pm
c62b6321d7
DevSecOps Enterprise Pipeline / security-gate-and-deploy (push) Successful in 1m1s
deploy updated
143 lines
5.9 KiB
YAML
143 lines
5.9 KiB
YAML
name: "DevSecOps Enterprise Pipeline"
|
|
on:
|
|
push:
|
|
branches: [ main ]
|
|
|
|
jobs:
|
|
security-gate-and-deploy:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout Code
|
|
uses: actions/checkout@v3
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
# ==========================================
|
|
# STAGE 1: STATIC SECURITY TESTING (SAST, SCA)
|
|
# ==========================================
|
|
|
|
# 1.1. Secret Scanning: Detect hardcoded secrets and credentials
|
|
- name: Gitleaks Scan
|
|
run: |
|
|
curl -sL https://github.com/gitleaks/gitleaks/releases/download/v8.18.2/gitleaks_8.18.2_linux_x64.tar.gz | tar -xz -C /tmp
|
|
/tmp/gitleaks protect --source . --verbose --redact --staged --exit-code 1
|
|
|
|
# 1.2. Software Composition Analysis (SCA): Check for infrastructure vulnerabilities
|
|
- name: Scan Docker Image Vulnerabilities (Trivy)
|
|
run: |
|
|
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
|
|
trivy image --severity HIGH,CRITICAL nginx:alpine
|
|
|
|
# 1.3. Static Application Security Testing (SAST): Source code quality and security
|
|
- name: SonarQube Analysis
|
|
run: |
|
|
curl -sL https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-5.0.1.3006-linux.zip -o sonar-scanner.zip
|
|
unzip -q sonar-scanner.zip
|
|
./sonar-scanner-5.0.1.3006-linux/bin/sonar-scanner \
|
|
-Dsonar.projectKey=website-test \
|
|
-Dsonar.sources=. \
|
|
-Dsonar.host.url=http://51.89.40.2:9000 \
|
|
-Dsonar.token=${{ secrets.SONAR_TOKEN }} \
|
|
-Dsonar.qualitygate.wait=true
|
|
|
|
# ==========================================
|
|
# STAGE 2: DYNAMIC TEST ENVIRONMENT
|
|
# ==========================================
|
|
|
|
- name: Provision Ephemeral Sandbox
|
|
run: |
|
|
# Remove any residual sandbox containers
|
|
docker rm -f website-test-sandbox || true
|
|
|
|
# Deploy sandbox. Using Docker internal network prevents external exposure.
|
|
docker run -d --name website-test-sandbox nginx:alpine
|
|
|
|
# Copy the current codebase to the sandbox container
|
|
docker cp index.html website-test-sandbox:/usr/share/nginx/html/index.html
|
|
|
|
# Allow Nginx service to initialize
|
|
sleep 5
|
|
|
|
# ==========================================
|
|
# STAGE 3: DYNAMIC APPLICATION SECURITY TESTING
|
|
# ==========================================
|
|
|
|
- name: OWASP ZAP Baseline Scan
|
|
run: |
|
|
# Initialize test report directory
|
|
mkdir -p qatests
|
|
|
|
# PREVENTIVE CLEANUP: Ensure no leftover containers or volumes exist
|
|
docker rm -f zap-scanner || true
|
|
docker volume rm zap-reports || true
|
|
|
|
# Create a managed Docker volume to prevent host/runner path conflicts
|
|
docker volume create zap-reports
|
|
|
|
# Execute ZAP scan mounting the managed volume.
|
|
# The '-I' flag ensures the pipeline doesn't fail on warnings.
|
|
docker run --user root --name zap-scanner \
|
|
--link website-test-sandbox:website-test-sandbox \
|
|
-v zap-reports:/zap/wrk/:rw \
|
|
-t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
|
|
-t http://website-test-sandbox \
|
|
-r report.html \
|
|
-I || true
|
|
|
|
# Extract the HTML report from the ZAP container to the runner workspace
|
|
docker cp zap-scanner:/zap/wrk/report.html qatests/report.html
|
|
|
|
# Teardown ZAP container and volume to free up resources
|
|
docker rm -f zap-scanner || true
|
|
docker volume rm zap-reports || true
|
|
|
|
# Ensure sandbox is destroyed even if previous DAST steps fail
|
|
- name: Teardown Ephemeral Sandbox
|
|
if: always()
|
|
run: |
|
|
docker rm -f website-test-sandbox || true
|
|
|
|
# ==========================================
|
|
# STAGE 4: PRODUCTION DEPLOYMENT
|
|
# ==========================================
|
|
|
|
- name: Hardened Production Deployment
|
|
run: |
|
|
# Create a backup of the current production state
|
|
docker exec website-test-backend tar -czf /tmp/index_backup.tar.gz -C /usr/share/nginx/html index.html || true
|
|
|
|
# Clear the production directory and deploy the approved artifact
|
|
docker exec website-test-backend sh -c "rm -rf /usr/share/nginx/html/*"
|
|
docker cp index.html website-test-backend:/usr/share/nginx/html/index.html
|
|
|
|
# Apply strict file system permissions (Hardening)
|
|
docker exec website-test-backend chown root:root /usr/share/nginx/html/index.html
|
|
docker exec website-test-backend chmod 444 /usr/share/nginx/html/index.html
|
|
|
|
# Healthcheck: Verify local response from the production container
|
|
docker exec website-test-backend curl --silent --show-error --fail http://localhost:80 || exit 1
|
|
|
|
# ==========================================
|
|
# STAGE 5: ARTIFACT MANAGEMENT & REPORTING
|
|
# ==========================================
|
|
|
|
- name: Publish ZAP Report to Production Web Server
|
|
if: always()
|
|
run: |
|
|
# Host the report directly on the Nginx container to bypass Gitea's artifact download bug
|
|
# Accessible at: http://51.89.40.2:8080/zap-report.html
|
|
docker cp qatests/report.html website-test-backend:/usr/share/nginx/html/zap-report.html || true
|
|
docker exec website-test-backend chmod 444 /usr/share/nginx/html/zap-report.html || true
|
|
|
|
- name: Archive ZAP Report (Raw HTML)
|
|
if: always()
|
|
uses: actions/upload-artifact@v3
|
|
with:
|
|
name: owasp-zap-report
|
|
# Upload the raw HTML file to Gitea Artifacts
|
|
path: qatests/report.html
|
|
|
|
- name: Pipeline Status Notification
|
|
if: always()
|
|
run: |
|
|
echo "Pipeline finished with status: ${{ job.status }}" |