generated from nhcarrigan/template
Compare commits
12 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| a57302ec36 | |||
| c836ea636f | |||
| 5876686754 | |||
| fba3af6f22 | |||
| be563eb608 | |||
| 12b82907dc | |||
| b1afed5ef2 | |||
| 271ebd1e64 | |||
| 54c53f322a | |||
| cc07a86807 | |||
| fc9ca35a55 | |||
| 9f041454c0 |
@@ -8,8 +8,9 @@ on:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
lint:
|
||||
name: Lint and Test
|
||||
ci:
|
||||
name: CI
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Checkout Source Files
|
||||
@@ -25,14 +26,22 @@ jobs:
|
||||
with:
|
||||
version: 10
|
||||
|
||||
- name: Ensure Dependencies are Pinned
|
||||
uses: naomi-lgbt/dependency-pin-check@main
|
||||
with:
|
||||
language: javascript
|
||||
dev-dependencies: true
|
||||
peer-dependencies: true
|
||||
optional-dependencies: true
|
||||
|
||||
- name: Install Dependencies
|
||||
run: pnpm install
|
||||
|
||||
- name: Verify Build
|
||||
run: pnpm run build
|
||||
|
||||
- name: Lint Source Files
|
||||
run: pnpm run lint
|
||||
|
||||
- name: Verify Build
|
||||
run: pnpm run build
|
||||
|
||||
- name: Run Tests
|
||||
run: pnpm run test
|
||||
|
||||
177
.gitea/workflows/security.yml
Normal file
177
.gitea/workflows/security.yml
Normal file
@@ -0,0 +1,177 @@
|
||||
name: Security Scan and Upload
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ main ]
|
||||
pull_request:
|
||||
branches: [ main ]
|
||||
schedule:
|
||||
- cron: '0 0 * * 1'
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
security-audit:
|
||||
name: Security & DefectDojo Upload
|
||||
runs-on: ubuntu-latest
|
||||
continue-on-error: true
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
# --- AUTO-SETUP PROJECT ---
|
||||
- name: Ensure DefectDojo Product Exists
|
||||
env:
|
||||
DD_URL: ${{ secrets.DD_URL }}
|
||||
DD_TOKEN: ${{ secrets.DD_TOKEN }}
|
||||
PRODUCT_NAME: ${{ github.repository }}
|
||||
PRODUCT_TYPE_ID: 1
|
||||
run: |
|
||||
sudo apt-get install jq -y > /dev/null
|
||||
|
||||
echo "Checking connection to $DD_URL..."
|
||||
|
||||
# Check if product exists - capture HTTP code to debug connection issues
|
||||
RESPONSE=$(curl --write-out "%{http_code}" --silent --output /tmp/response.json \
|
||||
-H "Authorization: Token $DD_TOKEN" \
|
||||
"$DD_URL/api/v2/products/?name=$PRODUCT_NAME")
|
||||
|
||||
# If response is not 200, print error
|
||||
if [ "$RESPONSE" != "200" ]; then
|
||||
echo "::error::Failed to query DefectDojo. HTTP Code: $RESPONSE"
|
||||
cat /tmp/response.json
|
||||
exit 1
|
||||
fi
|
||||
|
||||
COUNT=$(cat /tmp/response.json | jq -r '.count')
|
||||
|
||||
if [ "$COUNT" = "0" ]; then
|
||||
echo "Creating product '$PRODUCT_NAME'..."
|
||||
curl -s -X POST "$DD_URL/api/v2/products/" \
|
||||
-H "Authorization: Token $DD_TOKEN" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d '{ "name": "'"$PRODUCT_NAME"'", "description": "Auto-created by Gitea Actions", "prod_type": '$PRODUCT_TYPE_ID' }'
|
||||
else
|
||||
echo "Product '$PRODUCT_NAME' already exists."
|
||||
fi
|
||||
|
||||
# --- 1. TRIVY (Dependencies & Misconfig) ---
|
||||
- name: Install Trivy
|
||||
run: |
|
||||
sudo apt-get install wget apt-transport-https gnupg lsb-release -y
|
||||
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
|
||||
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
|
||||
sudo apt-get update && sudo apt-get install trivy -y
|
||||
|
||||
- name: Run Trivy (FS Scan)
|
||||
run: |
|
||||
trivy fs . --scanners vuln,misconfig --format json --output trivy-results.json --exit-code 0
|
||||
|
||||
- name: Upload Trivy to DefectDojo
|
||||
env:
|
||||
DD_URL: ${{ secrets.DD_URL }}
|
||||
DD_TOKEN: ${{ secrets.DD_TOKEN }}
|
||||
run: |
|
||||
echo "Uploading Trivy results..."
