Devsecops learning

.github/dependabot.yml

@@ -0,0 +1,17 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/" 
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 5
+    labels:
+      - "deps"
+      - "security"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    labels:
+      - "deps"
+      - "actions"

.github/workflows/codeql.yml

@@ -0,0 +1,24 @@
+name: CodeQL
+on:
+  push:
+    branches: [ main, devsecops-learning ]
+  pull_request:
+
+jobs:
+  analyze:
+    name: CodeQL
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: javascript
+      - name: Autobuild (no-op for JS but included)
+        uses: github/codeql-action/autobuild@v2
+      - name: Run CodeQL
+        uses: github/codeql-action/analyze@v2

.github/workflows/gitleaks.yml

@@ -0,0 +1,24 @@
+name: gitleaks-scan
+on:
+  pull_request:
+  push:
+    branches: [ main ]
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout (full history for better scanning)
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run gitleaks (official action v2)
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}        # required for PR scanning/comments
+          # If your repo is under an Organization you must set GITLEAKS_LICENSE as an org or repo secret:
+          # GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+          # Optional environment flags the action accepts (see README):
+          # GITLEAKS_CONFIG: .gitleaks.toml
+          # GITLEAKS_ENABLE_UPLOAD_ARTIFACT: "true"

.github/workflows/scan-trivy.yml

@@ -0,0 +1,31 @@
+name: scan-trivy
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Build Docker image
+        run: docker build -t my-org/my-app:${{ github.sha }} .
+
+      - name: Run Trivy action
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: my-org/my-app:${{ github.sha }}
+          format: json
+          output: trivy-report.json
+          severity: CRITICAL,HIGH,MEDIUM
+
+      - name: Upload report
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-report
+          path: trivy-report.json

.github/workflows/semgrep.yml

@@ -0,0 +1,27 @@
+name: semgrep-scan
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+
+jobs:
+  semgrep:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Semgrep
+        run: |
+          pip install semgrep
+
+      - name: Run Semgrep scan
+        run: semgrep --config auto --json > semgrep-report.json
+
+      - name: Upload Semgrep report
+        uses: actions/upload-artifact@v4   # <-- FIXED!
+        with:
+          name: semgrep-report
+          path: semgrep-report.json