delete(docs) remove infraestructura index duplicates #345
| name: Security Scan | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main, develop ] | |
| schedule: | |
| # Run weekly security scans | |
| - cron: '0 2 * * 1' | |
| jobs: | |
| bandit-scan: | |
| name: Python Security Scan (Bandit) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: Install bandit | |
| run: | | |
| pip install bandit[toml] | |
| - name: Run bandit on backend code | |
| run: | | |
| cd api/callcentersite | |
| bandit -r . -f json -o bandit-report.json || true | |
| bandit -r . -f screen | |
| - name: Upload bandit report | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: bandit-report | |
| path: api/callcentersite/bandit-report.json | |
| retention-days: 30 | |
| npm-audit: | |
| name: NPM Security Audit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '18' | |
| - name: Run npm audit | |
| run: | | |
| cd frontend | |
| npm audit --json > npm-audit.json || true | |
| npm audit | |
| - name: Check for high/critical vulnerabilities | |
| run: | | |
| cd frontend | |
| HIGH_VULNS=$(cat npm-audit.json | jq '.metadata.vulnerabilities.high // 0') | |
| CRITICAL_VULNS=$(cat npm-audit.json | jq '.metadata.vulnerabilities.critical // 0') | |
| echo "High vulnerabilities: $HIGH_VULNS" | |
| echo "Critical vulnerabilities: $CRITICAL_VULNS" | |
| if [ "$CRITICAL_VULNS" -gt 0 ]; then | |
| echo "[FAIL] CRITICAL vulnerabilities found!" | |
| exit 1 | |
| fi | |
| if [ "$HIGH_VULNS" -gt 5 ]; then | |
| echo "[WARNING] WARNING: High number of HIGH vulnerabilities" | |
| fi | |
| - name: Upload npm audit report | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: npm-audit-report | |
| path: frontend/npm-audit.json | |
| retention-days: 30 | |
| safety-check: | |
| name: Python Dependency Check (Safety) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: Install safety | |
| run: | | |
| pip install safety | |
| - name: Run safety check | |
| run: | | |
| cd api | |
| safety check --json --output safety-report.json || true | |
| safety check | |
| - name: Upload safety report | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: safety-report | |
| path: api/safety-report.json | |
| retention-days: 30 | |
| django-security-check: | |
| name: Django Security Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: Install dependencies | |
| run: pip install -r api/requirements.txt | |
| - name: Run Django security checks | |
| run: bash scripts/validation/security/check_django_security.sh | |
| trivy-scan: | |
| name: Container Security Scan (Trivy) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Check for Dockerfiles | |
| id: check_docker | |
| run: | | |
| if find . -name "Dockerfile" | grep -q .; then | |
| echo "has_docker=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "has_docker=false" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Run Trivy vulnerability scanner | |
| if: steps.check_docker.outputs.has_docker == 'true' | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| - name: Upload Trivy results | |
| if: steps.check_docker.outputs.has_docker == 'true' | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| secrets-scan: | |
| name: Scan for Secrets | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Run Gitleaks | |
| uses: gitleaks/gitleaks-action@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| sql-injection-check: | |
| name: SQL Injection Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Check for potential SQL injection | |
| run: bash scripts/validation/security/check_sql_injection.sh | |
| xss-check: | |
| name: XSS Protection Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Check for XSS vulnerabilities | |
| run: bash scripts/validation/security/check_xss_protection.sh | |
| csrf-check: | |
| name: CSRF Protection Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Check CSRF protection | |
| run: bash scripts/validation/security/check_csrf_protection.sh | |
| generate-security-report: | |
| name: Generate Security Report | |
| runs-on: ubuntu-latest | |
| needs: [bandit-scan, npm-audit, safety-check, django-security-check, trivy-scan, secrets-scan, sql-injection-check, xss-check, csrf-check] | |
| if: always() | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Generate security summary | |
| run: | | |
| cat << 'EOF' > security-report.md | |
| # Security Scan Report | |
| **Date**: $(date +"%Y-%m-%d %H:%M:%S") | |
| **Branch**: ${{ github.ref }} | |
| **Commit**: ${{ github.sha }} | |
| ## Scan Results | |
| | Check | Result | | |
| |-------|--------| | |
| | Bandit (Python) | ${{ needs.bandit-scan.result }} | | |
| | NPM Audit | ${{ needs.npm-audit.result }} | | |
| | Safety (Python Deps) | ${{ needs.safety-check.result }} | | |
| | Django Security | ${{ needs.django-security-check.result }} | | |
| | Trivy (Containers) | ${{ needs.trivy-scan.result }} | | |
| | Secrets Scan | ${{ needs.secrets-scan.result }} | | |
| | SQL Injection Check | ${{ needs.sql-injection-check.result }} | | |
| | XSS Check | ${{ needs.xss-check.result }} | | |
| | CSRF Check | ${{ needs.csrf-check.result }} | | |
| ## IACT Security Compliance | |
| - [x] NO Redis usage (RNF-002) | |
| - [x] Sessions in MySQL | |
| - [x] NO Email/SMTP | |
| - [x] CSRF protection enabled | |
| - [x] Security headers configured | |
| ## Recommendations | |
| 1. Review all warnings in scan results | |
| 2. Update vulnerable dependencies promptly | |
| 3. Conduct periodic security reviews | |
| 4. Keep Django and dependencies up to date | |
| --- | |
| Generated by Security Scan workflow | |
| EOF | |
| cat security-report.md | |
| - name: Upload security report | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: security-report | |
| path: security-report.md | |
| retention-days: 90 | |
| summary: | |
| name: Security Scan Summary | |
| runs-on: ubuntu-latest | |
| needs: [bandit-scan, npm-audit, safety-check, django-security-check, sql-injection-check, xss-check, csrf-check] | |
| if: always() | |
| steps: | |
| - name: Check Status | |
| run: | | |
| echo "Security Scan Results:" | |
| echo " Bandit: ${{ needs.bandit-scan.result }}" | |
| echo " NPM Audit: ${{ needs.npm-audit.result }}" | |
| echo " Safety: ${{ needs.safety-check.result }}" | |
| echo " Django Security: ${{ needs.django-security-check.result }}" | |
| echo " SQL Injection: ${{ needs.sql-injection-check.result }}" | |
| echo " XSS: ${{ needs.xss-check.result }}" | |
| echo " CSRF: ${{ needs.csrf-check.result }}" | |
| CRITICAL_FAILED=false | |
| # Critical checks that must pass | |
| if [ "${{ needs.django-security-check.result }}" != "success" ] || \ | |
| [ "${{ needs.sql-injection-check.result }}" != "success" ] || \ | |
| [ "${{ needs.csrf-check.result }}" != "success" ]; then | |
| CRITICAL_FAILED=true | |
| fi | |
| if [ "$CRITICAL_FAILED" == "true" ]; then | |
| echo "[FAIL] CRITICAL security checks FAILED" | |
| exit 1 | |
| fi | |
| # Warnings for other checks | |
| if [ "${{ needs.bandit-scan.result }}" != "success" ] || \ | |
| [ "${{ needs.npm-audit.result }}" != "success" ] || \ | |
| [ "${{ needs.safety-check.result }}" != "success" ]; then | |
| echo "[WARNING] Some security scans found issues (review reports)" | |
| fi | |
| echo "[PASS] Security scan completed" |
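Review bot: The `summary` job's `needs` list leaves out `secrets-scan` and `trivy-scan`, so a Gitleaks finding or a Trivy failure never reaches the final gate and the run can still print `[PASS] Security scan completed`; the `generate-security-report` job lists all nine jobs, and the two lists should agree. Add the two jobs to `needs: [bandit-scan, npm-audit, safety-check, django-security-check, trivy-scan, secrets-scan, sql-injection-check, xss-check, csrf-check]` and include `[ "${{ needs.secrets-scan.result }}" != "success" ] || \` in the "Critical checks that must pass" condition, since a committed secret is at least as critical as a CSRF misconfiguration. Separately, `uses: aquasecurity/trivy-action@master` is the only step not pinned to a release tag, which lets the scanner's code change underneath the pipeline; pin it to a tagged release (or a commit SHA) like the other actions. In the report step, `cat << 'EOF'` is a quoted heredoc, so `$(date +"%Y-%m-%d %H:%M:%S")` is written literally into security-report.md instead of the timestamp (the `${{ }}` expressions are substituted by the runner beforehand and are unaffected); unquote the delimiter or compute the date into a variable before the heredoc. It would also be worth checking that the workflow's token has `security-events: write` for the `upload-sarif` step, since no `permissions:` block is declared and the default may not grant it.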