Skip to content
Merged
Show file tree
Hide file tree
Changes from 15 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 35 additions & 0 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -406,6 +406,41 @@ make test
This command runs tests and checks that coverage threshold requirements are satisfied for both backend and frontend.
**Please note your PR won't be merged if it fails the code tests checks.**

### Running Security Scan

Run the security scans for vulnerabilities and anti-patterns with the following command:

```bash
make security-scan
```

This command automatically:

- Performs local Semgrep and Trivy scans
- Outputs findings to the terminal for immediate review

For addressing findings:

- Review the output for specific file paths and line numbers
- Follow the documentation links provided in the output for remediation guidance
- Use # NOSEMGREP to suppress confirmed false positives while adding a short comment explaining each suppression

#### Running Code Scans Only

You can run code scan part separately via

```bash
make security-scan-code
```

#### Running Image Scans Only

You can run image scan part separately via

```bash
make security-scan-images
```

### Running e2e Tests

Run the frontend e2e tests with the following command:
Expand Down
28 changes: 23 additions & 5 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -56,12 +56,20 @@ run:
docker compose -f docker-compose/local/compose.yaml --project-name nest-local build && \
docker compose -f docker-compose/local/compose.yaml --project-name nest-local up --remove-orphans

scan-images: \
scan-backend-image \
scan-frontend-image
security-scan: \
security-scan-code \
security-scan-images

security-scan:
@echo "Running Security Scan..."
security-scan-code: \
security-scan-code-semgrep \
security-scan-code-trivy

security-scan-images: \
security-scan-backend-image \
security-scan-frontend-image

security-scan-code-semgrep:
@echo "Running Semgrep security scan..."
@docker run --rm \
-v "$(PWD):/src" \
-w /src \
Expand Down Expand Up @@ -98,6 +106,16 @@ security-scan:
--text-output=semgrep-security-report.txt \
.

security-scan-code-trivy:
@echo "Running Trivy security scan..."
@docker run \
--rm \
-v "$(PWD):/src" \
-w /src \
aquasec/trivy fs \
--config trivy.yaml \
.

test: \
test-nest-app

Expand Down
2 changes: 1 addition & 1 deletion backend/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -157,7 +157,7 @@ save-backup:
@CMD="python manage.py dumpdata --natural-primary --natural-foreign --indent=2" $(MAKE) exec-backend-command > backend/data/backup.json
@gzip backend/data/backup.json

scan-backend-image: build-backend-local-image
security-scan-backend-image: build-backend-local-image
@trivy image \
--config trivy.yaml \
--docker-host $$(docker context inspect --format '{{.Endpoints.docker.Host}}' 2>/dev/null) \
Expand Down
1 change: 1 addition & 0 deletions cspell/custom-dict.txt
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,7 @@ algoliasearch
ansa
apexcharts
apk
aquasec
aquasecurity
arithmatex
arkid15r
Expand Down
2 changes: 1 addition & 1 deletion frontend/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ generate-graphql-types:
|| (printf "pnpm run graphql-codegen"; for i in $$(seq 1 49); do printf "."; done; printf "\033[37;41mFailed\033[0m\n" \
&& pnpm run graphql-codegen))

scan-frontend-image: build-frontend-local-image
security-scan-frontend-image: build-frontend-local-image
@trivy image \
--config trivy.yaml \
--docker-host $$(docker context inspect --format '{{.Endpoints.docker.Host}}' 2>/dev/null) \
Expand Down
Loading