SecuScan/.github/workflows/ci.yml at main · utksh1/SecuScan · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
name: SecuScan CI

on:
  push:
  pull_request:

permissions:
  contents: read

jobs:
  detect-changes:
    runs-on: ubuntu-latest
    outputs:
      run_backend: ${{ steps.filter.outputs.run_backend }}
      run_frontend: ${{ steps.filter.outputs.run_frontend }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Fetch base branch for diff
        if: github.event_name == 'pull_request'
        run: git fetch origin "${{ github.base_ref }}" --depth=1
      # Test-selection policy (which suites run for which changes, plus the
      # full-suite fallbacks) is documented in docs/ci-test-selection.md
      - name: Determine test selection
        id: filter
        env:
          GITHUB_EVENT_NAME: ${{ github.event_name }}
        run: python3 scripts/select_tests.py

  formatting-hygiene:
    needs: detect-changes
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Check formatting hygiene on changed files
        run: |
          git fetch origin "${{ github.base_ref }}" --depth=1
          git diff --check "origin/${{ github.base_ref }}"...HEAD

  issue-template-label-validation:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Validate issue template labels
        run: python scripts/validate_issue_template_labels.py

  doc-anchor-validation:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - name: Validate documentation anchors
        run: python scripts/validate_doc_anchors.py

  backend-lint:
    needs: detect-changes
    if: needs.detect-changes.outputs.run_backend == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install backend system dependencies
        run: sudo apt-get update && sudo apt-get install -y libcairo2-dev pkg-config
      - name: Install backend development dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r backend/requirements.txt -r backend/requirements-dev.txt
      - name: Run backend lint baseline
        run: ruff check backend testing/backend

  backend-unit:
    needs: [detect-changes, backend-lint, formatting-hygiene]
    if: |
      always() &&
      needs.detect-changes.outputs.run_backend == 'true' &&
      (needs.backend-lint.result == 'success' || needs.backend-lint.result == 'skipped') &&
      (needs.formatting-hygiene.result == 'success' || needs.formatting-hygiene.result == 'skipped')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install backend system dependencies
        run: sudo apt-get update && sudo apt-get install -y libcairo2-dev pkg-config
      - name: Install backend dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r backend/requirements.txt -r backend/requirements-dev.txt
      - name: Run unit tests
        run: pytest testing/backend/unit -q -m "not benchmark"

  backend-integration:
    needs: [detect-changes, backend-lint, formatting-hygiene]
    if: |
      always() &&
      needs.detect-changes.outputs.run_backend == 'true' &&
      (needs.backend-lint.result == 'success' || needs.backend-lint.result == 'skipped') &&
      (needs.formatting-hygiene.result == 'success' || needs.formatting-hygiene.result == 'skipped')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install backend system dependencies
        run: sudo apt-get update && sudo apt-get install -y libcairo2-dev pkg-config
      - name: Install backend dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r backend/requirements.txt -r backend/requirements-dev.txt
      - name: Run integration tests
        run: pytest testing/backend/integration -q -m "not benchmark"

  parser-contracts:
    needs: [detect-changes, backend-lint, formatting-hygiene]
    if: |
      always() &&
      needs.detect-changes.outputs.run_backend == 'true' &&
      (needs.backend-lint.result == 'success' || needs.backend-lint.result == 'skipped') &&
      (needs.formatting-hygiene.result == 'success' || needs.formatting-hygiene.result == 'skipped')
    runs-on: ubuntu-latest
    strategy:
      matrix:
        capability_group:
          - network
          - intrusive
          - credentials
          - exploit
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install backend system dependencies
        run: sudo apt-get update && sudo apt-get install -y libcairo2-dev pkg-config
      - name: Install backend dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r backend/requirements.txt -r backend/requirements-dev.txt
      - name: Run parser contract tests for capability group ${{ matrix.capability_group }}
        run: |
          echo "Running parser contract tests for capability group: ${{ matrix.capability_group }}"
          PARSER_CAPABILITY_GROUP=${{ matrix.capability_group }} pytest testing/backend/integration/test_parser_output_contract.py -q
  backend-tests:
    needs:
      - backend-unit
      - backend-integration
      - parser-contracts
    runs-on: ubuntu-latest
    if: |
      always() &&
      (needs.backend-unit.result == 'success' || needs.backend-unit.result == 'skipped') &&
      (needs.backend-integration.result == 'success' || needs.backend-integration.result == 'skipped') &&
      (needs.parser-contracts.result == 'success' || needs.parser-contracts.result == 'skipped')
    steps:
      - name: Backend test suites completed
        run: echo "backend-unit, backend-integration, and parser-contracts completed"
  backend-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install backend system dependencies
        run: sudo apt-get update && sudo apt-get install -y libcairo2-dev pkg-config
      - name: Install backend dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r backend/requirements.txt -r backend/requirements-dev.txt

