From f01edb704d21e755ac2955d5a2f21ce21c86b557 Mon Sep 17 00:00:00 2001 From: NkoLow <104155407+NkoLow@users.noreply.github.com> Date: Tue, 27 Jan 2026 09:37:46 +0100 Subject: [PATCH 1/7] Add DevSecOps workflow for testing and deployment --- .github/workflows/devsecops.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .github/workflows/devsecops.yml diff --git a/.github/workflows/devsecops.yml b/.github/workflows/devsecops.yml new file mode 100644 index 00000000..df02e4b5 --- /dev/null +++ b/.github/workflows/devsecops.yml @@ -0,0 +1,23 @@ +name: Automatisation des tests DevSecOps +on: push +jobs: + Dependances: + runs-on: ubuntu-latest + steps: + - name: Dependances + run: | + echo "ecrire ici le scrypt de contrôle des dépendances" + Dockerfile: + runs-on: ubuntu-latest + needs: Dependances + steps: + - name: Test Dockerfile + run: | + echo "ecrire ici le scrypt de contrôle du Dockerfile" + Deploy: + runs-on: ubuntu-latest + needs: Dockerfile + steps: + - name: Deploy + run: | + echo "Rien à faire ici. Votre application est prête à être déployée" From fe6db5006adb3bab2c020cb2e40261babe688fe5 Mon Sep 17 00:00:00 2001 From: NkoLow <104155407+NkoLow@users.noreply.github.com> Date: Tue, 27 Jan 2026 09:58:49 +0100 Subject: [PATCH 2/7] Update devsecops.yml --- .github/workflows/devsecops.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/devsecops.yml b/.github/workflows/devsecops.yml index df02e4b5..5e96351f 100644 --- a/.github/workflows/devsecops.yml +++ b/.github/workflows/devsecops.yml @@ -6,7 +6,10 @@ jobs: steps: - name: Dependances run: | - echo "ecrire ici le scrypt de contrôle des dépendances" + docker run --rm \ + -v "$PWD":/project \ + -v $HOME/.cache/trivy:/root/.cache/ \ + aquasec/trivy:latest fs /project/requirements.txt Dockerfile: runs-on: ubuntu-latest needs: Dependances From 6396a7338132700d398a01259e75073e4241fdb9 Mon Sep 17 00:00:00 2001 
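Review bot: `on: push` carries no branch or path filter, so every push to any branch runs the whole chain through the `Deploy` job at the end of the hunk; a filter such as `on:\n  push:\n    branches: [<default-branch>]` keeps a feature-branch push from reaching the deploy step. The workflow also declares no top-level `permissions:`, so the `GITHUB_TOKEN` each job receives gets whatever default the repository is configured with rather than the read-only grant these steps need; `permissions:\n  contents: read` at the top of the file covers everything present here. Note that a job whose only step is an `echo` always succeeds, so the `needs:` chain gates nothing until real checks replace the placeholders.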
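Review bot: The `docker run` added to the `Dependances` step scans `/project/requirements.txt`, but the job has no `actions/checkout` step before it, so on a fresh runner `$PWD` is an empty workspace and the file is not there; a checkout step must precede the scan. The command also passes no `--exit-code 1`, so Trivy reports findings but the step still exits 0 and the `Dockerfile` and `Deploy` jobs run regardless. Two smaller points: `aquasec/trivy:latest` is a mutable tag (pin a version, ideally by digest), and the cache mount should be quoted like the `$PWD` mount, `-v "$HOME/.cache/trivy":/root/.cache/`. The `Dockerfile:` job header at the end of the hunk is context.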
From: NkoLow <104155407+NkoLow@users.noreply.github.com> Date: Tue, 27 Jan 2026 10:03:46 +0100 Subject: [PATCH 3/7] Update DevSecOps workflow with Trivy scans --- .github/workflows/devsecops.yml | 37 ++++++++++++++++++++++----------- 1 file changed, 25 insertions(+), 12 deletions(-) diff --git a/.github/workflows/devsecops.yml b/.github/workflows/devsecops.yml index 5e96351f..055ad22e 100644 --- a/.github/workflows/devsecops.yml +++ b/.github/workflows/devsecops.yml @@ -1,26 +1,39 @@ name: Automatisation des tests DevSecOps on: push + jobs: Dependances: runs-on: ubuntu-latest steps: - - name: Dependances - run: | - docker run --rm \ - -v "$PWD":/project \ - -v $HOME/.cache/trivy:/root/.cache/ \ - aquasec/trivy:latest fs /project/requirements.txt + - name: Récupération du code + uses: actions/checkout@v3 + + - name: Scan des dépendances + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + scan-ref: '.' + format: 'table' + # exit-code à 1 mode bloquant + exit-code: '1' + severity: 'CRITICAL,HIGH' Dockerfile: runs-on: ubuntu-latest needs: Dependances steps: - - name: Test Dockerfile - run: | - echo "ecrire ici le scrypt de contrôle du Dockerfile" + - name: Récupération du code + uses: actions/checkout@v3 + + - name: Scan du Dockerfile (Trivy Config) + uses: aquasecurity/trivy-action@master + with: + scan-type: 'config' + scan-ref: '.' + exit-code: '1' + severity: 'CRITICAL,HIGH' Deploy: runs-on: ubuntu-latest needs: Dockerfile steps: - - name: Deploy - run: | - echo "Rien à faire ici. Votre application est prête à être déployée" + - name: Simulation Déploiement + run: echo "Déploiement réussi !" From d08698b3edc34856e9d9693091c682377483efbc Mon Sep 17 00:00:00 2001 From: NkoLow <104155407+NkoLow@users.noreply.github.com> Date: Tue, 27 Jan 2026 10:08:38 +0100 Subject: [PATCH 4/7] Modify exit code for security scan to block on issues Updated exit code configuration for security scan. --- .github/workflows/devsecops.yml | 1 - 1 file changed, 1 deletion(-) 
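Review bot: `uses: aquasecurity/trivy-action@master` in both scan steps runs a third-party action from a moving branch, so the code that executes with the repository's token changes whenever that branch does; pin it to a release tag or, better, a full commit SHA (`uses: aquasecurity/trivy-action@<release-tag-or-sha>`) so an upstream change cannot silently alter what the scan does on the runner. `actions/checkout@v3` is pinned to a major tag, which is acceptable, though v4 is the current major and the same SHA-pinning applies to it. The `Deploy` job at the end only echoes success, so with `exit-code: '1'` on both scans the `needs:` chain is now the only gate; a comment on that job, `# simulation only: no real deployment is performed`, would keep anyone from reading it as a live deploy.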
diff --git a/.github/workflows/devsecops.yml b/.github/workflows/devsecops.yml index 055ad22e..e94a0a7e 100644 --- a/.github/workflows/devsecops.yml +++ b/.github/workflows/devsecops.yml @@ -14,7 +14,6 @@ jobs: scan-type: 'fs' scan-ref: '.' format: 'table' - # exit-code à 1 mode bloquant exit-code: '1' severity: 'CRITICAL,HIGH' Dockerfile: From abbc9a0ed33ed1d7ec9415f2ecd34c8c2a031818 Mon Sep 17 00:00:00 2001 From: NkoLow <104155407+NkoLow@users.noreply.github.com> Date: Tue, 27 Jan 2026 10:26:36 +0100 Subject: [PATCH 5/7] Add Dockerfile for Python application setup --- Dockerfile | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 Dockerfile diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 00000000..dc66e8b7 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,17 @@ +FROM python:3.9-slim + +WORKDIR /app + +COPY requirements.txt . + +RUN pip install --no-cache-dir -r requirements.txt + +RUN groupadd -r appuser && useradd -r -g appuser appuser + +COPY --chown=appuser:appuser . . + +USER appuser + +EXPOSE 4000 + +CMD ["python", "main.py"] From 9894574394c54a91b0e24a99154037773983b7c2 Mon Sep 17 00:00:00 2001 From: NkoLow <104155407+NkoLow@users.noreply.github.com> Date: Tue, 27 Jan 2026 10:43:40 +0100 Subject: [PATCH 6/7] Update devsecops.yml --- .github/workflows/devsecops.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/workflows/devsecops.yml b/.github/workflows/devsecops.yml index e94a0a7e..6d9d1549 100644 --- a/.github/workflows/devsecops.yml +++ b/.github/workflows/devsecops.yml @@ -16,6 +16,14 @@ jobs: format: 'table' exit-code: '1' severity: 'CRITICAL,HIGH' + + - name: Upload du rapport de dépendances + if: always() # <--- IMPORTANT : S'exécute même si des failles sont trouvées (exit 1) + uses: actions/upload-artifact@v4 + with: + name: rapport-trivy-dependances + path: rapport-dependances.txt + Dockerfile: runs-on: ubuntu-latest needs: Dependances 
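Review bot: `COPY --chown=appuser:appuser . .` copies the entire build context into the image, and no `.dockerignore` appears anywhere in this series, so unless one already exists `.git/`, the `.github/` workflows and any local files land in the final layer; a `.dockerignore` excluding at least `.git` and `.github` belongs alongside this Dockerfile. `FROM python:3.9-slim` is pinned only by tag, and as far as I know the 3.9 line has left its upstream support window before this commit's date, so no further security fixes reach the base image; move to a supported 3.x tag and pin by digest (`FROM python:<tag>@sha256:<digest>`) so rebuilds and the Trivy config scan see the same image. The non-root `USER appuser` and `--no-cache-dir` are good; `EXPOSE 4000` is informational only.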
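Review bot: The new upload step points `path:` at `rapport-dependances.txt`, but nothing in the job writes that file at this commit — the Trivy step above it has no `output:` — so the upload has nothing to archive; the same applies to `rapport-dockerfile.txt` in this patch's second hunk. Adding `output: 'rapport-dependances.txt'` to the scan step in the same change is what makes the artifact step live. With `actions/upload-artifact@v4` the default `if-no-files-found` is `warn`, so a wrong report path surfaces only as a warning; `if-no-files-found: error` makes it fail loudly. Separately, `if: always()` also fires when the run is cancelled; `if: ${{ !cancelled() }}` keeps the "upload even when the scan fails" intent while skipping cancelled runs.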
@@ -30,6 +38,13 @@ jobs: scan-ref: '.' exit-code: '1' severity: 'CRITICAL,HIGH' + + - name: Upload du rapport Dockerfile + if: always() # <--- IMPORTANT : S'exécute même si des failles sont trouvées + uses: actions/upload-artifact@v4 + with: + name: rapport-trivy-dockerfile + path: rapport-dockerfile.txt Deploy: runs-on: ubuntu-latest needs: Dockerfile From 79cc4dfa04789e3286e36d3877514e7da501aa75 Mon Sep 17 00:00:00 2001 From: NkoLow <104155407+NkoLow@users.noreply.github.com> Date: Tue, 27 Jan 2026 10:46:50 +0100 Subject: [PATCH 7/7] Enhance devsecops workflow with report outputs Added output options for dependency and Dockerfile reports. --- .github/workflows/devsecops.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/devsecops.yml b/.github/workflows/devsecops.yml index 6d9d1549..c69feb2b 100644 --- a/.github/workflows/devsecops.yml +++ b/.github/workflows/devsecops.yml @@ -14,11 +14,12 @@ jobs: scan-type: 'fs' scan-ref: '.' format: 'table' + output: 'rapport-dependances.txt' # Génère le fichier exit-code: '1' severity: 'CRITICAL,HIGH' - name: Upload du rapport de dépendances - if: always() # <--- IMPORTANT : S'exécute même si des failles sont trouvées (exit 1) + if: always() # S'exécute même si le scan échoue uses: actions/upload-artifact@v4 with: name: rapport-trivy-dependances @@ -36,15 +37,18 @@ jobs: with: scan-type: 'config' scan-ref: '.' + format: 'table' + output: 'rapport-dockerfile.txt' # Génère le fichier exit-code: '1' severity: 'CRITICAL,HIGH' - name: Upload du rapport Dockerfile - if: always() # <--- IMPORTANT : S'exécute même si des failles sont trouvées + if: always() # S'exécute même si le scan échoue uses: actions/upload-artifact@v4 with: name: rapport-trivy-dockerfile path: rapport-dockerfile.txt + Deploy: runs-on: ubuntu-latest needs: Dockerfile
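Review bot: With `output: 'rapport-dependances.txt'` set, Trivy writes the table to that file and, unless I'm mistaken, no longer prints it to the step log, so a failed run shows only the non-zero exit in the console and a reviewer has to download the artifact to see what tripped the gate; the same applies to `output: 'rapport-dockerfile.txt'` in the second hunk of this patch. A short step guarded like the upload keeps the findings visible in the log: `- name: Afficher le rapport\n  if: always()\n  run: cat rapport-dependances.txt`. The report is written into the checkout before the upload step runs, so nothing else in the job needs to change; the `Deploy:` job header at the end of the second hunk is context.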