dearsky/wifi-densepose
1
0
Fork 0
Code Issues 20 Pull Requests 5 Actions Packages Projects Releases 1 Wiki Activity

updates

Browse Source
This commit is contained in:
rUv
2025-06-07 11:44:19 +00:00
parent 43e92c5494
commit c378b705ca
95 changed files with 43677 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

347
.github/workflows/cd.yml vendored Normal file
View File

@@ -0,0 +1,347 @@
name: Continuous Deployment
on:
push:
branches: [ main ]
tags: [ 'v*' ]
workflow_run:
workflows: ["Continuous Integration"]
types:
- completed
branches: [ main ]
workflow_dispatch:
inputs:
environment:
description: 'Deployment environment'
required: true
default: 'staging'
type: choice
options:
- staging
- production
force_deploy:
description: 'Force deployment (skip checks)'
required: false
default: false
type: boolean
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
KUBE_CONFIG_DATA: ${{ secrets.KUBE_CONFIG_DATA }}
jobs:
# Pre-deployment checks
pre-deployment:
name: Pre-deployment Checks
runs-on: ubuntu-latest
if: github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch'
outputs:
deploy_env: ${{ steps.determine-env.outputs.environment }}
image_tag: ${{ steps.determine-tag.outputs.tag }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Determine deployment environment
id: determine-env
run: |
if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
echo "environment=${{ github.event.inputs.environment }}" >> $GITHUB_OUTPUT
elif [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
echo "environment=staging" >> $GITHUB_OUTPUT
elif [[ "${{ github.ref }}" == refs/tags/v* ]]; then
echo "environment=production" >> $GITHUB_OUTPUT
else
echo "environment=staging" >> $GITHUB_OUTPUT
fi
- name: Determine image tag
id: determine-tag
run: |
if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
else
echo "tag=${{ github.sha }}" >> $GITHUB_OUTPUT
fi
- name: Verify image exists
run: |
docker manifest inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.determine-tag.outputs.tag }}
# Deploy to staging
deploy-staging:
name: Deploy to Staging
runs-on: ubuntu-latest
needs: [pre-deployment]
if: needs.pre-deployment.outputs.deploy_env == 'staging'
environment:
name: staging
url: https://staging.wifi-densepose.com
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up kubectl
uses: azure/setup-kubectl@v3
with:
version: 'v1.28.0'
- name: Configure kubectl
run: |
echo "${{ secrets.KUBE_CONFIG_DATA_STAGING }}" | base64 -d > kubeconfig
export KUBECONFIG=kubeconfig
- name: Deploy to staging namespace
run: |
export KUBECONFIG=kubeconfig
# Update image tag in deployment
kubectl set image deployment/wifi-densepose wifi-densepose=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.pre-deployment.outputs.image_tag }} -n wifi-densepose-staging
# Wait for rollout to complete
kubectl rollout status deployment/wifi-densepose -n wifi-densepose-staging --timeout=600s
# Verify deployment
kubectl get pods -n wifi-densepose-staging -l app=wifi-densepose
- name: Run smoke tests
run: |
sleep 30
curl -f https://staging.wifi-densepose.com/health || exit 1
curl -f https://staging.wifi-densepose.com/api/v1/info || exit 1
- name: Run integration tests against staging
run: |
python -m pytest tests/integration/ --base-url=https://staging.wifi-densepose.com -v
# Deploy to production
deploy-production:
name: Deploy to Production
runs-on: ubuntu-latest
needs: [pre-deployment, deploy-staging]
if: needs.pre-deployment.outputs.deploy_env == 'production' || (github.ref == 'refs/tags/v*' && needs.deploy-staging.result == 'success')
environment:
name: production
url: https://wifi-densepose.com
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up kubectl
uses: azure/setup-kubectl@v3
with:
version: 'v1.28.0'
- name: Configure kubectl
run: |
echo "${{ secrets.KUBE_CONFIG_DATA_PRODUCTION }}" | base64 -d > kubeconfig
export KUBECONFIG=kubeconfig
- name: Pre-deployment backup
run: |
export KUBECONFIG=kubeconfig
# Backup current deployment
kubectl get deployment wifi-densepose -n wifi-densepose -o yaml > backup-deployment.yaml
# Backup database
kubectl exec -n wifi-densepose deployment/postgres -- pg_dump -U wifi_user wifi_densepose > backup-db.sql
- name: Blue-Green Deployment
run: |
export KUBECONFIG=kubeconfig
# Create green deployment
kubectl patch deployment wifi-densepose -n wifi-densepose -p '{"spec":{"template":{"metadata":{"labels":{"version":"green"}}}}}'
