000..21fb0d1
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,25 @@
+# Secrets and credentials
+.env
+.env.*
+*.pem
+*.key
+*credentials*
+*secret*
+.aws/
+.ssh/
+
+# Git (may contain secrets in history)
+.git
+
+# IDE configs (may contain tokens)
+.idea/
+.vscode/
+.settings/
+.gradle/
+.claude
+
+# Local development
+docker-compose*.yml
+
+logs/
+docs/
\ No newline at end of file
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml new file mode 100644
index 0000000..988a9cf
--- /dev/null
+++ b/.github/workflows/security-scan.yml
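Review bot: The secret-file patterns `.env`, `.env.*`, `*.pem`, `*.key`, `*credentials*` and `*secret*` are matched against the root of the build context only (Docker uses Go filepath.Match, where `*` does not cross `/`), so the same files one directory down — a `config/server.key` or a nested `.env` — are still sent to the daemon and can land in an image layer. Prefix the entries that should apply anywhere with `**/`, e.g. `**/.env`, `**/.env.*`, `**/*.pem`, `**/*.key`, `**/*credentials*`, `**/*secret*`. Before widening `*secret*` and `*credentials*` that way, grep the tree for legitimate source files whose names match, since they would then be excluded from the build too. The directory entries `.aws/` and `.ssh/` are fine as written if they only ever sit at the root. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.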
@@ -0,0 +1,170 @@
+name: Security Scan
+
+on:
+ workflow_run:
+ workflows: ["CI"]
+ types:
+ - completed
+ branches: [main]
+ workflow_dispatch:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ trivy-repo-scan:
+ name: Repository Scan
+ runs-on: ubuntu-latest
+ if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
+
+ permissions:
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.workflow_run.head_sha || github.sha }}
+
+ - name: Run Trivy repo scan
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ scan-type: 'repo'
+ scan-ref: '.'
+ format: 'sarif'
+ output: 'trivy-repo-results.sarif'
+ severity: 'CRITICAL,HIGH,MEDIUM'
+ ignore-unfixed: true
+
+ - name: Upload repo scan results
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: 'trivy-repo-results.sarif'
+ category: 'trivy-repo'
+
+ - name: Run Trivy repo scan (table output)
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ scan-type: 'repo'
+ scan-ref: '.'
+ format: 'table'
+ severity: 'CRITICAL,HIGH,MEDIUM'
+ ignore-unfixed: true
+
+ trivy-config-scan:
+ name: IaC Config Scan
+ runs-on: ubuntu-latest
+ if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
+
+ permissions:
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.workflow_run.head_sha || github.sha }}
+
+ - name: Run Trivy config scan
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ scan-type: 'config'
+ scan-ref: '.'
+ format: 'sarif'
+ output: 'trivy-config-results.sarif'
+ severity: 'CRITICAL,HIGH,MEDIUM'
+
+ - name: Upload config scan results
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: 'trivy-config-results.sarif'
+ category: 'trivy-config'
+
+ - name: Run Trivy config scan (table output)
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ scan-type: 'config'
+ scan-ref: '.'
+ format: 'table'
+ severity: 'CRITICAL,HIGH,MEDIUM'
+
+ trivy-image-scan:
+ name: Docker Image Scan
+ runs-on: ubuntu-latest
+ if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
+
+ permissions:
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.workflow_run.head_sha || github.sha }}
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build Docker image
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ push: false
+ load: true
+ tags: user-service:${{ github.sha }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ - name: Run Trivy image scan
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ scan-type: 'image'
+ image-ref: 'user-service:${{ github.sha }}'
+ format: 'sarif'
+ output: 'trivy-image-results.sarif'
+ severity: 'CRITICAL,HIGH,MEDIUM'
+ ignore-unfixed: true
+
+ - name: Upload image scan results
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: 'trivy-image-results.sarif'
+ category: 'trivy-image'
+
+ - name: Run Trivy image scan (table output)
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ scan-type: 'image'
+ image-ref: 'user-service:${{ github.sha }}'
+ format: 'table'
+ severity: 'CRITICAL,HIGH,MEDIUM'
+ ignore-unfixed: true
+
+ security-gate:
+ name: Security Gate
+ runs-on: ubuntu-latest
+ needs: [trivy-repo-scan, trivy-config-scan, trivy-image-scan]
+ if: ${{ github.event_name == 'workflow_dispatch' || 
github.event.workflow_run.conclusion == 'success' }}
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.workflow_run.head_sha || github.sha }}
+
+ - name: Fail on CRITICAL vulnerabilities
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ scan-type: 'repo'
+ scan-ref: '.'
+ format: 'table'
+ exit-code: '1'
+ severity: 'CRITICAL'
+ ignore-unfixed: true
From 70d9053d133caa61941a57f498f20b444b607e99 Mon Sep 17 00:00:00 2001 From: Daniel Date: Sun, 14 Dec 2025 21:17:56 +1100 Subject: [PATCH 2/7] Update trivy scan config
--- .github/workflows/security-scan.yml | 127 +++------------------------- 1 file changed, 11 insertions(+), 116 deletions(-)
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 988a9cf..6d5824a 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -2,10 +2,10 @@ name: Security Scan on: workflow_run: - workflows: ["CI"] + workflows: [ "CI" ] types: - completed - branches: [main] + branches: [ main ] workflow_dispatch: concurrency:
@@ -13,7 +13,7 @@ concurrency: cancel-in-progress: true jobs: - trivy-repo-scan: + trivy-scan: name: Repository Scan runs-on: ubuntu-latest if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }} 
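Review bot: The `security-gate` job enforces `exit-code: '1'` only on a fresh `scan-type: 'repo'` scan, so CRITICAL findings from `trivy-image-scan` and `trivy-config-scan` never fail the workflow — those steps have no `exit-code` and only upload SARIF. A separate gate cannot reach the built image anyway (`load: true` populates only that runner's daemon), so put the gate on the scan steps themselves: add `exit-code: '1'` to the `Run Trivy image scan` step (and to the config scan if misconfigurations should block), after which the gate job only duplicates the repo scan. `security-gate` also declares no `permissions:` block, so it runs with the repository's default token scopes instead of the `contents: read` the other three jobs pin; add `permissions:` with `contents: read` there. The `ref: ${{ github.event.workflow_run.head_sha || github.sha }}` checkout followed by `docker build` executes the triggering commit's Dockerfile inside the base repository's `workflow_run` context, which is acceptable only while `branches: [main]` restricts the trigger — treat that filter (or a `github.event.workflow_run.head_repository.full_name == github.repository` guard) as the control if the trigger is ever widened. Every action is pinned to a mutable tag (`aquasecurity/trivy-action@0.28.0`, `github/codeql-action/upload-sarif@v3`, `docker/build-push-action@v6`); a full commit SHA with the version in a trailing comment is the usual hardening for a workflow that holds `security-events: write`.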
@@ -24,92 +24,26 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: ref: ${{ github.event.workflow_run.head_sha || github.sha }} - - name: Run Trivy repo scan - uses: aquasecurity/trivy-action@0.28.0 - with: - scan-type: 'repo' - scan-ref: '.' - format: 'sarif' - output: 'trivy-repo-results.sarif' - severity: 'CRITICAL,HIGH,MEDIUM' - ignore-unfixed: true - - - name: Upload repo scan results - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: 'trivy-repo-results.sarif' - category: 'trivy-repo' - - name: Run Trivy repo scan (table output) - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.33.1 with: scan-type: 'repo' scan-ref: '.' format: 'table' - severity: 'CRITICAL,HIGH,MEDIUM' + severity: 'CRITICAL,HIGH' ignore-unfixed: true - trivy-config-scan: - name: IaC Config Scan - runs-on: ubuntu-latest - if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }} - - permissions: - contents: read - security-events: write - - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - ref: ${{ github.event.workflow_run.head_sha || github.sha }} - - - name: Run Trivy config scan - uses: aquasecurity/trivy-action@0.28.0 - with: - scan-type: 'config' - scan-ref: '.' - format: 'sarif' - output: 'trivy-config-results.sarif' - severity: 'CRITICAL,HIGH,MEDIUM' - - - name: Upload config scan results - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: 'trivy-config-results.sarif' - category: 'trivy-config' - - name: Run Trivy config scan (table output) - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.33.1 with: scan-type: 'config' scan-ref: '.' 
format: 'table' - severity: 'CRITICAL,HIGH,MEDIUM' - - trivy-image-scan: - name: Docker Image Scan - runs-on: ubuntu-latest - if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }} - - permissions: - contents: read - security-events: write - - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - ref: ${{ github.event.workflow_run.head_sha || github.sha }} - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + severity: 'CRITICAL,HIGH' - name: Build Docker image uses: docker/build-push-action@v6 
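Review bot: No step in this job can fail the workflow on a finding any more: the Trivy steps kept here are `format: 'table'` without `exit-code`, the SARIF scans and their `upload-sarif` steps are dropped, and the `@@ -121,50 +55,11` hunk below removes the `security-gate` job that held the only `exit-code: '1'`, so a CRITICAL vulnerability is printed in the log while the run stays green. The same table-only, no-`exit-code` shape is carried into `ci.yml` by PATCH 4. If advisory-only is the intent, say so on the job, e.g. `# Advisory only: Trivy findings are printed, not enforced (no exit-code, no SARIF upload)`; otherwise add `exit-code: '1'` to the `Run Trivy image scan (table output)` step, since the image is the artifact that ships. `name: Repository Scan` is now inaccurate for a job that also scans config and the built image. The `trivy-scan` job begins in the `@@ -13,7` hunk above and its `permissions:` block lies between the two hunks, outside this one.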
@@ -121,50 +55,11 @@ jobs: cache-from: type=gha cache-to: type=gha,mode=max - - name: Run Trivy image scan - uses: aquasecurity/trivy-action@0.28.0 - with: - scan-type: 'image' - image-ref: 'user-service:${{ github.sha }}' - format: 'sarif' - output: 'trivy-image-results.sarif' - severity: 'CRITICAL,HIGH,MEDIUM' - ignore-unfixed: true - - - name: Upload image scan results - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: 'trivy-image-results.sarif' - category: 'trivy-image' - - name: Run Trivy image scan (table output) - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.33.1 with: scan-type: 'image' image-ref: 'user-service:${{ github.sha }}' format: 'table' - severity: 'CRITICAL,HIGH,MEDIUM' - ignore-unfixed: true - - security-gate: - name: Security Gate - runs-on: ubuntu-latest - needs: [trivy-repo-scan, trivy-config-scan, trivy-image-scan] - if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }} - - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - ref: ${{ github.event.workflow_run.head_sha || github.sha }} - - - name: Fail on CRITICAL vulnerabilities - uses: aquasecurity/trivy-action@0.28.0 - with: - scan-type: 'repo' - scan-ref: '.' - format: 'table' - exit-code: '1' - severity: 'CRITICAL' - ignore-unfixed: true + severity: 'CRITICAL,HIGH' + ignore-unfixed: true \ No newline at end of file From 3b1a4680183eaf6db2c1e755500d0ea93ebd9f4a Mon Sep 17 00:00:00 2001 From: Daniel Date: Sun, 14 Dec 2025 21:23:46 +1100 Subject: [PATCH 3/7] Update security scan pipeline to run also on pr request --- .github/workflows/security-scan.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index 6d5824a..fe905cc 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml 
@@ -5,7 +5,6 @@ on: workflows: [ "CI" ] types: - completed - branches: [ main ] workflow_dispatch: concurrency:
From e230a3a650b474bee9983085b1be443bb6211fd7 Mon Sep 17 00:00:00 2001 From: Daniel Date: Sun, 14 Dec 2025 21:44:09 +1100 Subject: [PATCH 4/7] Move security scan job to ci so that PR can run too
--- .github/workflows/ci.yml | 47 +++++++++++++++++++++ .github/workflows/security-scan.yml | 64 ----------------------------- 2 files changed, 47 insertions(+), 64 deletions(-) delete mode 100644 .github/workflows/security-scan.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e111cce..5d06446 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -111,4 +111,51 @@ jobs: min-coverage-overall: 80 min-coverage-changed-files: 80
+ security-scan:
+ name: Security Scan
+ runs-on: ubuntu-latest
+ needs: build
+
+ permissions:
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+
+ - name: Run Trivy repo scan
+ uses: aquasecurity/trivy-action@0.33.1
+ with:
+ scan-type: 'repo'
+ scan-ref: '.'
+ format: 'table'
+ severity: 'CRITICAL,HIGH'
+ ignore-unfixed: true
+
+ - name: Run Trivy config scan
+ uses: aquasecurity/trivy-action@0.33.1
+ with:
+ scan-type: 'config'
+ scan-ref: '.'
+ format: 'table'
+ severity: 'CRITICAL,HIGH'
+ - name: Build Docker image
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ push: false
+ load: true
+ tags: user-service:${{ github.sha }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ - name: Run Trivy image scan
+ uses: aquasecurity/trivy-action@0.33.1
+ with:
+ scan-type: 'image'
+ image-ref: 'user-service:${{ github.sha }}'
+ format: 'table'
+ severity: 'CRITICAL,HIGH'
+ ignore-unfixed: true
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml deleted file mode 100644
index fe905cc..0000000
--- a/.github/workflows/security-scan.yml
+++ /dev/null
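Review bot: The new `security-scan` job in `ci.yml` requests `security-events: write` but none of its steps uploads SARIF (all three Trivy steps are `format: 'table'`), so this is an unused write scope on the job's `GITHUB_TOKEN`; reduce the block to `permissions:` with only `contents: read` unless an `upload-sarif` step is added. As in PATCH 2, no step sets `exit-code`, so the job cannot fail on a finding — the remark on that hunk applies here unchanged. Style: there is no blank line between the `Run Trivy config scan` step and `- name: Build Docker image`, unlike every other step boundary in the job (PATCH 5 happens to insert one). The hunk's leading context (`min-coverage-overall: 80`) belongs to the preceding job, which starts outside the hunk.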
@@ -1,64 +0,0 @@ -name: Security Scan - -on: - workflow_run: - workflows: [ "CI" ] - types: - - completed - workflow_dispatch: - -concurrency: - group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.ref }} - cancel-in-progress: true - -jobs: - trivy-scan: - name: Repository Scan - runs-on: ubuntu-latest - if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }} - - permissions: - contents: read - security-events: write - - steps: - - name: Checkout code - uses: actions/checkout@v6 - with: - ref: ${{ github.event.workflow_run.head_sha || github.sha }} - - - name: Run Trivy repo scan (table output) - uses: aquasecurity/trivy-action@0.33.1 - with: - scan-type: 'repo' - scan-ref: '.' - format: 'table' - severity: 'CRITICAL,HIGH' - ignore-unfixed: true - - - name: Run Trivy config scan (table output) - uses: aquasecurity/trivy-action@0.33.1 - with: - scan-type: 'config' - scan-ref: '.' - format: 'table' - severity: 'CRITICAL,HIGH' - - - name: Build Docker image - uses: docker/build-push-action@v6 - with: - context: . - push: false - load: true - tags: user-service:${{ github.sha }} - cache-from: type=gha - cache-to: type=gha,mode=max - - - name: Run Trivy image scan (table output) - uses: aquasecurity/trivy-action@0.33.1 - with: - scan-type: 'image' - image-ref: 'user-service:${{ github.sha }}' - format: 'table' - severity: 'CRITICAL,HIGH' - ignore-unfixed: true \ No newline at end of file From fb5fd4fa4d5c4a6647a3d0a16ff4fd971c673def Mon Sep 17 00:00:00 2001 From: Daniel Date: Mon, 15 Dec 2025 09:56:43 +1100 Subject: [PATCH 5/7] Fix docker image build issue --- .github/workflows/ci.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5d06446..b449b46 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -141,9 +141,16 @@ jobs: format: 'table' severity: 'CRITICAL,HIGH' + - name: Set up Docker Buildx + id: buildx + uses: docker/setup-buildx-action@v3 + with: + driver: docker-container + - name: Build Docker image uses: docker/build-push-action@v6 with: + builder: : ${{ steps.buildx.outputs.nameb}} context: . push: false load: true From 56fcf40ba70359934d1459aff31e801b8c7001cf Mon Sep 17 00:00:00 2001 From: Daniel Date: Mon, 15 Dec 2025 09:57:55 +1100 Subject: [PATCH 6/7] Fix typo --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b449b46..2236609 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -150,7 +150,7 @@ jobs: - name: Build Docker image uses: docker/build-push-action@v6 with: - builder: : ${{ steps.buildx.outputs.nameb}} + builder: : ${{ steps.buildx.outputs.name }} context: . push: false load: true From 97944ae6dfd9460c5d2edcd31c1649e9f2c46c98 Mon Sep 17 00:00:00 2001 From: Daniel Date: Mon, 15 Dec 2025 10:01:10 +1100 Subject: [PATCH 7/7] Fix syntax --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2236609..655ff1a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -150,7 +150,7 @@ jobs: - name: Build Docker image uses: docker/build-push-action@v6 with: - builder: : ${{ steps.buildx.outputs.name }} + builder: ${{ steps.buildx.outputs.name }} context: . push: false load: true
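Review bot: The switch to `driver: docker-container` is unexplained in the hunk; the likely reason is that `cache-from`/`cache-to: type=gha` on the build step needs a non-default builder, with `load: true` exporting the result back to the daemon so the following `scan-type: 'image'` step can find it — if that is the fix, record it on the Buildx step, e.g. `# docker-container driver: required for type=gha cache; load: true exports the image to the daemon for the Trivy image scan`. The explicit `id: buildx` / `builder: ${{ steps.buildx.outputs.name }}` pair looks redundant, because setup-buildx-action selects the builder it creates as the current one by default, so both lines can go if nothing else in the job picks a builder. The enclosing `security-scan` job starts outside the hunk. PATCH 6 and PATCH 7 below only correct the `builder:` line and need no separate note.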