Skip to content

Daily security check #177

Daily security check

Daily security check #177

---
name: Daily security check
on:
schedule:
- cron: '0 0 * * *'
workflow_dispatch:
jobs:
security:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Checkout repo
uses: actions/checkout@v2
# PHP checks
- name: Check for php composer project
id: check_composer
uses: andstor/file-existence-action@v2
with:
files: "composer.lock"
- name: Run php local security checker
if: steps.check_composer.outputs.files_exists == 'true'
uses: symfonycorp/security-checker-action@v4
# node-yarn checks
- name: Setup node
uses: actions/setup-node@v3
with:
node-version: 14
- name: Yarn Audit myconext
run: yarn audit --level high --groups dependencies optionalDependencies
working-directory: myconext-gui
- name: Yarn Audit account
run: yarn audit --level high --groups dependencies optionalDependencies
working-directory: account-gui
# node-npm checks
- name: Setup node
uses: actions/setup-node@v3
with:
node-version: 14
- name: npm audit myconext
if: steps.check_node_npm.outputs.files_exists == 'true'
run: cd myconext-gui && npm i && npm audit --only=prod --audit-level=high
- name: npm audit account
if: steps.check_node_npm.outputs.files_exists == 'true'
run: cd account-gui && npm i && npm audit --only=prod --audit-level=high
# python checks
- name: Check for python project
id: check_python
uses: andstor/file-existence-action@v2
with:
files: "requirements.txt"
- name: Safety checks Python dependencies
if: steps.check_python.outputs.files_exists == 'true'
uses: pyupio/[email protected]
# java checks
- name: Check for java maven project
id: check_maven
uses: andstor/file-existence-action@v2
with:
files: "pom.xml"
- name: Setup java if needed
if: steps.check_maven.outputs.files_exists == 'true'
uses: actions/setup-java@v3
with:
java-version: 11
distribution: 'temurin'
cache: 'maven'
- name: Set up maven cache if needed
if: steps.check_maven.outputs.files_exists == 'true'
uses: actions/cache@v1
with:
path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
restore-keys: |
${{ runner.os }}-maven-
- name: Check java
if: steps.check_maven.outputs.files_exists == 'true'
run: mvn org.owasp:dependency-check-maven:check -DnvdApiKey=${{ secrets.NVD_API_KEY }}
# Send results
- name: Send to Slack if something failed
if: failure()
uses: rtCamp/action-slack-notify@v2
env:
SLACK_CHANNEL: surfconext-nightly-check
SLACK_COLOR: ${{ job.status }}
SLACK_ICON: https://static.surfconext.nl/logos/idp/surfnet.png
SLACK_MESSAGE: 'Dependency check failed :crying_cat_face:'
SLACK_TITLE: ${{ github.repository }} wants attention
SLACK_USERNAME: NightlySecurityCheck
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}