kubectl set image deployment/wifi-densepose wifi-densepose=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.pre-deployment.outputs.image_tag }} -n wifi-densepose
# Wait for green deployment to be ready
kubectl rollout status deployment/wifi-densepose -n wifi-densepose --timeout=600s
# Verify green deployment health
kubectl wait --for=condition=ready pod -l app=wifi-densepose,version=green -n wifi-densepose --timeout=300s
- name: Traffic switching validation
run: |
export KUBECONFIG=kubeconfig
# Get green pod IP for direct testing
GREEN_POD=$(kubectl get pods -n wifi-densepose -l app=wifi-densepose,version=green -o jsonpath='{.items[0].metadata.name}')
# Test green deployment directly
kubectl exec -n wifi-densepose $GREEN_POD -- curl -f http://localhost:8000/health
kubectl exec -n wifi-densepose $GREEN_POD -- curl -f http://localhost:8000/api/v1/info
- name: Switch traffic to green
run: |
export KUBECONFIG=kubeconfig
# Update service selector to point to green
kubectl patch service wifi-densepose-service -n wifi-densepose -p '{"spec":{"selector":{"version":"green"}}}'
# Wait for traffic switch
sleep 30
- name: Production smoke tests
run: |
curl -f https://wifi-densepose.com/health || exit 1
curl -f https://wifi-densepose.com/api/v1/info || exit 1
- name: Cleanup old deployment
run: |
export KUBECONFIG=kubeconfig
# Remove blue version label from old pods
kubectl label pods -n wifi-densepose -l app=wifi-densepose,version!=green version-
# Scale down old replica set (optional)
# kubectl scale rs -n wifi-densepose -l app=wifi-densepose,version!=green --replicas=0
- name: Upload deployment artifacts
uses: actions/upload-artifact@v3
with:
name: production-deployment-${{ github.run_number }}
path: |
backup-deployment.yaml
backup-db.sql
# Rollback capability
rollback:
name: Rollback Deployment
runs-on: ubuntu-latest
if: failure() && (needs.deploy-staging.result == 'failure' || needs.deploy-production.result == 'failure')
needs: [pre-deployment, deploy-staging, deploy-production]
environment:
name: ${{ needs.pre-deployment.outputs.deploy_env }}
steps:
- name: Set up kubectl
uses: azure/setup-kubectl@v3
with:
version: 'v1.28.0'
- name: Configure kubectl
run: |
if [[ "${{ needs.pre-deployment.outputs.deploy_env }}" == "production" ]]; then
echo "${{ secrets.KUBE_CONFIG_DATA_PRODUCTION }}" | base64 -d > kubeconfig
NAMESPACE="wifi-densepose"
else
echo "${{ secrets.KUBE_CONFIG_DATA_STAGING }}" | base64 -d > kubeconfig
NAMESPACE="wifi-densepose-staging"
fi
export KUBECONFIG=kubeconfig
echo "NAMESPACE=$NAMESPACE" >> $GITHUB_ENV
- name: Rollback deployment
run: |
export KUBECONFIG=kubeconfig
# Rollback to previous version
kubectl rollout undo deployment/wifi-densepose -n ${{ env.NAMESPACE }}
# Wait for rollback to complete
kubectl rollout status deployment/wifi-densepose -n ${{ env.NAMESPACE }} --timeout=600s
# Verify rollback
kubectl get pods -n ${{ env.NAMESPACE }} -l app=wifi-densepose
# Post-deployment monitoring
post-deployment:
name: Post-deployment Monitoring
runs-on: ubuntu-latest
needs: [deploy-staging, deploy-production]
if: always() && (needs.deploy-staging.result == 'success' || needs.deploy-production.result == 'success')
steps:
- name: Monitor deployment health
run: |
ENV="${{ needs.pre-deployment.outputs.deploy_env }}"
if [[ "$ENV" == "production" ]]; then
BASE_URL="https://wifi-densepose.com"
else
BASE_URL="https://staging.wifi-densepose.com"
fi
# Monitor for 5 minutes
for i in {1..10}; do
echo "Health check $i/10"
curl -f $BASE_URL/health || exit 1
curl -f $BASE_URL/api/v1/status || exit 1
sleep 30
done
- name: Update deployment status
uses: actions/github-script@v6
with:
script: |
const deployEnv = '${{ needs.pre-deployment.outputs.deploy_env }}';
const environmentUrl = deployEnv === 'production' ? 'https://wifi-densepose.com' : 'https://staging.wifi-densepose.com';
const { data: deployment } = await github.rest.repos.createDeploymentStatus({
owner: context.repo.owner,
repo: context.repo.repo,
deployment_id: context.payload.deployment.id,
state: 'success',
environment_url: environmentUrl,
description: 'Deployment completed successfully'
});
# Notification
notify:
name: Notify Deployment Status
runs-on: ubuntu-latest
needs: [deploy-staging, deploy-production, post-deployment]
if: always()
steps:
- name: Notify Slack on success
if: needs.deploy-production.result == 'success' || needs.deploy-staging.result == 'success'
uses: 8398a7/action-slack@v3
with:
status: success
channel: '#deployments'
text: |
🚀 Deployment successful!
