Frontend optimization #425
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: SAST | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| jobs: | |
| gitleaks: | |
| name: GitLeaks | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - uses: gitleaks/gitleaks-action@4df650038e2eb9f7329218df929c2780866e61a3 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITLEAKS_NOTIFY_USER_LIST: "@pablosnt" | |
| GITLEAKS_ENABLE_COMMENTS: true | |
| GITLEAKS_ENABLE_UPLOAD_ARTIFACT: true | |
| GITLEAKS_ENABLE_SUMMARY: true | |
| sast: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - name: Semgrep Backend | |
| tool: semgrep | |
| version: latest | |
| path: src/backend | |
| report: semgrep-backend.json | |
| arguments: --config=auto --error --json | |
| - name: Semgrep CI/CD | |
| tool: semgrep | |
| version: latest | |
| path: .github/workflows | |
| report: semgrep-cicd.json | |
| arguments: --config=auto --error --json | |
| - name: Bandit | |
| tool: bandit | |
| version: latest | |
| path: src/backend | |
| report: bandit.json | |
| arguments: -r --skip=B105,B106 -f json | |
| - name: Njsscan | |
| tool: njsscan | |
| version: latest | |
| path: src/frontend | |
| report: njsscan.json | |
| arguments: --exit-warning --json | |
| name: ${{ matrix.name }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Python 3 | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: 3.11 | |
| - uses: dorny/paths-filter@3c49e64ca26115121162fb767bc6af9e8d059f1a | |
| id: changes | |
| name: Path filter | |
| with: | |
| filters: | | |
| path: | |
| - '${{ matrix.path }}/**' | |
| - name: Installation | |
| if: ${{ matrix.version == 'latest' && (steps.changes.outputs.path == 'true' || github.event_name != 'pull_request') }} | |
| run: pip install ${{ matrix.tool }} | |
| - name: Installation | |
| if: ${{ matrix.version != 'latest' && (steps.changes.outputs.path == 'true' || github.event_name != 'pull_request') }} | |
| run: pip install ${{ matrix.tool }}==${{ matrix.version }} | |
| - name: Scan | |
| if: ${{ steps.changes.outputs.path == 'true' || github.event_name != 'pull_request' }} | |
| run: ${{ matrix.tool }} ${{ matrix.arguments }} -o ${{ matrix.report }} ${{ matrix.path }} | |
| - name: Upload report as GitHub artifact | |
| if: ${{ !cancelled() && (steps.changes.outputs.path == 'true' || github.event_name != 'pull_request') }} | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ${{ matrix.tool }} | |
| path: ${{ matrix.report }} | |
| if-no-files-found: warn | |