feat: add standup bot

.gitea/workflows/sonar.yml

@@ -0,0 +1,34 @@
+name: Code Analysis
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  sonar:
+    name: SonarQube
+
+    steps:
+      - name: Checkout Source Files
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: SonarCube Scan
+        uses: SonarSource/sonarqube-scan-action@v4
+        timeout-minutes: 10
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_HOST_URL: "https://quality.nhcarrigan.com"
+        with:
+          args: >
+            -Dsonar.sources=.
+            -Dsonar.projectKey=security
+
+      - name: SonarQube Quality Gate check
+        uses: sonarsource/sonarqube-quality-gate-action@v1
+        with:
+          pollingTimeoutSec: 600
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_HOST_URL: "https://quality.nhcarrigan.com"

scan.sh

@@ -1,87 +1,92 @@
-# Clean existing reports.
+# Clean any existing reports.
 rm -r ./gitleaks;
 rm -r ./trivy;
 rm -r ./grype;
 rm -r ./syft;
-rm -r ./snyk;
 rm -r ./deps;
+rm ./index.html;
 
 # Create the directories for the reports.
 mkdir ./gitleaks;
 mkdir ./trivy;
 mkdir ./grype;
 mkdir ./syft;
-mkdir ./snyk;
 mkdir ./deps;
 
-# Parse directories for all of the projects we "own".
+# List of repositories to scan.
-repositories=($(find /home/naomi/code/naomi -maxdepth 1 -type d -not -name '.' -printf "%f\n" | sort));
+repositories=("typescript-config" "boost-monitor" "tingle-bot" "rig-task-bot" "blog" "mod-logs" "a4p-bot" "mod-bot" "rosalia-nightsong" "eslint-config" "logger" "aria-iuvo" "cordelia-taryne" "melody-iuvo" "nginx-configs" "website-headers" "discord-rpc" "portfolio" "forms" "static-pages" "ocean-breeze" "becca-lyria" "docs" "gwen-abalise" "nails" "maylin-taryne" "standup-bot");
+# Sort them alphabetically.
+repositories=($(echo "${repositories[@]}" | tr ' ' '\n' | sort -u | tr '\n' ' '));
 html=();
+current_dir=$(pwd);
+date=$(date);
 
 for directory in "${repositories[@]}"; do
-  if [ $directory == "naomi" ] || [ $directory == "security" ]; then
-    continue;
-  fi;
   echo "Scanning $directory";
 
-  # Automated scanning tools
+  git clone https://git.nhcarrigan.com/nhcarrigan/$directory ./_repos/$directory;
-  gitleaks detect --source /home/naomi/code/naomi/$directory -r ./gitleaks/$directory.json --no-banner;
-  trivy repo --format json --output ./trivy/$directory.json /home/naomi/code/naomi/$directory;
-  grype -o json --file ./grype/$directory.json /home/naomi/code/naomi/$directory;
-  syft scan /home/naomi/code/naomi/$directory -o json=./syft/$directory.json;
-
-  # Need to move directories for Snyk to track the target correctly.
-  cd /home/naomi/code/naomi/$directory;
-  snyk monitor --dev --project-name=$directory --remote-repo-url=$(git remote get-url origin) /home/naomi/code/naomi/$directory;
-  snyk test --dev --json --json-file-output=/home/naomi/code/naomi/security/snyk/$directory.json /home/naomi/code/naomi/$directory;
-  cd /home/naomi/code/naomi/security;
 