Environment: ${{ needs.pre-deployment.outputs.deploy_env }}
Image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.pre-deployment.outputs.image_tag }}
URL: https://${{ needs.pre-deployment.outputs.deploy_env == 'production' && 'wifi-densepose.com' || 'staging.wifi-densepose.com' }}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
- name: Notify Slack on failure
if: needs.deploy-production.result == 'failure' || needs.deploy-staging.result == 'failure'
uses: 8398a7/action-slack@v3
with:
status: failure
channel: '#deployments'
text: |
❌ Deployment failed!
Environment: ${{ needs.pre-deployment.outputs.deploy_env }}
Please check the logs and consider rollback if necessary.
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
- name: Create deployment issue on failure
if: needs.deploy-production.result == 'failure'
uses: actions/github-script@v6
with:
script: |
github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: `Production Deployment Failed - ${new Date().toISOString()}`,
body: `
## Deployment Failure Report
**Environment:** Production
**Image Tag:** ${{ needs.pre-deployment.outputs.image_tag }}
**Workflow Run:** ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
**Action Required:**
- [ ] Investigate deployment failure
- [ ] Consider rollback if necessary
- [ ] Fix underlying issues
- [ ] Re-deploy when ready
**Logs:** Check the workflow run for detailed error messages.
`,
labels: ['deployment', 'production', 'urgent']
})

325
.github/workflows/ci.yml vendored Normal file
View File

@@ -0,0 +1,325 @@
name: Continuous Integration
on:
push:
branches: [ main, develop, 'feature/*', 'hotfix/*' ]
pull_request:
branches: [ main, develop ]
workflow_dispatch:
env:
PYTHON_VERSION: '3.11'
NODE_VERSION: '18'
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
# Code Quality and Security Checks
code-quality:
name: Code Quality & Security
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: 'pip'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
pip install black flake8 mypy bandit safety
- name: Code formatting check (Black)
run: black --check --diff src/ tests/
- name: Linting (Flake8)
run: flake8 src/ tests/ --max-line-length=88 --extend-ignore=E203,W503
- name: Type checking (MyPy)
run: mypy src/ --ignore-missing-imports
- name: Security scan (Bandit)
run: bandit -r src/ -f json -o bandit-report.json
continue-on-error: true
- name: Dependency vulnerability scan (Safety)
run: safety check --json --output safety-report.json
continue-on-error: true
- name: Upload security reports
uses: actions/upload-artifact@v3
if: always()
with:
name: security-reports
path: |
bandit-report.json
safety-report.json
# Unit and Integration Tests
test:
name: Tests
runs-on: ubuntu-latest
strategy:
matrix:
python-version: ['3.10', '3.11', '3.12']
services:
postgres:
image: postgres:15
env:
POSTGRES_PASSWORD: postgres
POSTGRES_DB: test_wifi_densepose
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- 5432:5432
redis:
image: redis:7
options: >-
--health-cmd "redis-cli ping"
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- 6379:6379
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v4
with:
python-version: ${{ matrix.python-version }}
cache: 'pip'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
pip install pytest-cov pytest-xdist
- name: Run unit tests
env:
DATABASE_URL: postgresql://postgres:postgres@localhost:5432/test_wifi_densepose
REDIS_URL: redis://localhost:6379/0
ENVIRONMENT: test
run: |
pytest tests/unit/ -v --cov=src --cov-report=xml --cov-report=html --junitxml=junit.xml
- name: Run integration tests
env:
DATABASE_URL: postgresql://postgres:postgres@localhost:5432/test_wifi_densepose
REDIS_URL: redis://localhost:6379/0
ENVIRONMENT: test
run: |
pytest tests/integration/ -v --junitxml=integration-junit.xml
- name: Upload coverage reports
uses: codecov/codecov-action@v3
with:
file: ./coverage.xml
flags: unittests
name: codecov-umbrella
- name: Upload test results
uses: actions/upload-artifact@v3