|
||||
# Generate today's date in YYYY-MM-DD format
|
||||
TODAY=$(date +%Y-%m-%d)
|
||||
|
||||
HTTP_CODE=$(curl --write-out "%{http_code}" --output response.txt --silent -X POST "$DD_URL/api/v2/import-scan/" \
|
||||
-H "Authorization: Token $DD_TOKEN" \
|
||||
-F "active=true" \
|
||||
-F "verified=true" \
|
||||
-F "scan_type=Trivy Scan" \
|
||||
-F "engagement_name=CI/CD Pipeline" \
|
||||
-F "product_name=${{ github.repository }}" \
|
||||
-F "scan_date=$TODAY" \
|
||||
-F "auto_create_context=true" \
|
||||
-F "file=@trivy-results.json")
|
||||
|
||||
if [[ "$HTTP_CODE" != "200" && "$HTTP_CODE" != "201" ]]; then
|
||||
echo "::error::Upload Failed with HTTP $HTTP_CODE"
|
||||
echo "--- SERVER RESPONSE ---"
|
||||
cat response.txt
|
||||
echo "-----------------------"
|
||||
exit 1
|
||||
else
|
||||
echo "Upload Success!"
|
||||
fi
|
||||
|
||||
# --- 2. GITLEAKS (Secrets) ---
|
||||
- name: Install Gitleaks
|
||||
run: |
|
||||
wget -qO gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/download/v8.18.0/gitleaks_8.18.0_linux_x64.tar.gz
|
||||
tar -xzf gitleaks.tar.gz
|
||||
sudo mv gitleaks /usr/local/bin/ && chmod +x /usr/local/bin/gitleaks
|
||||
|
||||
- name: Run Gitleaks
|
||||
run: gitleaks detect --source . -v --report-path gitleaks-results.json --report-format json --no-git || true
|
||||
|
||||
- name: Upload Gitleaks to DefectDojo
|
||||
env:
|
||||
DD_URL: ${{ secrets.DD_URL }}
|
||||
DD_TOKEN: ${{ secrets.DD_TOKEN }}
|
||||
run: |
|
||||
echo "Uploading Gitleaks results..."
|
||||
TODAY=$(date +%Y-%m-%d)
|
||||
|
||||
HTTP_CODE=$(curl --write-out "%{http_code}" --output response.txt --silent -X POST "$DD_URL/api/v2/import-scan/" \
|
||||
-H "Authorization: Token $DD_TOKEN" \
|
||||
-F "active=true" \
|
||||
-F "verified=true" \
|
||||
-F "scan_type=Gitleaks Scan" \
|
||||
-F "engagement_name=CI/CD Pipeline" \
|
||||
-F "product_name=${{ github.repository }}" \
|
||||
-F "scan_date=$TODAY" \
|
||||
-F "auto_create_context=true" \
|
||||
-F "file=@gitleaks-results.json")
|
||||
|
||||
if [[ "$HTTP_CODE" != "200" && "$HTTP_CODE" != "201" ]]; then
|
||||
echo "::error::Upload Failed with HTTP $HTTP_CODE"
|
||||
echo "--- SERVER RESPONSE ---"
|
||||
cat response.txt
|
||||
echo "-----------------------"
|
||||
exit 1
|
||||
else
|
||||
echo "Upload Success!"
|
||||
fi
|
||||
|
||||
# --- 3. SEMGREP (SAST) ---
|
||||
- name: Install Semgrep (via pipx)
|
||||
run: |
|
||||
sudo apt-get install pipx -y
|
||||
pipx install semgrep
|
||||
# Add pipx binary path to GITHUB_PATH so next steps can see 'semgrep'
|
||||
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
||||
|
||||
- name: Run Semgrep
|
||||
run: semgrep scan --config=p/security-audit --config=p/owasp-top-ten --json --output semgrep-results.json . || true
|
||||
|
||||
- name: Upload Semgrep to DefectDojo
|
||||
env:
|
||||
DD_URL: ${{ secrets.DD_URL }}
|
||||
DD_TOKEN: ${{ secrets.DD_TOKEN }}
|
||||
run: |
|
||||
echo "Uploading Semgrep results..."