   # Manual dependency version checks (no reliable package to do this for us :/ )
-  echo "No supported package manager found in this project." > /home/naomi/code/naomi/security/deps/$directory.txt;
+  echo "No supported package manager found in this project." > $current_dir/deps/$directory.txt;
-  if [ -f /home/naomi/code/naomi/$directory/package.json ]; then
+  if [ -f $current_dir/_repos/$directory/package.json ]; then
-    cd /home/naomi/code/naomi/$directory;
+    cd $current_dir/_repos/$directory;
-    pnpm outdated | grep -v "^WARN" > /home/naomi/code/naomi/security/deps/$directory.txt;
+    pnpm install;
-    cd /home/naomi/code/naomi/security;
+    pnpm outdated | grep -v "^WARN" > $current_dir/deps/$directory.txt;
+    cd $current_dir
   fi;
-  if [ -f /home/naomi/code/naomi/$directory/Pipfile ]; then
+  if [ -f $current_dir/_repos/$directory/Pipfile ]; then
-    cd /home/naomi/code/naomi/$directory;
+    cd $current_dir/_repos/$directory;
-    pip list --outdated > /home/naomi/code/naomi/security/deps/$directory.txt;
+    pip install;
-    cd /home/naomi/code/naomi/security;
+    pip list --outdated > $current_dir/deps/$directory.txt;
+    cd $current_dir
   fi;
-  if [ -f /home/naomi/code/naomi/$directory/*.csproj ]; then
+  if [ -f $current_dir/_repos/$directory/*.csproj ]; then
-    cd /home/naomi/code/naomi/$directory;
+    cd $current_dir/_repos/$directory;
-    dotnet list package --outdated > /home/naomi/code/naomi/security/deps/$directory.txt;
+    dotnet restore;
-    cd /home/naomi/code/naomi/security;
+    dotnet list package --outdated > $current_dir/deps/$directory.txt;
+    cd $current_dir
   fi;
-  if [ -f /home/naomi/code/naomi/$directory/go.mod ]; then
+  if [ -f $current_dir/_repos/$directory/go.mod ]; then
-    cd /home/naomi/code/naomi/$directory;
+    cd $current_dir/_repos/$directory;
-    go list -m -u all > /home/naomi/code/naomi/security/deps/$directory.txt;
+    go install;
-    cd /home/naomi/code/naomi/security;
+    go list -m -u all > $current_dir/deps/$directory.txt;
+    cd $current_dir
   fi;
-  if [ -f /home/naomi/code/naomi/$directory/rockspec ]; then
+  if [ -f $current_dir/_repos/$directory/rockspec ]; then
-    cd /home/naomi/code/naomi/$directory;
+    cd $current_dir/_repos/$directory;
-    luarocks list --outdated > /home/naomi/code/naomi/security/deps/$directory.txt;
+    luarocks install;
-    cd /home/naomi/code/naomi/security;
+    luarocks list --outdated > $current_dir/deps/$directory.txt;
+    cd $current_dir
   fi;
-  if [ -f /home/naomi/code/naomi/$directory/composer.json ]; then
+  if [ -f $current_dir/_repos/$directory/composer.json ]; then
-    cd /home/naomi/code/naomi/$directory;
+    cd $current_dir/_repos/$directory;
-    composer outdated --format=json > /home/naomi/code/naomi/security/deps/$directory.json;
+    composer install;
-    cd /home/naomi/code/naomi/security;
+    composer outdated --format=json > $current_dir/deps/$directory.json;
+    cd $current_dir
   fi;
-  if [ -f /home/naomi/code/naomi/$directory/Gemfile ]; then
+  if [ -f $current_dir/_repos/$directory/Gemfile ]; then
-    cd /home/naomi/code/naomi/$directory;
+    cd $current_dir/_repos/$directory;
-    bundle outdated > /home/naomi/code/naomi/security/deps/$directory.txt;
+    bundle install;
-    cd /home/naomi/code/naomi/security;
+    bundle outdated > $current_dir/deps/$directory.txt;
+    cd $current_dir
   fi;
-  if [ -f /home/naomi/code/naomi/$directory/Cargo.toml ]; then
+  if [ -f $current_dir/_repos/$directory/Cargo.toml ]; then
-    cd /home/naomi/code/naomi/$directory;
+    cd $current_dir/_repos/$directory;
-    cargo outdated > /home/naomi/code/naomi/security/deps/$directory.txt;
+    cargo install;
-    cd /home/naomi/code/naomi/security;
+    cargo outdated > $current_dir/deps/$directory.txt;
+    cd $current_dir
   fi;
-  html+=("<h2>$directory</h2><ul><li style='list-style-type: none;'><a href='./gitleaks/$directory.json'>Gitleaks</a></li><li style='list-style-type: none;'><a href='./trivy/$directory.json'>Trivy</a></li><li style='list-style-type: none;'><a href='./grype/$directory.json'>Grype</a></li><li style='list-style-type: none;'><a href='./syft/$directory.json'>Syft</a></li><li style='list-style-type: none;'><a href='./snyk/$directory.json'>Snyk</a></ul><li style='list-style-type: none;'><a href='./deps/$directory.txt'>Outdated Dependencies</a></ul>");
+
+  # Automated scanning tools
+  gitleaks detect --source $current_dir/_repos/$directory -r $current_dir/gitleaks/$directory.json --no-banner;
+  trivy repo --format json --output $current_dir/trivy/$directory.json $current_dir/_repos/$directory --include-dev-deps;
+  grype -o json --file $current_dir/grype/$directory.json $current_dir/_repos/$directory;
+  syft scan $current_dir/_repos/$directory -o json=$current_dir/syft/$directory.json;
+
+  html+=("<h2>$directory</h2><ul><li style='list-style-type: none;'><a href='./gitleaks/$directory.json'>Gitleaks</a></li><li style='list-style-type: none;'><a href='./trivy/$directory.json'>Trivy</a></li><li style='list-style-type: none;'><a href='./grype/$directory.json'>Grype</a></li><li style='list-style-type: none;'><a href='./syft/$directory.json'>Syft</a></li><li style='list-style-type: none;'><a href='./deps/$directory.txt'>Outdated Dependencies</a></ul>");
+
 done;
 
-echo "<!DOCTYPE html><html><head><title>Security Audits</title><meta charset=\"utf-8\" /><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" /><meta name=\"description\" content=\"A collection of the various reporting tools we run against our repositories.\" /><script src=\"https://cdn.nhcarrigan.com/headers/index.js\" async defer></script></head><body><main><h1>Security Audits</h1><section><p>A collection of the various reporting tools we run against our repositories.</p><p>Contributions to resolve a reported issue are welcomed!</section><section>${html[*]}</section></main></body></html>" > ./index.html;
+rm -rf $current_dir/_repos;
 
-# Deploy the reports to the production server.
+echo "<!DOCTYPE html><html><head><title>Security Audits</title><meta charset=\"utf-8\" /><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" /><meta name=\"description\" content=\"A collection of the various reporting tools we run against our repositories.\" /><script src=\"https://cdn.nhcarrigan.com/headers/index.js\" async defer></script></head><body><main><h1>Security Audits</h1><section><p>A collection of the various reporting tools we run against our repositories.</p><p>Contributions to resolve a reported issue are welcomed!</p><p>Updated: ${date}</p></section><section>${html[*]}</section></main></body></html>" > ./index.html;
-GLOBIGNORE='.git' scp -r ./* prod:/home/nhcarrigan/security