From f861b765f96ede773acbfd449d57f7ade6edff7e Mon Sep 17 00:00:00 2001
From: FredericRagheb <104088078+FredericRagheb@users.noreply.github.com>
Date: Mon, 8 Dec 2025 16:35:48 +0100
Subject: [PATCH 1/6] Create devsecops.yml
---
 .github/workflows/devsecops.yml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 .github/workflows/devsecops.yml
diff --git a/.github/workflows/devsecops.yml b/.github/workflows/devsecops.yml
new file mode 100644
index 00000000..df02e4b5
--- /dev/null
+++ b/.github/workflows/devsecops.yml
@@ -0,0 +1,23 @@
+name: Automatisation des tests DevSecOps
+on: push
+jobs:
+ Dependances:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Dependances
+ run: |
+ echo "ecrire ici le scrypt de contrôle des dépendances"
+ Dockerfile:
+ runs-on: ubuntu-latest
+ needs: Dependances
+ steps:
+ - name: Test Dockerfile
+ run: |
+ echo "ecrire ici le scrypt de contrôle du Dockerfile"
+ Deploy:
+ runs-on: ubuntu-latest
+ needs: Dockerfile
+ steps:
+ - name: Deploy
+ run: |
+ echo "Rien à faire ici. Votre application est prête à être déployée"
From 8826c7ed7c3c8837ea7e1181f238eb00b0ab9273 Mon Sep 17 00:00:00 2001
From: FredericRagheb <104088078+FredericRagheb@users.noreply.github.com>
Date: Mon, 8 Dec 2025 16:44:42 +0100
Subject: [PATCH 2/6] Update devsecops.yml
---
 .github/workflows/devsecops.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/devsecops.yml b/.github/workflows/devsecops.yml
index df02e4b5..413565b5 100644
--- a/.github/workflows/devsecops.yml
+++ b/.github/workflows/devsecops.yml
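Review bot: The new workflow sets no top-level `permissions:` block, so all three jobs inherit the repository's default GITHUB_TOKEN scope although the placeholder `echo` steps need none; add `permissions:` / `  contents: read` under `name:` so the real scan and deploy steps that later replace the placeholders start from least privilege. `on: push` without a branch filter also runs the chain on every branch push, and since each placeholder step always succeeds, the `needs:` chain into Deploy currently gates on nothing.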
@@ -6,14 +6,14 @@ jobs:
 steps:
 - name: Dependances
 run: |
- echo "ecrire ici le scrypt de contrôle des dépendances"
+ docker run --rm -v "$PWD":/project -v $HOME/.cache/trivy:/root/.cache/ aquasec/trivy:latest fs /project/requirements.txt
 Dockerfile:
 runs-on: ubuntu-latest
 needs: Dependances
 steps:
 - name: Test Dockerfile
 run: |
- echo "ecrire ici le scrypt de contrôle du Dockerfile"
+ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v "$HOME/.cache/trivy":/root/.cache/ aquasec/trivy:latest image --format json --severity HIGH,CRITICAL imgvulne:1.1 | jq -r '["TARGET","PACKAGE","INSTALLED","VULN","SEVERITY"], (.Results[]? as $r | $r.Vulnerabilities[]? | [$r.Target, .PkgName, .InstalledVersion, .VulnerabilityID, .Severity]) | @tsv'| column -t -s $'\t'
 Deploy:
 runs-on: ubuntu-latest
 needs: Dockerfile
From e2093f0fc0f037725ef1b81d06e697cd248ea790 Mon Sep 17 00:00:00 2001
From: FredericRagheb <104088078+FredericRagheb@users.noreply.github.com>
Date: Mon, 8 Dec 2025 16:47:21 +0100
Subject: [PATCH 3/6] Fix path to requirements.txt in DevSecOps workflow
---
 .github/workflows/devsecops.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/devsecops.yml b/.github/workflows/devsecops.yml
index 413565b5..cb619677 100644
--- a/.github/workflows/devsecops.yml
+++ b/.github/workflows/devsecops.yml
@@ -6,7 +6,7 @@ jobs:
 steps:
 - name: Dependances
 run: |
- docker run --rm -v "$PWD":/project -v $HOME/.cache/trivy:/root/.cache/ aquasec/trivy:latest fs /project/requirements.txt
+ docker run --rm -v "$PWD":/project -v $HOME/.cache/trivy:/root/.cache/ aquasec/trivy:latest fs ./requirements.txt
 Dockerfile:
 runs-on: ubuntu-latest
 needs: Dependances
From 79258ec9ce40abd310bf2e32dfa167075b7cb04d Mon Sep 17 00:00:00 2001
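Review bot: Neither added `docker run … aquasec/trivy:latest` line can fail its job on findings, because trivy exits 0 unless `--exit-code 1` is given, so the `needs:` chain into Deploy still gates on nothing; add `--exit-code 1 --severity HIGH,CRITICAL` to the `fs` scan and `--exit-code 1` to the `image` scan (the jq pipeline runs under the default `bash -eo pipefail`, so a non-zero trivy exit then propagates). `aquasec/trivy:latest` is a mutable tag, so the scanner itself is an unverified supply-chain input on every run; pin it to a version tag or digest. The Dependances job never checks out the repository (its only step is this `run:`, per patch 1), so `$PWD` is an empty workspace and `/project/requirements.txt` will not exist. The image scan targets `imgvulne:1.1`, which nothing in this workflow builds or pulls, and bind-mounting `/var/run/docker.sock` hands the scanner container root-equivalent control of the runner's Docker daemon; building the image in the job and scanning a `docker save` tarball via `trivy image --input` avoids the socket mount.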
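Review bot: `fs ./requirements.txt` on the new line is resolved inside the trivy container relative to its own working directory, not the `/project` bind mount, so unless the image's working directory happens to be `/project` this now points at a file that does not exist — the previous `/project/requirements.txt` was the correct container-side path. The likelier cause of the failure this commit tries to fix is that the Dependances job still has no checkout step, so the mounted `$PWD` is empty. Add `- uses: actions/checkout@v4` before the `run:` step and keep `fs /project/requirements.txt` (or `fs /project` so lockfiles are covered too).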
From: FredericRagheb <104088078+FredericRagheb@users.noreply.github.com>
Date: Tue, 20 Jan 2026 15:15:40 +0000
Subject: [PATCH 4/6] Add artifact generation for vulnerability reports
- Add downloadable artifacts for dependencies scan (JSON, HTML, SARIF)
- Add downloadable artifacts for Docker image scan (JSON, TXT, HTML, SARIF)
- Add consolidated security dashboard with all reports
- Integrate SARIF reports with GitHub Security tab
- Use official aquasecurity/trivy-action for better reliability
- Generate professional HTML reports for each scan type
---
 .github/workflows/devsecops.yml | 549 +++++++++++++++++++++++++++++++-
 1 file changed, 540 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/devsecops.yml b/.github/workflows/devsecops.yml
index cb619677..627c2221 100644
--- a/.github/workflows/devsecops.yml
+++ b/.github/workflows/devsecops.yml
@@ -1,23 +1,554 @@ -name: Automatisation des tests DevSecOps -on: push +name: Complete DevSecOps workflow with Trivy security scanning + +on: + push: + branches: [ main, master ] + pull_request: + branches: [ main, master ] + +env: + IMAGE_NAME: breakableflask + TRIVY_VERSION: "0.50.0" + jobs: + # ============================================ + # JOB 1: Scan des dépendances + # ============================================ Dependances: runs-on: ubuntu-latest steps: - - name: Dependances + - name: Checkout code + uses: actions/checkout@v4 + + - name: Create reports directory + run: mkdir -p reports + + - name: Run Trivy vulnerability scanner on filesystem + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + scan-ref: '.' + format: 'json' + output: 'reports/trivy-fs-report.json' + severity: 'LOW,MEDIUM,HIGH,CRITICAL' + scanners: 'vuln,secret,config' + continue-on-error: true + + - name: Generate HTML report for dependencies run: | - docker run --rm -v "$PWD":/project -v $HOME/.cache/trivy:/root/.cache/ aquasec/trivy:latest fs ./requirements.txt + cat > reports/trivy-fs-report.html << 'EOF' + + + + + + Rapport de Vulnérabilités - Dépendances + + + +
+

Rapport d'Analyse de Vulnerabilites - Dependances

+

Projet: ${{ github.repository }}

+

Branche: ${{ github.ref_name }}

+

Commit: ${{ github.sha }}

+

Scanner: Trivy - Filesystem Scan

+ +

Resume

+

Ce rapport contient les resultats de l'analyse des dependances du projet.

+

Consultez le fichier JSON associe pour les details complets.

+ +
+

Genere le: $(date '+%Y-%m-%d %H:%M:%S UTC')

+

Run ID: ${{ github.run_id }}

+
+
+ + + EOF + + - name: Run Trivy SARIF report for GitHub Security tab + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + scan-ref: '.' + format: 'sarif' + output: 'reports/trivy-fs-results.sarif' + severity: 'LOW,MEDIUM,HIGH,CRITICAL' + continue-on-error: true + + - name: Upload SARIF to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'reports/trivy-fs-results.sarif' + continue-on-error: true + + - name: Upload Dependencies Scan Reports + uses: actions/upload-artifact@v4 + with: + name: trivy-dependencies-report + path: | + reports/trivy-fs-report.json + reports/trivy-fs-report.html + reports/trivy-fs-results.sarif + retention-days: 30 + + # ============================================ + # JOB 2: Scan du Dockerfile et de l'image + # ============================================ Dockerfile: runs-on: ubuntu-latest needs: Dependances steps: - - name: Test Dockerfile + - name: Checkout code + uses: actions/checkout@v4 + + - name: Create reports directory + run: mkdir -p reports + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build Docker image + uses: docker/build-push-action@v5 + with: + context: . + push: false + load: true + tags: ${{ env.IMAGE_NAME }}:${{ github.sha }} + + - name: Scan Dockerfile for misconfigurations + uses: aquasecurity/trivy-action@master + with: + scan-type: 'config' + scan-ref: '.' 
+ format: 'json' + output: 'reports/trivy-config-report.json' + severity: 'LOW,MEDIUM,HIGH,CRITICAL' + continue-on-error: true + + - name: Scan Docker image for vulnerabilities (JSON) + uses: aquasecurity/trivy-action@master + with: + image-ref: '${{ env.IMAGE_NAME }}:${{ github.sha }}' + format: 'json' + output: 'reports/trivy-image-report.json' + severity: 'LOW,MEDIUM,HIGH,CRITICAL' + vuln-type: 'os,library' + continue-on-error: true + + - name: Scan Docker image for vulnerabilities (Table) + uses: aquasecurity/trivy-action@master + with: + image-ref: '${{ env.IMAGE_NAME }}:${{ github.sha }}' + format: 'table' + output: 'reports/trivy-image-report.txt' + severity: 'LOW,MEDIUM,HIGH,CRITICAL' + vuln-type: 'os,library' + continue-on-error: true + + - name: Scan Docker image (SARIF for GitHub Security) + uses: aquasecurity/trivy-action@master + with: + image-ref: '${{ env.IMAGE_NAME }}:${{ github.sha }}' + format: 'sarif' + output: 'reports/trivy-image-results.sarif' + severity: 'LOW,MEDIUM,HIGH,CRITICAL' + continue-on-error: true + + - name: Generate comprehensive HTML report run: | - docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v "$HOME/.cache/trivy":/root/.cache/ aquasec/trivy:latest image --format json --severity HIGH,CRITICAL imgvulne:1.1 | jq -r '["TARGET","PACKAGE","INSTALLED","VULN","SEVERITY"], (.Results[]? as $r | $r.Vulnerabilities[]? | [$r.Target, .PkgName, .InstalledVersion, .VulnerabilityID, .Severity]) | @tsv'| column -t -s $'\t' + cat > reports/trivy-image-report.html << 'HTMLEOF' + + + + + + Rapport de Vulnerabilites - Image Docker + + + +
+
+

Rapport de Securite - Image Docker

+

Analyse complete des vulnerabilites avec Trivy

+
+ +
+
+
PROJET
+
${{ github.repository }}
+
+
+
BRANCHE
+
${{ github.ref_name }}
+
+
+
COMMIT
+
${{ github.sha }}
+
+
+
IMAGE
+
${{ env.IMAGE_NAME }}:${{ github.sha }}
+
+
+
DATE
+
$(date '+%Y-%m-%d %H:%M:%S UTC')
+
+
+
RUN ID
+
${{ github.run_id }}
+
+
+ +
+

Resume de l'Analyse

+

Les statistiques detaillees sont disponibles dans les fichiers JSON joints a cet artefact.

+
+
+
CRITICAL
+
-
+
+
+
HIGH
+
-
+
+
+
MEDIUM
+
-
+
+
+
LOW
+
-
+
+
+
+ +
+

Fichiers Inclus

+
+

Contenu de cet artefact :

+
    +
  • trivy-image-report.json - Rapport complet au format JSON
  • +
  • trivy-image-report.txt - Rapport en tableau lisible
  • +
  • trivy-image-report.html - Ce rapport HTML
  • +
  • trivy-config-report.json - Analyse de configuration Dockerfile
  • +
  • trivy-image-results.sarif - Format SARIF pour integration
  • +
+
+
+ +
+

Actions Recommandees

+
+

Pour corriger les vulnerabilites :

+
    +
  • Mettre a jour l'image de base vers la derniere version
  • +
  • Mettre a jour les dependances avec des versions patchees
  • +
  • Utiliser des images minimales (Alpine, Distroless)
  • +
  • Scanner regulierement les images en production
  • +
  • Consulter l'onglet Security de GitHub pour plus de details
  • +
+
+
+ + +
+ + + HTMLEOF + + - name: Upload SARIF to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'reports/trivy-image-results.sarif' + continue-on-error: true + + - name: Upload Docker Image Scan Reports + uses: actions/upload-artifact@v4 + with: + name: trivy-docker-image-report + path: | + reports/trivy-image-report.json + reports/trivy-image-report.txt + reports/trivy-image-report.html + reports/trivy-config-report.json + reports/trivy-image-results.sarif + retention-days: 30 + + # ============================================ + # JOB 3: Deploiement (si les scans passent) + # ============================================ Deploy: runs-on: ubuntu-latest - needs: Dockerfile + needs: [Dependances, Dockerfile] steps: - - name: Deploy + - name: Checkout code + uses: actions/checkout@v4 + + - name: Deploy notification run: | - echo "Rien à faire ici. Votre application est prête à être déployée" + echo "All security scans completed!" + echo "Ready for deployment" + echo "Check the Artifacts section for detailed vulnerability reports" + + # ============================================ + # JOB 4: Generation du rapport consolide final + # ============================================ + Generate-Final-Report: + runs-on: ubuntu-latest + needs: [Dependances, Dockerfile, Deploy] + if: always() + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Create reports directory + run: mkdir -p final-reports + + - name: Download all artifacts + uses: actions/download-artifact@v4 + with: + path: downloaded-artifacts + + - name: Generate consolidated security report + run: | + cat > final-reports/security-summary.html << 'HTMLEOF' + + + + + + Rapport de Securite Consolide - DevSecOps + + + +
+

Rapport de Securite DevSecOps

+

Analyse complete des vulnerabilites - Pipeline CI/CD

+
+ +
+
+

INFO Informations du Build

+
+
+
Repository
+
${{ github.repository }}
+
+
+
Branche
+
${{ github.ref_name }}
+
+
+
Commit SHA
+
${{ github.sha }}
+
+
+
Run ID
+
${{ github.run_id }}
+
+
+
Declanche par
+
${{ github.actor }}
+
+
+
Date d'execution
+
$(date '+%Y-%m-%d %H:%M:%S UTC')
+
+
+
+ +
+

PIPELINE Pipeline DevSecOps

+
+
+
+
Scan des Dependances
+
Analyse des vulnerabilites dans les dependances du projet (npm, pip, etc.)
+
+
+
+
+
Scan Dockerfile et Image
+
Analyse des misconfigurations et vulnerabilites de l'image Docker
+
+
+
+
+
Deploiement
+
Validation finale et preparation au deploiement
+
+
+
+
+
Generation des Rapports
+
Consolidation de tous les rapports de securite
+
+
+
+
+ +
+

ARTIFACTS Artefacts Disponibles

+ +
+ +
+

LINKS Ressources

+
+
+
Onglet Security GitHub
+
Consultez les alertes SARIF dans l'onglet Security du repository
+
+
+
Documentation Trivy
+
https://aquasecurity.github.io/trivy
+
+
+
+
+ + + + + HTMLEOF
+
+ - name: Upload Consolidated Security Report
+ uses: actions/upload-artifact@v4
+ with:
+ name: consolidated-security-report
+ path: |
+ final-reports/
+ downloaded-artifacts/
+ retention-days: 90
From 9b113f94f68f402718c8943c8861a1821c732fb6 Mon Sep 17 00:00:00 2001
From: FredericRagheb <104088078+FredericRagheb@users.noreply.github.com>
Date: Tue, 20 Jan 2026 15:22:14 +0000
Subject: [PATCH 5/6] Add manual workflow trigger for testing
---
 .github/workflows/devsecops.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.github/workflows/devsecops.yml b/.github/workflows/devsecops.yml
index 627c2221..fa2ebe35 100644
--- a/.github/workflows/devsecops.yml
+++ b/.github/workflows/devsecops.yml
@@ -5,6 +5,13 @@ on:
 branches: [ main, master ]
 pull_request:
 branches: [ main, master ]
+ workflow_dispatch:
+ inputs:
+ scan_severity:
+ description: 'Severity levels to scan'
+ required: false
+ default: 'LOW,MEDIUM,HIGH,CRITICAL'
+ type: string
 env:
 IMAGE_NAME: breakableflask
From c16db6adf8ab051235cb4e26900fa65c90b89381 Mon Sep 17 00:00:00 2001
From: FredericRagheb <104088078+FredericRagheb@users.noreply.github.com>
Date: Tue, 20 Jan 2026 15:31:19 +0000
Subject: [PATCH 6/6] Add Dockerfile and update CodeQL action to v4
---
 .github/workflows/devsecops.yml | 4 ++--
 Dockerfile | 12 ++++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 Dockerfile
diff --git a/.github/workflows/devsecops.yml b/.github/workflows/devsecops.yml
index fa2ebe35..e9acb818 100644
--- a/.github/workflows/devsecops.yml
+++ b/.github/workflows/devsecops.yml
@@ -108,7 +108,7 @@ jobs:
 continue-on-error: true
 - name: Upload SARIF to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@v4
 with:
 sarif_file: 'reports/trivy-fs-results.sarif'
 continue-on-error: true
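Review bot: The comment `JOB 3: Deploiement (si les scans passent)` is not implemented — every trivy step carries `continue-on-error: true` and none sets `exit-code`, so Deploy (`needs: [Dependances, Dockerfile]`) runs whatever the scans find; add one gating scan per job with `severity: 'HIGH,CRITICAL'`, `ignore-unfixed: true` and `exit-code: '1'` and no `continue-on-error`, as sketched below. The workflow declares no `permissions:` block, yet `github/codeql-action/upload-sarif` needs `security-events: write`; with a restricted default token the upload fails and `continue-on-error: true` hides it, so add `permissions: { contents: read, security-events: write }` at the top. `aquasecurity/trivy-action@master` is a mutable branch reference and the `TRIVY_VERSION: "0.50.0"` env value is never read, so the scanner version is neither pinned nor reproducible — pin the action to a commit SHA and pass the version through its `version:` input if the pinned release supports it. The heredocs use quoted delimiters (`<< 'EOF'`, `<< 'HTMLEOF'`), which is right for keeping the `${{ }}`-substituted values out of shell evaluation, but it also means `$(date '+%Y-%m-%d %H:%M:%S UTC')` is written into every HTML report literally; capture the timestamp into a step `env:` before the heredoc and patch it in afterwards with `sed`, or use `${{ github.event.head_commit.timestamp }}` for push runs.
```yaml
permissions:
  contents: read
  security-events: write

# … unchanged: on, env, Dependances checkout and report steps …

      - name: Gate on unfixed HIGH/CRITICAL findings
        uses: aquasecurity/trivy-action@<pinned commit SHA>
        with:
          scan-type: 'fs'
          scan-ref: '.'
          severity: 'HIGH,CRITICAL'
          ignore-unfixed: true
          exit-code: '1'
```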
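Review bot: The `scan_severity` input added under `workflow_dispatch` is never read — every trivy step elsewhere in the file still hard-codes `severity: 'LOW,MEDIUM,HIGH,CRITICAL'` — so a manual run with a narrower value changes nothing. Wire it in with `severity: ${{ github.event.inputs.scan_severity || 'LOW,MEDIUM,HIGH,CRITICAL' }}` on each scan step; the value then reaches trivy as an action input rather than being inlined into a `run:` script, which is the right way to keep a free-text dispatch input out of the shell. Consider `type: choice` with an `options:` list instead of `type: string` so only valid severity sets can be submitted.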
@@ -323,7 +323,7 @@ jobs:
 HTMLEOF
 - name: Upload SARIF to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@v4
 with:
 sarif_file: 'reports/trivy-image-results.sarif'
 continue-on-error: true
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 00000000..9c578140
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,12 @@
+FROM python:3.11-slim
+
+WORKDIR /app
+
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY . .
+
+EXPOSE 5000
+
+CMD ["python", "main.py"]
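Review bot: The new Dockerfile has no `USER` instruction, so `python main.py` runs as root inside the container; add `RUN useradd --create-home --uid 10001 app && chown -R app:app /app` and `USER app` after the final `COPY` and before `EXPOSE`. `COPY . .` copies the entire build context and no `.dockerignore` is added in this series, so `.git`, `.github` and any local `reports/` land in the image layer the workflow scans and may publish; add a `.dockerignore` excluding at least `.git` and `.github`. `python:3.11-slim` is a floating tag — pin it by digest (`FROM python:3.11-slim@sha256:…`) so the base image the scan approved is the one that gets deployed. `main.py` is not in the patch, so whether `CMD` starts Flask's development server cannot be confirmed here; if it does, a production WSGI server should front it.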