From 110056b8545cfcea887630d9b2d0810575b20bd4 Mon Sep 17 00:00:00 2001 From: Dhanxy Date: Sat, 23 May 2026 20:00:11 -0400 Subject: [PATCH 1/6] ci: inyectar pipeline devsecops en la estructura de OWASP --- .github/workflows/devsecops.yml | 38 +++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/workflows/devsecops.yml diff --git a/.github/workflows/devsecops.yml b/.github/workflows/devsecops.yml new file mode 100644 index 0000000000..7aa04057a8 --- /dev/null +++ b/.github/workflows/devsecops.yml @@ -0,0 +1,38 @@ +name: DevSecOps CI Pipeline + +on: + push: + branches: [ "main", "master", "feature/security-pipeline" ] + pull_request: + branches: [ "main", "master" ] + +jobs: + security-scans: + runs-on: ubuntu-latest + + steps: + - name: Checkout del código + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Escaneo de Secretos con Gitleaks + uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + continue-on-error: true + + - name: Configurar Node.js + uses: actions/setup-node@v4 + with: + node-version: '18' + + - name: Instalar dependencias del proyecto + run: npm install + + - name: Escaneo de dependencias con Snyk + uses: snyk/actions/node@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + args: --severity-threshold=high \ No newline at end of file From 8807b21edcc0d5b654ec5e613309a5771a9bb554 Mon Sep 17 00:00:00 2001 From: Dhanxy Date: Sat, 23 May 2026 20:26:26 -0400 Subject: [PATCH 2/6] continuar con fallas --- .github/workflows/devsecops.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/devsecops.yml b/.github/workflows/devsecops.yml index 7aa04057a8..5234b8b34b 100644 --- a/.github/workflows/devsecops.yml +++ b/.github/workflows/devsecops.yml 
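Review bot: `uses: snyk/actions/node@master` in the Snyk step pins a third-party action to a mutable branch, so whatever lands on that repository's `master` (by its maintainers or by anyone who compromises it) runs here with `SNYK_TOKEN` in its environment; pin it to a release tag or, better, a full commit SHA, e.g. `uses: snyk/actions/node@<full-commit-sha>  # <release tag>` (placeholders). The same applies to `aquasecurity/trivy-action@master` added in patch 6. Separately, `run: npm install` re-resolves the dependency tree on every run, so the Snyk result can drift between runs of the same commit; if the repository ships a package-lock.json, `run: npm ci` installs exactly the locked tree, which is what the SCA scan should be judging.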
@@ -35,4 +35,5 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - args: --severity-threshold=high \ No newline at end of file + args: --severity-threshold=high + continue-on-error: true # <-- Esto hace que el pipeline reporte los fallos pero siga en verde \ No newline at end of file From 68c64d68280223330933220e835badfc7292c084 Mon Sep 17 00:00:00 2001 From: Dhanxy Date: Sat, 23 May 2026 20:35:49 -0400 Subject: [PATCH 3/6] se corrige el continue --- .github/workflows/devsecops.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/devsecops.yml b/.github/workflows/devsecops.yml index 5234b8b34b..8e80c8b46f 100644 --- a/.github/workflows/devsecops.yml +++ b/.github/workflows/devsecops.yml @@ -36,4 +36,4 @@ jobs: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: args: --severity-threshold=high - continue-on-error: true # <-- Esto hace que el pipeline reporte los fallos pero siga en verde \ No newline at end of file + continue-on-error: true # <-- Esto hace que el pipeline reporte los fallos pero siga en verde \ No newline at end of file From aeeed07b78ded1984411e906c64955b2da350146 Mon Sep 17 00:00:00 2001 From: Dhanxy Date: Sat, 23 May 2026 20:40:50 -0400 Subject: [PATCH 4/6] =?UTF-8?q?ci:=20implementar=20esc=C3=A1ner=20SAST=20c?= =?UTF-8?q?on=20CodeQL?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/devsecops.yml | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/.github/workflows/devsecops.yml b/.github/workflows/devsecops.yml index 8e80c8b46f..e1c1eb5dfd 100644 --- a/.github/workflows/devsecops.yml +++ b/.github/workflows/devsecops.yml 
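Review bot: With `continue-on-error: true` on the Snyk step the job finishes green whether Snyk found high-severity issues, could not authenticate, or did not run at all, and the only trace is inside the step log; the inline comment records that this is intentional, but nothing surfaces the findings. If the intent is report-without-blocking, have Snyk also emit SARIF (`args: --severity-threshold=high --sarif-file-output=snyk.sarif`) and upload it with `github/codeql-action/upload-sarif`, as patch 6 does for Trivy, so results appear under the repository's Security tab; that upload needs the `security-events: write` permission that patch 5 later grants. Patch 3's follow-up on these same lines appears to only correct the indentation of the key added here.
```yaml
        with:
          args: --severity-threshold=high --sarif-file-output=snyk.sarif
        continue-on-error: true

      - name: Subir resultados de Snyk a GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: snyk.sarif
          category: snyk
```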
@@ -22,6 +22,20 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true + # --- AQUÍ INICIA EL NUEVO BLOQUE SAST (CodeQL) --- + - name: Inicializar CodeQL (SAST) + uses: github/codeql-action/init@v3 + with: + languages: 'javascript' # NodeGoat usa JavaScript + + - name: Auto-compilación de CodeQL + uses: github/codeql-action/autobuild@v3 + + - name: Ejecutar Análisis de CodeQL + uses: github/codeql-action/analyze@v3 + continue-on-error: true + # --- AQUÍ TERMINA EL BLOQUE SAST --- + - name: Configurar Node.js uses: actions/setup-node@v4 with: @@ -30,10 +44,11 @@ jobs: - name: Instalar dependencias del proyecto run: npm install - - name: Escaneo de dependencias con Snyk + # Tu paso de SCA que ya funciona perfectamente: + - name: Escaneo de dependencias con Snyk (SCA) uses: snyk/actions/node@master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: args: --severity-threshold=high - continue-on-error: true # <-- Esto hace que el pipeline reporte los fallos pero siga en verde \ No newline at end of file + continue-on-error: true \ No newline at end of file From beeda61ab8927cddd5d73df747f12153b3358f01 Mon Sep 17 00:00:00 2001 From: Dhanxy Date: Sat, 23 May 2026 21:04:18 -0400 Subject: [PATCH 5/6] usar solo el evento push para habilitar escritura en SAST --- .github/workflows/devsecops.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/devsecops.yml b/.github/workflows/devsecops.yml index e1c1eb5dfd..48d0ee5bfc 100644 --- a/.github/workflows/devsecops.yml +++ b/.github/workflows/devsecops.yml 
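Review bot: `continue-on-error: true` on the `github/codeql-action/analyze@v3` step does not play the role it plays on the Snyk step: as far as I know analyze does not fail the job on alerts (those go to code scanning), so the flag only suppresses genuine errors such as a rejected SARIF upload, leaving the run green with no results to show for it; drop that line. The `github/codeql-action/autobuild@v3` step is, to my knowledge, a no-op for `languages: 'javascript'` (the init step extracts interpreted languages directly) and can be removed, though it is harmless. The CodeQL steps also run before `Configurar Node.js` and `npm install`, which is fine for the JavaScript extractor but deserves a one-line comment such as `# CodeQL for JavaScript needs no build or installed dependencies` so nobody later "fixes" the order.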
@@ -3,8 +3,12 @@ name: DevSecOps CI Pipeline on: push: branches: [ "main", "master", "feature/security-pipeline" ] - pull_request: - branches: [ "main", "master" ] + +# --- AQUÍ AGREGA LOS PERMISOS PARA SAST --- +permissions: + security-events: write # Permite a CodeQL escribir los hallazgos en tu pestaña de seguridad + actions: read # Permite leer el estado de la ejecución + contents: read # Permite leer tu código fuente jobs: security-scans: @@ -22,11 +26,10 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true - # --- AQUÍ INICIA EL NUEVO BLOQUE SAST (CodeQL) --- - name: Inicializar CodeQL (SAST) uses: github/codeql-action/init@v3 with: - languages: 'javascript' # NodeGoat usa JavaScript + languages: 'javascript' - name: Auto-compilación de CodeQL uses: github/codeql-action/autobuild@v3 @@ -34,7 +37,6 @@ jobs: - name: Ejecutar Análisis de CodeQL uses: github/codeql-action/analyze@v3 continue-on-error: true - # --- AQUÍ TERMINA EL BLOQUE SAST --- - name: Configurar Node.js uses: actions/setup-node@v4 @@ -44,7 +46,6 @@ jobs: - name: Instalar dependencias del proyecto run: npm install - # Tu paso de SCA que ya funciona perfectamente: - name: Escaneo de dependencias con Snyk (SCA) uses: snyk/actions/node@master env: From 57dd595193117e321cb7481049789daf6a08be72 Mon Sep 17 00:00:00 2001 From: Dhanxy Date: Sat, 23 May 2026 21:16:16 -0400 Subject: [PATCH 6/6] ci: separar pipeline en jobs paralelos para codigo e infraestructura --- .github/workflows/devsecops.yml | 46 ++++++++++++++++++++++++++++----- 1 file changed, 39 insertions(+), 7 deletions(-) diff --git a/.github/workflows/devsecops.yml b/.github/workflows/devsecops.yml index 48d0ee5bfc..bd189cf299 100644 --- a/.github/workflows/devsecops.yml +++ b/.github/workflows/devsecops.yml 
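Review bot: Dropping `pull_request:` from `on:` means pull requests are no longer scanned at all; only pushes to the three listed branches trigger the workflow, so findings arrive after merge instead of before. The `permissions:` block added in the same hunk already grants `security-events: write` to pull_request runs from branches in this repository; only runs triggered from forks get a read-only token, and those can be handled by conditioning the upload step rather than by removing the trigger. Restore the two lines `pull_request:` / `  branches: [ "main", "master" ]` under `on:` unless pre-merge scanning is deliberately out of scope, and say so in the commit message if it is.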
@@ -4,16 +4,17 @@ on: push: branches: [ "main", "master", "feature/security-pipeline" ] -# --- AQUÍ AGREGA LOS PERMISOS PARA SAST --- permissions: - security-events: write # Permite a CodeQL escribir los hallazgos en tu pestaña de seguridad - actions: read # Permite leer el estado de la ejecución - contents: read # Permite leer tu código fuente + security-events: write + actions: read + contents: read jobs: - security-scans: + # ---------------------------------------------------- + # JOB 1: Análisis de la Aplicación (SAST + SCA) + # ---------------------------------------------------- + application-scans: runs-on: ubuntu-latest - steps: - name: Checkout del código uses: actions/checkout@v4 @@ -52,4 +53,35 @@ jobs: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: args: --severity-threshold=high - continue-on-error: true \ No newline at end of file + continue-on-error: true + + # ---------------------------------------------------- + # JOB 2: Análisis de Infraestructura (Contenedores) + # ---------------------------------------------------- + infrastructure-scans: + runs-on: ubuntu-latest + steps: + - name: Checkout del código + uses: actions/checkout@v4 + + - name: Configurar Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Construir Imagen Docker Local para pruebas + run: | + docker build -t nodegoat:local . + + - name: Escaneo de Seguridad del Contenedor con Trivy + uses: aquasecurity/trivy-action@master + with: + image-ref: 'nodegoat:local' + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + + - name: Subir resultados de Trivy a GitHub Security + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: 'trivy-results.sarif' + category: 'trivy' \ No newline at end of file
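Review bot: The `Configurar Docker Buildx` step followed by a plain `docker build -t nodegoat:local .` is a likely source of an image-not-found failure in the Trivy step: `docker/setup-buildx-action@v3` makes a docker-container builder current, and builds through that driver stay in the build cache unless `--load` is given, so `nodegoat:local` may never reach the daemon Trivy reads from. Either remove the Buildx step (the runner's default builder loads the image) or change the command to `docker build --load -t nodegoat:local .`; I have not verified the runner's builder selection, so confirm against the job log. Note also that with no `exit-code` input the Trivy step keeps its default and, to my knowledge, never fails the job on findings, so as with the other scanners the uploaded SARIF is the only signal; the `if: always()` on the upload step at least makes that path reliable. `aquasecurity/trivy-action@master` shares the mutable-ref issue raised on patch 1.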