if: always()
with:
name: test-results-${{ matrix.python-version }}
path: |
junit.xml
integration-junit.xml
htmlcov/
# Performance and Load Tests
performance-test:
name: Performance Tests
runs-on: ubuntu-latest
needs: [test]
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: 'pip'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
pip install locust
- name: Start application
run: |
uvicorn src.api.main:app --host 0.0.0.0 --port 8000 &
sleep 10
- name: Run performance tests
run: |
locust -f tests/performance/locustfile.py --headless --users 50 --spawn-rate 5 --run-time 60s --host http://localhost:8000
- name: Upload performance results
uses: actions/upload-artifact@v3
with:
name: performance-results
path: locust_report.html
# Docker Build and Test
docker-build:
name: Docker Build & Test
runs-on: ubuntu-latest
needs: [code-quality, test]
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Container Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=sha,prefix={{branch}}-
type=raw,value=latest,enable={{is_default_branch}}
- name: Build and push Docker image
uses: docker/build-push-action@v5
with:
context: .
target: production
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
platforms: linux/amd64,linux/arm64
- name: Test Docker image
run: |
docker run --rm -d --name test-container -p 8000:8000 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
sleep 10
curl -f http://localhost:8000/health || exit 1
docker stop test-container
- name: Run container security scan
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: 'trivy-results.sarif'
# API Documentation
docs:
name: API Documentation
runs-on: ubuntu-latest
needs: [docker-build]
if: github.ref == 'refs/heads/main'
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: 'pip'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
- name: Generate OpenAPI spec
run: |
python -c "
from src.api.main import app
import json
with open('openapi.json', 'w') as f:
json.dump(app.openapi(), f, indent=2)
"
- name: Deploy to GitHub Pages
uses: peaceiris/actions-gh-pages@v3
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./docs
destination_dir: api-docs
# Notification
notify:
name: Notify
runs-on: ubuntu-latest
needs: [code-quality, test, performance-test, docker-build, docs]
if: always()
steps:
- name: Notify Slack on success
if: ${{ needs.code-quality.result == 'success' && needs.test.result == 'success' && needs.docker-build.result == 'success' }}
uses: 8398a7/action-slack@v3
with:
status: success
channel: '#ci-cd'
text: '✅ CI pipeline completed successfully for ${{ github.ref }}'
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
- name: Notify Slack on failure
if: ${{ needs.code-quality.result == 'failure' || needs.test.result == 'failure' || needs.docker-build.result == 'failure' }}
uses: 8398a7/action-slack@v3
with:
status: failure
channel: '#ci-cd'
text: '❌ CI pipeline failed for ${{ github.ref }}'
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
- name: Create GitHub Release
if: github.ref == 'refs/heads/main' && needs.docker-build.result == 'success'
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: v${{ github.run_number }}
release_name: Release v${{ github.run_number }}
body: |
Automated release from CI pipeline
**Changes:**
${{ github.event.head_commit.message }}
**Docker Image:**
`${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}`
draft: false
prerelease: false

446
.github/workflows/security-scan.yml vendored Normal file
View File

@@ -0,0 +1,446 @@
name: Security Scanning
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main, develop ]
schedule:
# Run security scans daily at 2 AM UTC
- cron: '0 2 * * *'
workflow_dispatch:
env:
PYTHON_VERSION: '3.11'
jobs:
# Static Application Security Testing (SAST)
sast:
name: Static Application Security Testing
runs-on: ubuntu-latest
permissions:
security-events: write
actions: read
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: 'pip'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
