feat(audit): audit (#780)

au-heartbeat · Dec 6, 2023 · 7d0ea24 · 7d0ea24
2 parents ffba690 + 7771c16
commit 7d0ea24
Show file tree

Hide file tree

Showing 7 changed files with 168 additions and 54 deletions.
diff --git a/.github/workflows/BuildAndDeploy.yml b/.github/workflows/BuildAndDeploy.yml
@@ -2,9 +2,9 @@ name: Build and Deploy
 
 on:
   push:
-    branches: [ "*" ]
+    branches: ["*"]
   pull_request:
-    branches: [ "main" ]
+    branches: ["main"]
   workflow_dispatch:
 
 jobs:
@@ -16,7 +16,7 @@ jobs:
       - name: Run ShellCheck
         uses: ludeeus/action-shellcheck@master
         with:
-          scandir: './ops'
+          scandir: "./ops"
 
   fossa-check:
     runs-on: ubuntu-latest
@@ -62,19 +62,19 @@ jobs:
       - name: Run Trivy vulnerability scanner in repo mode
         uses: aquasecurity/trivy-action@master
         with:
-          scan-type: 'fs'
+          scan-type: "fs"
           ignore-unfixed: true
-          exit-code: '1'
-          severity: 'CRITICAL'
+          exit-code: "1"
+          severity: "CRITICAL"
           trivyignores: .trivyignore
 
       - name: Run Trivy vulnerability scanner in IaC mode
         uses: aquasecurity/trivy-action@master
         with:
-          scan-type: 'config'
-          exit-code: '1'
+          scan-type: "config"
+          exit-code: "1"
           ignore-unfixed: true
-          severity: 'CRITICAL'
+          severity: "CRITICAL"
           trivyignores: .trivyignore
   backend-check:
     runs-on: ubuntu-latest
@@ -140,6 +140,8 @@ jobs:
           npm install -g pnpm
           pnpm install --no-frozen-lockfile
           pnpm lint
+      - name: Audit for vulnerabilities
+        run: pnpm dlx audit-ci@^6 --critical --report-type full
       - name: Testing and coverage
         run: |
           pnpm coverage
@@ -241,11 +243,11 @@ jobs:
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: ${{ steps.login-ecr.outputs.registry }}/heartbeat_backend:latest
-          format: 'table'
-          exit-code: '1'
+          format: "table"
+          exit-code: "1"
           ignore-unfixed: true
-          severity: 'CRITICAL,HIGH'
-          trivyignores: '.trivyignore'
+          severity: "CRITICAL,HIGH"
+          trivyignores: ".trivyignore"
       # - name: Push for Backend
       #   env:
       #     REGISTRY: ${{ steps.login-ecr.outputs.registry }}
@@ -290,11 +292,11 @@ jobs:
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: ${{ steps.login-ecr.outputs.registry }}/heartbeat_frontend:latest
-          format: 'table'
-          exit-code: '1'
+          format: "table"
+          exit-code: "1"
           ignore-unfixed: true
-          severity: 'CRITICAL,HIGH'
-          trivyignores: '.trivyignore'
+          severity: "CRITICAL,HIGH"
+          trivyignores: ".trivyignore"
 
       # - name: Push for Frontend
       #   env:
@@ -341,11 +343,11 @@ jobs:
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: ${{ steps.login-ecr.outputs.registry }}/heartbeat_stub:latest
-          format: 'table'
-          exit-code: '1'
+          format: "table"
+          exit-code: "1"
           ignore-unfixed: true
-          severity: 'CRITICAL,HIGH'
-          trivyignores: '.trivyignore'
+          severity: "CRITICAL,HIGH"
+          trivyignores: ".trivyignore"
 
       # - name: Push for MockServer
       #   if: ${{ contains(github.event.head_commit.message, '[stub]') }}
@@ -517,4 +519,3 @@ jobs:
       #       docker pull ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_HOST }}/heartbeat_backend:$IMAGE_TAG
       #       docker pull ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_HOST }}/heartbeat_frontend:$IMAGE_TAG
       #       docker-compose up -d frontend
-
diff --git a/frontend/.husky/pre-push b/frontend/.husky/pre-push
@@ -1,5 +1,5 @@
 #!/usr/bin/env sh
 . "$(dirname -- "$0")/_/husky.sh"
 
-cd frontend && npm run coverage
+cd frontend && npm run audit && npm run coverage
 cd ../backend && ./gradlew clean check
diff --git a/frontend/.license-compliance.json b/frontend/.license-compliance.json
@@ -0,0 +1,17 @@
+{
+  "allowed": [
+    "UNKNOWN",
+    "Unlicense",
+    "MIT",
+    "ISC",
+    "0BSD",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "Apache-2.0",
+    "Python-2.0",
+    "CC-BY-4.0",
+    "CC-BY-3.0",
+    "WTFPL",
+    "CC0-1.0"
+  ]
+}
diff --git a/frontend/audit-ci.jsonc b/frontend/audit-ci.jsonc
@@ -0,0 +1,6 @@
+{
+  // $schema provides code completion hints to IDEs.
+  "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
+  "moderate": true,
+  "allowlist": ["@adobe/css-tools"]
+}
diff --git a/frontend/package.json b/frontend/package.json
@@ -11,12 +11,13 @@
     "preview": "vite preview",
     "lint": "eslint -c .eslintrc.json ./ && prettier --check ./",
     "fix": "eslint -c .eslintrc.json --fix && npx prettier --write . --ignore-unknown",
+    "audit": "npx audit-ci@^6 --config ./audit-ci.jsonc",
     "test": "jest",
     "coverage": "jest --env=jsdom --watchAll=false --coverage",
     "e2e:open": "TZ='PRC' cypress open",
     "e2e": "TZ='PRC' cypress run --spec cypress/",
     "prepare": "cd .. && husky install frontend/.husky",
-    "license-compliance": "license-compliance -r detailed --allow='Unlicense;MIT;ISC;0BSD;BSD-2-Clause;BSD-3-Clause;Apache-2.0;Python-2.0;CC-BY-4.0;CC-BY-3.0;WTFPL;CC0-1.0'"
+    "license-compliance": "license-compliance -r detailed"
   },
   "lint-staged": {
     "**/*": [
@@ -55,6 +56,7 @@
     "@typescript-eslint/eslint-plugin": "^5.57.1",
     "@typescript-eslint/parser": "^5.57.1",
     "@vitejs/plugin-react-swc": "^3.2.0",
+    "audit-ci": "^6.6.1",
     "autoprefixer": "^10.4.14",
     "cypress": "^13.6.0",
     "eslint": "^8.37.0",
@@ -70,7 +72,7 @@
     "identity-obj-proxy": "^3.0.0",
     "jest": "^29.7.0",
     "jest-environment-jsdom": "^29.5.0",
-    "license-compliance": "^1.2.5",
+    "license-compliance": "^2.0.1",
     "lint-staged": "^13.2.0",
     "msw": "^1.3.2",
     "prettier": "2.8.7",