Added CI/CD Security Scanners Pipeline (#45)

.github/workflows/ci-security-njsscan.yml

@@ -0,0 +1,46 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates njsscan with GitHub's Code Scanning feature
+# nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications
+
+name: CI ➟ Security ➟ NJS Scan [SARIF]
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main" ]
+  #schedule:
+  #  - cron: '22 20 * * 3'
+
+permissions:
+  contents: read
+
+jobs:
+  njs-scan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+    name: NJS Scan code
+    steps:
+    - name: Checkout the code
+      uses: actions/checkout@v4
+    - name: Scan the code
+      uses: ajinabraham/njsscan-action@master
+      with:
+        args: '.'
+    - name: Create the SARIF file
+      id: njsscan
+      uses: ajinabraham/njsscan-action@master
+      with:
+        args: '. --sarif --output results.sarif || true'
+    - name: Upload SARIF report
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: results.sarif

.github/workflows/ci-security-snyk-validator.yml

@@ -0,0 +1,60 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow which sets up Snyk to analyze the full Snyk platform (Snyk Open Source, Snyk Code,
+# Snyk Container and Snyk Infrastructure as Code)
+# The setup installs the Snyk CLI - for more details on the possible commands
+# check https://docs.snyk.io/snyk-cli/cli-reference
+# The results of Snyk Code are then uploaded to GitHub Security Code Scanning
+#
+# In order to use the Snyk Action you will need to have a Snyk API token.
+# More details in https://github.com/snyk/actions#getting-your-snyk-token
+# or you can signup for free at https://snyk.io/login
+#
+# For more examples, including how to limit scans to only high-severity issues
+# and fail PR checks, see https://github.com/snyk/actions/
+
+name: CI ➟ Security ➟ Snyk Validator
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main" ]
+
+permissions:
+  contents: read
+
+jobs:
+  snyk:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Snyk CLI to check for security issues
+        # Snyk can be used to break the build when it detects security issues.
+        # In this case we want to upload the SAST issues to GitHub Code Scanning
+        uses: snyk/actions/setup@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+        # For Snyk Open Source you must first set up the development environment for your application's dependencies
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - name: Snyk set up the authentication token
+        run: snyk auth "${{ secrets.SNYK_TOKEN }}"
+
+      - name: Snyk default organization
+        run: snyk config set org="${{ secrets.SNYK_ORG_ID }}"
+
+      - name: Snyk general review
+        run: snyk code test

.github/workflows/ci-security-snyk.yml

@@ -0,0 +1,84 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow which sets up Snyk to analyze the full Snyk platform (Snyk Open Source, Snyk Code,
+# Snyk Container and Snyk Infrastructure as Code)
+# The setup installs the Snyk CLI - for more details on the possible commands
+# check https://docs.snyk.io/snyk-cli/cli-reference
+# The results of Snyk Code are then uploaded to GitHub Security Code Scanning
+#
+# In order to use the Snyk Action you will need to have a Snyk API token.
+# More details in https://github.com/snyk/actions#getting-your-snyk-token
+# or you can signup for free at https://snyk.io/login
+#
+# For more examples, including how to limit scans to only high-severity issues
+# and fail PR checks, see https://github.com/snyk/actions/
+
+name: CI ➟ Security ➟ Snyk Scaner [SARIF]
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main" ]
+
+permissions:
+  contents: read
+
+jobs:
+  snyk:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Snyk CLI to check for security issues
+        # Snyk can be used to break the build when it detects security issues.
+        # In this case we want to upload the SAST issues to GitHub Code Scanning
+        uses: snyk/actions/setup@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+        # For Snyk Open Source you must first set up the development environment for your application's dependencies
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - name: Snyk set up the authentication token
+        run: snyk auth "${{ secrets.SNYK_TOKEN }}"
+
+      - name: Snyk default organization
+        run: snyk config set org="${{ secrets.SNYK_ORG_ID }}"
+
+        # Runs Snyk Code (SAST) analysis and uploads result into GitHub.
+        # Use || true to not fail the pipeline
+      - name: Snyk Code test
+        run: snyk code test -d --sarif > snyk-code.sarif || true
+
+        # Runs Snyk Open Source (SCA) analysis and uploads result to Snyk.
+      - name: Snyk Open Source monitor
+        run: snyk monitor --all-projects
+
+        # Runs Snyk Infrastructure as Code (IaC) analysis and uploads result to Snyk.
+        # Use || true to not fail the pipeline.
+      #- name: Snyk IaC test and report
+      #  run: snyk iac test --report || true
+
+        # Build the docker image for testing
+      #- name: Build a Docker image
+      #  run: docker build -t your/image-to-test .
+        # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
+      #- name: Snyk Container monitor
+      #  run: snyk container monitor your/image-to-test --file=Dockerfile
+
+        # Push the Snyk Code results into GitHub Code Scanning tab
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: snyk-code.sarif

.gitignore

@@ -41,3 +41,7 @@ yarn-error.log*
 
 # turbo
 .turbo
+
+# Snyk
+.dccache
+*.sarif

apps/expo/tsconfig.json

@@ -1,4 +1,4 @@
 {
     "compilerOptions": {},
-    "extends": "expo/tsconfig.base"
+    "extends": "expo/tsconfig.base",
 }

apps/server/tsconfig.json

@@ -98,6 +98,6 @@
 
         /* Completeness */
         // "skipDefaultLibCheck": true,                      /* Skip type checking .d.ts files that are included with TypeScript. */
-        "skipLibCheck": true /* Skip type checking all .d.ts files. */
-    }
+        "skipLibCheck": true /* Skip type checking all .d.ts files. */,
+    },
 }

packages/api/tsconfig.json

@@ -1,4 +1,4 @@
 {
     "extends": "../../tsconfig.json",
-    "include": ["src", "index.ts", "transformer.ts"]
+    "include": ["src", "index.ts", "transformer.ts"],
 }

packages/db/tsconfig.json

@@ -1,4 +1,4 @@
 {
     "extends": "../../tsconfig.json",
-    "include": ["index.ts"]
+    "include": ["index.ts"],
 }

tsconfig.json

@@ -15,6 +15,6 @@
         "isolatedModules": true,
         "jsx": "preserve",
         "incremental": true,
-        "noUncheckedIndexedAccess": true
-    }
+        "noUncheckedIndexedAccess": true,
+    },
 }