diff --git a/.github/workflows/devsecops.yml b/.github/workflows/devsecops.yml
new file mode 100644
index 00000000..e9acb818
--- /dev/null
+++ b/.github/workflows/devsecops.yml
@@ -0,0 +1,561 @@
+name: Complete DevSecOps workflow with Trivy security scanning
+
+on:
+ push:
+ branches: [ main, master ]
+ pull_request:
+ branches: [ main, master ]
+ workflow_dispatch:
+ inputs:
+ scan_severity:
+ description: 'Severity levels to scan'
+ required: false
+ default: 'LOW,MEDIUM,HIGH,CRITICAL'
+ type: string
+
+env:
+ IMAGE_NAME: breakableflask
+ TRIVY_VERSION: "0.50.0"
+
+jobs:
+ # ============================================
+ # JOB 1: Scan des dépendances
+ # ============================================
+ Dependances:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Create reports directory
+ run: mkdir -p reports
+
+ - name: Run Trivy vulnerability scanner on filesystem
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ format: 'json'
+ output: 'reports/trivy-fs-report.json'
+ severity: 'LOW,MEDIUM,HIGH,CRITICAL'
+ scanners: 'vuln,secret,config'
+ continue-on-error: true
+
+ - name: Generate HTML report for dependencies
+ run: |
+ cat > reports/trivy-fs-report.html << 'EOF'
+
+
+
+
+
+ Rapport de Vulnérabilités - Dépendances
+
+
+
+
+

Rapport d'Analyse de Vulnerabilites - Dependances

+

Projet: ${{ github.repository }}

+

Branche: ${{ github.ref_name }}

+

Commit: ${{ github.sha }}

+

Scanner: Trivy - Filesystem Scan

+ +

Resume

+

Ce rapport contient les resultats de l'analyse des dependances du projet.

+

Consultez le fichier JSON associe pour les details complets.

+ +
+

Genere le: $(date '+%Y-%m-%d %H:%M:%S UTC')

+

Run ID: ${{ github.run_id }}

+
+
+
+
+ EOF
+
+ - name: Run Trivy SARIF report for GitHub Security tab
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ format: 'sarif'
+ output: 'reports/trivy-fs-results.sarif'
+ severity: 'LOW,MEDIUM,HIGH,CRITICAL'
+ continue-on-error: true
+
+ - name: Upload SARIF to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v4
+ with:
+ sarif_file: 'reports/trivy-fs-results.sarif'
+ continue-on-error: true
+
+ - name: Upload Dependencies Scan Reports
+ uses: actions/upload-artifact@v4
+ with:
+ name: trivy-dependencies-report
+ path: |
+ reports/trivy-fs-report.json
+ reports/trivy-fs-report.html
+ reports/trivy-fs-results.sarif
+ retention-days: 30
+
+ # ============================================
+ # JOB 2: Scan du Dockerfile et de l'image
+ # ============================================
+ Dockerfile:
+ runs-on: ubuntu-latest
+ needs: Dependances
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Create reports directory
+ run: mkdir -p reports
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build Docker image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: false
+ load: true
+ tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+
+ - name: Scan Dockerfile for misconfigurations
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'config'
+ scan-ref: '.'
+ format: 'json'
+ output: 'reports/trivy-config-report.json'
+ severity: 'LOW,MEDIUM,HIGH,CRITICAL'
+ continue-on-error: true
+
+ - name: Scan Docker image for vulnerabilities (JSON)
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: '${{ env.IMAGE_NAME }}:${{ github.sha }}'
+ format: 'json'
+ output: 'reports/trivy-image-report.json'
+ severity: 'LOW,MEDIUM,HIGH,CRITICAL'
+ vuln-type: 'os,library'
+ continue-on-error: true
+
+ - name: Scan Docker image for vulnerabilities (Table)
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: '${{ env.IMAGE_NAME }}:${{ github.sha }}'
+ format: 'table'
+ output: 'reports/trivy-image-report.txt'
+ severity: 'LOW,MEDIUM,HIGH,CRITICAL'
+ vuln-type: 'os,library'
+ continue-on-error: true
+
+ - name: Scan Docker image (SARIF for GitHub Security)
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: '${{ env.IMAGE_NAME }}:${{ github.sha }}'
+ format: 'sarif'
+ output: 'reports/trivy-image-results.sarif'
+ severity: 'LOW,MEDIUM,HIGH,CRITICAL'
+ continue-on-error: true
+
+ - name: Generate comprehensive HTML report
+ run: |
+ cat > reports/trivy-image-report.html << 'HTMLEOF'
+
+
+
+
+
+ Rapport de Vulnerabilites - Image Docker
+
+
+
+
+
+

Rapport de Securite - Image Docker

+

Analyse complete des vulnerabilites avec Trivy

+
+ +
+
+
PROJET
+
${{ github.repository }}
+
+
+
BRANCHE
+
${{ github.ref_name }}
+
+
+
COMMIT
+
${{ github.sha }}
+
+
+
IMAGE
+
${{ env.IMAGE_NAME }}:${{ github.sha }}
+
+
+
DATE
+
$(date '+%Y-%m-%d %H:%M:%S UTC')
+
+
+
RUN ID
+
${{ github.run_id }}
+
+
+ +
+

Resume de l'Analyse

+

Les statistiques detaillees sont disponibles dans les fichiers JSON joints a cet artefact.

+
+
+
CRITICAL
+
-
+
+
+
HIGH
+
-
+
+
+
MEDIUM
+
-
+
+
+
LOW
+
-
+
+
+
+ +
+

Fichiers Inclus

+
+

Contenu de cet artefact :

+
    +
  • trivy-image-report.json - Rapport complet au format JSON
  • +
  • trivy-image-report.txt - Rapport en tableau lisible
  • +
  • trivy-image-report.html - Ce rapport HTML
  • +
  • trivy-config-report.json - Analyse de configuration Dockerfile
  • +
  • trivy-image-results.sarif - Format SARIF pour integration
  • +
+
+
+ +
+

Actions Recommandees

+
+

Pour corriger les vulnerabilites :

+
    +
  • Mettre a jour l'image de base vers la derniere version
  • +
  • Mettre a jour les dependances avec des versions patchees
  • +
  • Utiliser des images minimales (Alpine, Distroless)
  • +
  • Scanner regulierement les images en production
  • +
  • Consulter l'onglet Security de GitHub pour plus de details
  • +
+
+
+
+
+
+
+
+ HTMLEOF
+
+ - name: Upload SARIF to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v4
+ with:
+ sarif_file: 'reports/trivy-image-results.sarif'
+ continue-on-error: true
+
+ - name: Upload Docker Image Scan Reports
+ uses: actions/upload-artifact@v4
+ with:
+ name: trivy-docker-image-report
+ path: |
+ reports/trivy-image-report.json
+ reports/trivy-image-report.txt
+ reports/trivy-image-report.html
+ reports/trivy-config-report.json
+ reports/trivy-image-results.sarif
+ retention-days: 30
+
+ # ============================================
+ # JOB 3: Deploiement (si les scans passent)
+ # ============================================
+ Deploy:
+ runs-on: ubuntu-latest
+ needs: [Dependances, Dockerfile]
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Deploy notification
+ run: |
+ echo "All security scans completed!"
+ echo "Ready for deployment"
+ echo "Check the Artifacts section for detailed vulnerability reports"
+
+ # ============================================
+ # JOB 4: Generation du rapport consolide final
+ # ============================================
+ Generate-Final-Report:
+ runs-on: ubuntu-latest
+ needs: [Dependances, Dockerfile, Deploy]
+ if: always()
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Create reports directory
+ run: mkdir -p final-reports
+
+ - name: Download all artifacts
+ uses: actions/download-artifact@v4
+ with:
+ path: downloaded-artifacts
+
+ - name: Generate consolidated security report
+ run: |
+ cat > final-reports/security-summary.html << 'HTMLEOF'
+
+
+
+
+
+ Rapport de Securite Consolide - DevSecOps
+
+
+
+
+

Rapport de Securite DevSecOps

+

Analyse complete des vulnerabilites - Pipeline CI/CD

+
+ +
+
+

INFO Informations du Build

+
+
+
Repository
+
${{ github.repository }}
+
+
+
Branche
+
${{ github.ref_name }}
+
+
+
Commit SHA
+
${{ github.sha }}
+
+
+
Run ID
+
${{ github.run_id }}
+
+
+
Declanche par
+
${{ github.actor }}
+
+
+
Date d'execution
+
$(date '+%Y-%m-%d %H:%M:%S UTC')
+
+
+
+ +
+

PIPELINE Pipeline DevSecOps

+
+
+
+
Scan des Dependances
+
Analyse des vulnerabilites dans les dependances du projet (npm, pip, etc.)
+
+
+
+
+
Scan Dockerfile et Image
+
Analyse des misconfigurations et vulnerabilites de l'image Docker
+
+
+
+
+
Deploiement
+
Validation finale et preparation au deploiement
+
+
+
+
+
Generation des Rapports
+
Consolidation de tous les rapports de securite
+
+
+
+
+ +
+

ARTIFACTS Artefacts Disponibles

+ +
+ +
+

LINKS Ressources

+
+
+
Onglet Security GitHub
+
Consultez les alertes SARIF dans l'onglet Security du repository
+
+
+
Documentation Trivy
+
https://aquasecurity.github.io/trivy
+
+
+
+
+
+
+
+
+ HTMLEOF
+
+ - name: Upload Consolidated Security Report
+ uses: actions/upload-artifact@v4
+ with:
+ name: consolidated-security-report
+ path: |
+ final-reports/
+ downloaded-artifacts/
+ retention-days: 90
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 00000000..9c578140
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,12 @@
+FROM python:3.11-slim
+
+WORKDIR /app
+
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY . .
+
+EXPOSE 5000
+
+CMD ["python", "main.py"]
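Review bot: The `Deploy` job is commented as running "si les scans passent", but no step in the new workflow can fail on a finding: every Trivy step sets `continue-on-error: true` and none sets `exit-code`, so `needs: [Dependances, Dockerfile]` is always satisfied and the gate is a no-op. On the image scan step at least, add `exit-code: '1'` with `severity: 'HIGH,CRITICAL'` (or whichever levels are meant to block) and drop `continue-on-error: true` from that step, keeping it only on the report-upload steps. Two declared values are never read: `TRIVY_VERSION` in `env:` has no effect because the scanner comes from `aquasecurity/trivy-action@master` — an unpinned mutable ref that should be a release tag or commit SHA — and the `scan_severity` dispatch input is ignored by every step in favour of the hard-coded `'LOW,MEDIUM,HIGH,CRITICAL'`; `severity: ${{ inputs.scan_severity || 'LOW,MEDIUM,HIGH,CRITICAL' }}` would honour it. The `upload-sarif` steps need a `permissions:` block with `security-events: write` (plus `contents: read`) at workflow or job level, otherwise they fail on a default read-only `GITHUB_TOKEN` and the failure is hidden by `continue-on-error`. Separately, the heredocs use quoted delimiters (`<< 'EOF'`, `<< 'HTMLEOF'`), so `$(date '+%Y-%m-%d %H:%M:%S UTC')` lands in the HTML as literal text rather than a timestamp, and the filesystem scan's `scanners: 'vuln,secret,config'` JSON output — which records any secret matches — is kept as a downloadable artifact for 30 days and again for 90 days inside the consolidated report.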
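Review bot: The container runs as root: no `USER` instruction follows `COPY . .`, so the Flask process has uid 0 inside the container, any compromise of the application process is a root compromise of the container, and the Dockerfile `config` scan added in the same commit will report this on every run. Add a non-root account before `CMD`, e.g. `RUN useradd --create-home --uid 10001 app` and `USER app`, placed after the `pip install` so the package installation still runs as root. `COPY . .` also copies the whole build context — including `.git/` and any `reports/` directory present in the checkout — into the image layers, and the commit ships no `.dockerignore`; add one that excludes at least `.git` and `reports/`. The base image is referenced by the floating tag `python:3.11-slim`; pinning it by digest (`python:3.11-slim@sha256:<digest-placeholder>`) makes the scanned image the same image that a later rebuild produces.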