pip install bandit semgrep safety
- name: Run Bandit security scan
run: |
bandit -r src/ -f sarif -o bandit-results.sarif
continue-on-error: true
- name: Upload Bandit results to GitHub Security
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: bandit-results.sarif
category: bandit
- name: Run Semgrep security scan
uses: returntocorp/semgrep-action@v1
with:
config: >-
p/security-audit
p/secrets
p/python
p/docker
p/kubernetes
env:
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
- name: Generate Semgrep SARIF
run: |
semgrep --config=p/security-audit --config=p/secrets --config=p/python --sarif --output=semgrep.sarif src/
continue-on-error: true
- name: Upload Semgrep results to GitHub Security
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: semgrep.sarif
category: semgrep
# Dependency vulnerability scanning
dependency-scan:
name: Dependency Vulnerability Scan
runs-on: ubuntu-latest
permissions:
security-events: write
actions: read
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: 'pip'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
pip install safety pip-audit
- name: Run Safety check
run: |
safety check --json --output safety-report.json
continue-on-error: true
- name: Run pip-audit
run: |
pip-audit --format=json --output=pip-audit-report.json
continue-on-error: true
- name: Run Snyk vulnerability scan
uses: snyk/actions/python@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --sarif-file-output=snyk-results.sarif
continue-on-error: true
- name: Upload Snyk results to GitHub Security
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: snyk-results.sarif
category: snyk
- name: Upload vulnerability reports
uses: actions/upload-artifact@v3
if: always()
with:
name: vulnerability-reports
path: |
safety-report.json
pip-audit-report.json
snyk-results.sarif
# Container security scanning
container-scan:
name: Container Security Scan
runs-on: ubuntu-latest
needs: []
if: github.event_name == 'push' || github.event_name == 'schedule'
permissions:
security-events: write
actions: read
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build Docker image for scanning
uses: docker/build-push-action@v5
with:
context: .
target: production
load: true
tags: wifi-densepose:scan
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'wifi-densepose:scan'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy results to GitHub Security
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: 'trivy-results.sarif'
category: trivy
- name: Run Grype vulnerability scanner
uses: anchore/scan-action@v3
id: grype-scan
with:
image: 'wifi-densepose:scan'
fail-build: false
severity-cutoff: high
output-format: sarif
- name: Upload Grype results to GitHub Security
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: ${{ steps.grype-scan.outputs.sarif }}
category: grype
- name: Run Docker Scout
uses: docker/scout-action@v1
if: always()
with:
command: cves
image: wifi-densepose:scan
sarif-file: scout-results.sarif
summary: true
- name: Upload Docker Scout results
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: scout-results.sarif
category: docker-scout
# Infrastructure as Code security scanning
iac-scan:
name: Infrastructure Security Scan
runs-on: ubuntu-latest
permissions:
security-events: write
actions: read
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Checkov IaC scan
uses: bridgecrewio/checkov-action@master
with:
directory: .
framework: kubernetes,dockerfile,terraform,ansible
output_format: sarif
output_file_path: checkov-results.sarif
quiet: true
soft_fail: true
- name: Upload Checkov results to GitHub Security
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: checkov-results.sarif
category: checkov
- name: Run Terrascan IaC scan
uses: tenable/terrascan-action@main
with:
iac_type: 'k8s'
iac_version: 'v1'
policy_type: 'k8s'
only_warn: true
sarif_upload: true
- name: Run KICS IaC scan
uses: checkmarx/kics-github-action@master
with:
path: '.'