|
||||
TODAY=$(date +%Y-%m-%d)
|
||||
|
||||
HTTP_CODE=$(curl --write-out "%{http_code}" --output response.txt --silent -X POST "$DD_URL/api/v2/import-scan/" \
|
||||
-H "Authorization: Token $DD_TOKEN" \
|
||||
-F "active=true" \
|
||||
-F "verified=true" \
|
||||
-F "scan_type=Semgrep JSON Report" \
|
||||
-F "engagement_name=CI/CD Pipeline" \
|
||||
-F "product_name=${{ github.repository }}" \
|
||||
-F "scan_date=$TODAY" \
|
||||
-F "auto_create_context=true" \
|
||||
-F "file=@semgrep-results.json")
|
||||
|
||||
if [[ "$HTTP_CODE" != "200" && "$HTTP_CODE" != "201" ]]; then
|
||||
echo "::error::Upload Failed with HTTP $HTTP_CODE"
|
||||
echo "--- SERVER RESPONSE ---"
|
||||
cat response.txt
|
||||
echo "-----------------------"
|
||||
exit 1
|
||||
else
|
||||
echo "Upload Success!"
|
||||
fi
|
||||
@@ -18,7 +18,7 @@ This page is currently deployed. [View the live website.]
|
||||
|
||||
## Feedback and Bugs
|
||||
|
||||
If you have feedback or a bug report, please feel free to open a GitHub issue!
|
||||
If you have feedback or a bug report, please [log a ticket on our forum](https://support.nhcarrigan.com).
|
||||
|
||||
## Contributing
|
||||
|
||||
|
||||
21
pnpm-workspace.yaml
Normal file
21
pnpm-workspace.yaml
Normal file
@@ -0,0 +1,21 @@
|
||||
# Security
|
||||
|
||||
# Do not execute any scripts of installed packages (project scripts still run)
|
||||
ignoreDepScripts: true
|
||||
# Do not automatically run pre/post scripts (e.g. preinstall, postbuild)
|
||||
enablePrePostScripts: false
|
||||
# Only allow packages published at least 10 days ago (reduces risk of compromised packages)
|
||||
minimumReleaseAge: 14400
|
||||
# Fail if a package's trust level has decreased compared to previous releases
|
||||
trustPolicy: no-downgrade
|
||||
# Ignore trust policy for packages published more than 1 year ago (predates provenance signing)
|
||||
trustPolicyIgnoreAfter: 525960
|
||||
# Fail if there are missing or invalid peer dependencies
|
||||
strictPeerDependencies: true
|
||||
# Prevent transitive dependencies from using exotic sources (git repos, direct tarball URLs)
|
||||
blockExoticSubdeps: true
|
||||
|
||||
# Lockfile
|
||||
|
||||
# Allow the lockfile to be updated during install (set to true in CI for stricter reproducibility)
|
||||
preferFrozenLockfile: false
|
||||
@@ -9,4 +9,6 @@ export const reservedSlugs = [
|
||||
"unsub",
|
||||
"overlimit",
|
||||
"404",
|
||||
"favicon.ico",
|
||||
"robots.txt",
|
||||
];
|
||||
|
||||
@@ -16,7 +16,7 @@ export const error = `<!DOCTYPE html>
|
||||
<body>
|
||||
<main>
|
||||
<h1>Oh dear!</h1>
|
||||
<img src="https://cdn.nhcarrigan.com/new-avatars/lynira.png" width="250" alt="Lynira" />
|
||||
<img src="https://cdn.nhcarrigan.com/new-avatars/lynira-full.png" width="250" alt="Lynira" />
|
||||
<section>
|
||||
<p>Something went wrong while trying to redirect you! Please try again later.</p>
|
||||
</section>
|
||||
|
||||
@@ -16,7 +16,7 @@ export const fourOhFour = `<!DOCTYPE html>
|
||||
<body>
|
||||
<main>
|
||||
<h1>Oh no!</h1>
|
||||
<img src="https://cdn.nhcarrigan.com/new-avatars/lynira.png" width="250" alt="Lynira" />
|
||||
<img src="https://cdn.nhcarrigan.com/new-avatars/lynira-full.png" width="250" alt="Lynira" />
|
||||
<section>
|
||||
<p>It looks like that link is no longer registered! You should ask the person who shared it with you for an updated URL.</p>
|
||||
</section>
|
||||
|
||||
