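--- a/.github/workflows/devsecops.yml
+++ b/.github/workflows/devsecops.yml
@@ -0,0 +1,87 @@
+name: DevSecOps CI Pipeline
+
+on:
+push:
+branches: [ "main", "master", "feature/security-pipeline" ]
+
+permissions:
+security-events: write
+actions: read
+contents: read
+
+jobs:
+# ----------------------------------------------------
+# JOB 1: Análisis de la Aplicación (SAST + SCA)
+# ----------------------------------------------------
+application-scans:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout del código
+uses: actions/checkout@v4
+with:
+fetch-depth: 0
+
+- name: Escaneo de Secretos con Gitleaks
+uses: gitleaks/gitleaks-action@v2
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+continue-on-error: true
+
+- name: Inicializar CodeQL (SAST)
+uses: github/codeql-action/init@v3
+with:
+languages: 'javascript'
+
+- name: Auto-compilación de CodeQL
+uses: github/codeql-action/autobuild@v3
+
+- name: Ejecutar Análisis de CodeQL
+uses: github/codeql-action/analyze@v3
+continue-on-error: true
+
+- name: Configurar Node.js
+uses: actions/setup-node@v4
+with:
+node-version: '18'
+
+- name: Instalar dependencias del proyecto
+run: npm install
+
+- name: Escaneo de dependencias con Snyk (SCA)
+uses: snyk/actions/node@master
+env:
+SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+with:
+args: --severity-threshold=high
+continue-on-error: true
+
+# ----------------------------------------------------
+# JOB 2: Análisis de Infraestructura (Contenedores)
+# ----------------------------------------------------
+infrastructure-scans:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout del código
+uses: actions/checkout@v4
+
+- name: Configurar Docker Buildx
+uses: docker/setup-buildx-action@v3
+
+- name: Construir Imagen Docker Local para pruebas
+run: |
+docker build -t nodegoat:local .
+
+- name: Escaneo de Seguridad del Contenedor con Trivy
+uses: aquasecurity/trivy-action@master
+with:
+image-ref: 'nodegoat:local'
+format: 'sarif'
+output: 'trivy-results.sarif'
+severity: 'CRITICAL,HIGH'
+
+- name: Subir resultados de Trivy a GitHub Security
+uses: github/codeql-action/upload-sarif@v3
+if: always()
+with:
+sarif_file: 'trivy-results.sarif'
+category: 'trivy'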
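Review bot: The Snyk and Trivy steps pull from a moving branch (`uses: snyk/actions/node@master`, `uses: aquasecurity/trivy-action@master`), so any change on those upstream branches silently changes the code that runs with `SNYK_TOKEN` and the workflow's `security-events: write` scope; pin every `uses:` to a full commit SHA with the release as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # <release tag>`, and treat the `@v2`/`@v3`/`@v4` tags the same way, since major-version tags are also mutable. With `continue-on-error: true` on the Gitleaks, CodeQL-analyze and Snyk steps, and no `exit-code` on the Trivy step, no finding can fail the workflow, so the pipeline is report-only; if that is intended, say so in a comment above those steps, otherwise drop the flag at least on the Gitleaks step so a committed credential blocks the push. `run: npm install` can resolve versions that differ from the committed lockfile, so the Snyk scan may not cover what is actually deployed; `run: npm ci` scans the locked dependency set. Indentation appears to have been lost in this rendered view, so the nesting of these keys is inferred from their names rather than visible.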