output_path: kics-results
output_formats: 'sarif'
exclude_paths: '.git,node_modules'
exclude_queries: 'a7ef1e8c-fbf8-4ac1-b8c7-2c3b0e6c6c6c'
- name: Upload KICS results to GitHub Security
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: kics-results/results.sarif
category: kics
# Secret scanning
secret-scan:
name: Secret Scanning
runs-on: ubuntu-latest
permissions:
security-events: write
actions: read
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Run TruffleHog secret scan
uses: trufflesecurity/trufflehog@main
with:
path: ./
base: main
head: HEAD
extra_args: --debug --only-verified
- name: Run GitLeaks secret scan
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
- name: Run detect-secrets
run: |
pip install detect-secrets
detect-secrets scan --all-files --baseline .secrets.baseline
detect-secrets audit .secrets.baseline
continue-on-error: true
# License compliance scanning
license-scan:
name: License Compliance Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: 'pip'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
pip install pip-licenses licensecheck
- name: Run license check
run: |
pip-licenses --format=json --output-file=licenses.json
licensecheck --zero
- name: Upload license report
uses: actions/upload-artifact@v3
with:
name: license-report
path: licenses.json
# Security policy compliance
compliance-check:
name: Security Policy Compliance
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Check security policy files
run: |
# Check for required security files
files=("SECURITY.md" ".github/SECURITY.md" "docs/SECURITY.md")
found=false
for file in "${files[@]}"; do
if [[ -f "$file" ]]; then
echo "✅ Found security policy: $file"
found=true
break
fi
done
if [[ "$found" == false ]]; then
echo "❌ No security policy found. Please create SECURITY.md"
exit 1
fi
- name: Check for security headers in code
run: |
# Check for security-related configurations
grep -r "X-Frame-Options\|X-Content-Type-Options\|X-XSS-Protection\|Content-Security-Policy" src/ || echo "⚠️ Consider adding security headers"
- name: Validate Kubernetes security contexts
run: |
# Check for security contexts in Kubernetes manifests
if find k8s/ -name "*.yaml" -exec grep -l "securityContext" {} \; | wc -l | grep -q "^0$"; then
echo "❌ No security contexts found in Kubernetes manifests"
exit 1
else
echo "✅ Security contexts found in Kubernetes manifests"
fi
# Notification and reporting
security-report:
name: Security Report
runs-on: ubuntu-latest
needs: [sast, dependency-scan, container-scan, iac-scan, secret-scan, license-scan, compliance-check]
if: always()
steps:
- name: Download all artifacts
uses: actions/download-artifact@v3
- name: Generate security summary
run: |
echo "# Security Scan Summary" > security-summary.md
echo "" >> security-summary.md
echo "## Scan Results" >> security-summary.md
echo "- SAST: ${{ needs.sast.result }}" >> security-summary.md
echo "- Dependency Scan: ${{ needs.dependency-scan.result }}" >> security-summary.md
echo "- Container Scan: ${{ needs.container-scan.result }}" >> security-summary.md
echo "- IaC Scan: ${{ needs.iac-scan.result }}" >> security-summary.md
echo "- Secret Scan: ${{ needs.secret-scan.result }}" >> security-summary.md
echo "- License Scan: ${{ needs.license-scan.result }}" >> security-summary.md
echo "- Compliance Check: ${{ needs.compliance-check.result }}" >> security-summary.md
echo "" >> security-summary.md
echo "Generated on: $(date)" >> security-summary.md
- name: Upload security summary
uses: actions/upload-artifact@v3
with:
name: security-summary
path: security-summary.md
- name: Notify security team on critical findings
if: needs.sast.result == 'failure' || needs.dependency-scan.result == 'failure' || needs.container-scan.result == 'failure'
uses: 8398a7/action-slack@v3
with:
status: failure
channel: '#security'
text: |
🚨 Critical security findings detected!
Repository: ${{ github.repository }}
Branch: ${{ github.ref }}
Workflow: ${{ github.workflow }}
Please review the security scan results immediately.
env:
SLACK_WEBHOOK_URL: ${{ secrets.SECURITY_SLACK_WEBHOOK_URL }}
- name: Create security issue on critical findings
if: needs.sast.result == 'failure' || needs.dependency-scan.result == 'failure'
uses: actions/github-script@v6
with:
script: |
github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: `Security Scan Failures - ${new Date().toISOString()}`,
body: `
## Security Scan Failures Detected
**Workflow Run:** ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
**Branch:** ${{ github.ref }}
**Failed Scans:**
- SAST: ${{ needs.sast.result }}
- Dependency Scan: ${{ needs.dependency-scan.result }}
- Container Scan: ${{ needs.container-scan.result }}
**Action Required:**
- [ ] Review security scan results
- [ ] Address critical vulnerabilities
- [ ] Update dependencies if needed
- [ ] Re-run security scans
**Security Dashboard:** Check the Security tab for detailed findings.
`,
labels: ['security', 'vulnerability', 'urgent']
})