@@ -16,7 +16,7 @@ export const home = `<!DOCTYPE html>
|
||||
<body>
|
||||
<main>
|
||||
<h1>Lynira</h1>
|
||||
<img src="https://cdn.nhcarrigan.com/new-avatars/lynira.png" width="250" alt="Lynira" />
|
||||
<img src="https://cdn.nhcarrigan.com/new-avatars/lynira-full.png" width="250" alt="Lynira" />
|
||||
<section>
|
||||
<p>Link shortener service managed via a Discord bot.</p>
|
||||
<a href="https://discord.com/oauth2/authorize?client_id=1404593859656417320" class="social-button discord-button" style="display: inline-block; background-color: #5865F2; color: white; padding: 10px 20px; text-decoration: none; border-radius: 4px; margin: 5px;">
|
||||
|
||||
@@ -16,7 +16,7 @@ export const overlimit = `<!DOCTYPE html>
|
||||
<body>
|
||||
<main>
|
||||
<h1>Oopsie!</h1>
|
||||
<img src="https://cdn.nhcarrigan.com/new-avatars/lynira.png" width="250" alt="Lynira" />
|
||||
<img src="https://cdn.nhcarrigan.com/new-avatars/lynira-full.png" width="250" alt="Lynira" />
|
||||
<section>
|
||||
<p>It looks like the user who created this link has too many short URLs. They will need to delete some before this link works.</p>
|
||||
</section>
|
||||
|
||||
@@ -16,7 +16,7 @@ export const unsub = `<!DOCTYPE html>
|
||||
<body>
|
||||
<main>
|
||||
<h1>Oopsie!</h1>
|
||||
<img src="https://cdn.nhcarrigan.com/new-avatars/lynira.png" width="250" alt="Lynira" />
|
||||
<img src="https://cdn.nhcarrigan.com/new-avatars/lynira-full.png" width="250" alt="Lynira" />
|
||||
<section>
|
||||
<p>It looks like the user who created this link is no longer subscribed to our service! Please let them know that they will need to resubscribe before this URL works!</p>
|
||||
</section>
|
||||
|
||||
@@ -52,6 +52,16 @@ export const instantiateServer = (lynira: Lynira): void => {
|
||||
response.send(fourOhFour);
|
||||
});
|
||||
|
||||
server.get("/favicon.ico", (_request, response) => {
|
||||
response.redirect("https://cdn.nhcarrigan.com/favicon/favicon.ico");
|
||||
});
|
||||
|
||||
server.get("/robots.txt", (_request, response) => {
|
||||
response.header("Content-Type", "text/plain");
|
||||
// Allow everything
|
||||
response.send("User-agent: *\nDisallow:");
|
||||
});
|
||||
|
||||
// WILDCARD: anything static must come before this route.
|
||||
// eslint-disable-next-line max-statements -- Big function due to multiple routes.
|
||||
server.get("*", async(request, response) => {
|
||||
@@ -65,12 +75,10 @@ export const instantiateServer = (lynira: Lynira): void => {
|
||||
});
|
||||
|
||||
if (exists === null) {
|
||||
void logger.log("debug", `Link with slug "${slug}" does not exist.`);
|
||||
return await response.redirect("/404");
|
||||
}
|
||||
|
||||
if (exists.deleted) {
|
||||
void logger.log("debug", `Link with slug "${slug}" has been deleted.`);
|
||||
return await response.redirect("/404");
|
||||
}
|
||||
|
||||
@@ -108,12 +116,12 @@ export const instantiateServer = (lynira: Lynira): void => {
|
||||
}
|
||||
});
|
||||
|
||||
server.listen({ port: 5033 }, (actualError) => {
|
||||
server.listen({ port: 5044 }, (actualError) => {
|
||||
if (actualError) {
|
||||
void logger.error("instantiate server", actualError);
|
||||
return;
|
||||
}
|
||||
void logger.log("debug", "Server listening on port 5033.");
|
||||
void logger.log("debug", "Server listening on port 5044.");
|
||||
});
|
||||
} catch (actualError) {
|
||||
if (actualError instanceof Error) {
|
||||
|
||||
Reference in New Issue
Block a user