      - name: Run pip-audit on backend
        id: pip_audit
        run: |
          mkdir -p ${{ github.workspace }}/backend
          pip-audit -r backend/requirements.txt --desc --format json > ${{ github.workspace }}/backend/pip-audit-report.json || {
            EXIT_CODE=$?
            echo "EXIT_CODE=$EXIT_CODE" >> $GITHUB_OUTPUT
            exit 0  # Check severity next
          }
        continue-on-error: true

      - name: Check pip-audit results
        run: |
          python ${{ github.workspace }}/scripts/check_pip_audit.py \
            --report ${{ github.workspace }}/backend/pip-audit-report.json \
            --config ${{ github.workspace }}/.audit-config.yaml

      - name: Generate CycloneDX SBOM
        run: |
          python ${{ github.workspace }}/scripts/generate_sbom.py --output ${{ github.workspace }}/sbom.json --include-dev

      - name: Upload pip-audit report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: pip-audit-report
          path: ${{ github.workspace }}/backend/pip-audit-report.json

      - name: Upload SBOM
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: ${{ github.workspace }}/sbom.json

  benchmark:
    runs-on: ubuntu-latest
    needs: [backend-lint]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install backend system dependencies
        run: sudo apt-get update && sudo apt-get install -y libcairo2-dev pkg-config
      - name: Install backend dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r backend/requirements.txt -r backend/requirements-dev.txt
      - name: Run benchmarks
        id: run_benchmarks
        run: python3 scripts/run_benchmarks.py
        continue-on-error: true
      - name: Upload benchmark comparison artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: benchmark-threshold-comparison
          path: |
            benchmark_results.json
            benchmark_threshold_comparison.json
      - name: Add warning annotation on failure
        if: steps.run_benchmarks.outcome == 'failure'
        run: |
          echo "::warning::Performance benchmark thresholds exceeded or benchmarks failed to run. Check the job logs for details."
  frontend-run-checks:
    needs: [detect-changes, formatting-hygiene]
    if: |
      always() &&
      needs.detect-changes.outputs.run_frontend == 'true' &&
      (needs.formatting-hygiene.result == 'success' || needs.formatting-hygiene.result == 'skipped')
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [20, 22]

    defaults:
      run:
        working-directory: frontend
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
          cache: "npm"
          cache-dependency-path: frontend/package-lock.json
      - name: Install frontend dependencies
        run: npm ci
      - name: Run npm audit
        id: npm_audit
        run: |
          npm audit --json > ${{ github.workspace }}/frontend/npm-audit-report.json || {
            EXIT_CODE=$?
            echo "EXIT_CODE=$EXIT_CODE" >> $GITHUB_OUTPUT
            exit 0  # Check severity next
          }
        continue-on-error: true
      - name: Install Python YAML library
        run: pip install pyyaml
      - name: Check npm audit results
        run: python ${{ github.workspace }}/scripts/check_npm_audit.py --report ${{ github.workspace }}/frontend/npm-audit-report.json --config ${{ github.workspace }}/.audit-config.yaml
      - name: Upload npm-audit report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: npm-audit-report
          path: frontend/npm-audit-report.json
      - name: Run frontend TypeScript typecheck
        run: npm run typecheck
      - name: Note TypeScript typecheck in job summary
        if: always()
        run: |
          echo "Frontend TypeScript typecheck: npm run typecheck" >> "$GITHUB_STEP_SUMMARY"
      - name: Run frontend quality gate
        run: npm run quality
      - name: Run unit tests
        run: npm run test
      - name: Build frontend
        run: npm run build

  frontend-checks:
    needs: [frontend-run-checks]
    if: always()
    runs-on: ubuntu-latest
    steps:
      - name: Check matrix results
        run: |
          if [ "${{ needs.frontend-run-checks.result }}" = "success" ] || [ "${{ needs.frontend-run-checks.result }}" = "skipped" ]; then
            echo "Frontend checks completed successfully or skipped"
            exit 0
          else
            echo "Frontend checks failed"
            exit 1
          fi