feat: add npm packages check and rename other github actions

.github/workflows/coverage.yml → .github/workflows/coverage-integration-tests.yml

@@ -1,4 +1,4 @@
-name: Coverage
+name: Coverage Integration tests
 
 on:
   workflow_dispatch:
@@ -8,7 +8,7 @@ on:
     - release/*
 
 jobs:
-  run-tests:
+  run-integration-tests:
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -34,5 +34,5 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
           cache: 'pip'
-      - name: coverage
+      - name: coverage-integration-tests
         run: make coverage

.github/workflows/eslint.yml

@@ -0,0 +1,36 @@
+name: Run eslint
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+    - main
+  pull_request:
+    branches:
+    - main
+    - release/*
+
+permissions:
+  contents: read
+
+jobs:
+  es-lint:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [16.x]
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache-dependency-path: |
+            ./frontend/package-lock.json
+            ./frontend/package.json
+      - run: npm install
+        working-directory: frontend
+      - run: npm run lint
+        working-directory: frontend

.github/workflows/static-checking.yml → .github/workflows/lint.yml

@@ -1,4 +1,4 @@
-name: Static Checking
+name: Run Lint
 
 on:
   workflow_dispatch:
@@ -8,8 +8,7 @@ on:
       - release/*
 
 jobs:
-  Check:
-
+  lint:
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -26,5 +25,6 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           python -m pip install isort
+          python -m pip install flake8
       - name: Lint
-        run: make lint
+        run: python -m flake8 --exclude cdk.out,blueprints --ignore E402,E501,F841,W503,F405,F403,F401,E712,E203 backend/

.github/workflows/npm-audit.yml

@@ -0,0 +1,36 @@
+name: Run npm-audit
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+    - main
+  pull_request:
+    branches:
+    - main
+    - release/*
+
+permissions:
+  contents: read
+
+jobs:
+  npm-audit:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [16.x]
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache-dependency-path: |
+            ./frontend/package-lock.json
+            ./frontend/package.json
+      - run: npm ci
+        working-directory: frontend
+      - run: npm run audit
+        working-directory: frontend

.github/workflows/semgrep-schedule.yml

@@ -0,0 +1,35 @@
+name: Run Semgrep-full
+
+on:
+  workflow_dispatch:
+    branches:
+      - main
+  schedule:
+    - cron:  '0 1 * * 2'
+
+permissions:
+  contents: read
+
+jobs:
+  semgrep-full:
+    runs-on: ubuntu-latest
+
+    container:
+      # A Docker image with Semgrep installed. Do not change this.
+      image: returntocorp/semgrep
+
+    # Skip any PR created by dependabot to avoid permission issues:
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+      - uses: actions/checkout@v3
+      - run: semgrep ci --verbose --metrics=off --sarif --output=semgrep.sarif
+        env:
+           # Add the rules that Semgrep uses by setting the SEMGREP_RULES environment variable.
+           SEMGREP_RULES: p/default # more at semgrep.dev/explore
+
+      - name: Upload SARIF file for GitHub Advanced Security Dashboard
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: semgrep.sarif
+        if: always()

.github/workflows/semgrep.yml

@@ -0,0 +1,34 @@
+name: Run Semgrep
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+    - main
+  pull_request:
+    branches:
+    - main
+    - release/*
+
+permissions:
+  contents: read
+
+jobs:
+  semgrep:
+    runs-on: ubuntu-latest
+
+    container:
+      # A Docker image with Semgrep installed. Do not change this.
+      image: returntocorp/semgrep
+
+    # Skip any PR created by dependabot to avoid permission issues:
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+      # Fetch project source with GitHub Actions Checkout.
+      - uses: actions/checkout@v3
+      # Run the "semgrep ci" command on the command line of the docker image.
+      - run: semgrep scan --error --verbose --metrics=off
+        env:
+           # Add the rules that Semgrep uses by setting the SEMGREP_RULES environment variable.
+           SEMGREP_RULES: p/default # more at semgrep.dev/explore

.github/workflows/validate-db-schema.yml

@@ -12,7 +12,7 @@ env:
   schema_name: validation
 
 jobs:
-  run-tests:
+  validate-migrations:
     runs-on: ubuntu-latest
     strategy:
       matrix:

.semgrepignore

@@ -0,0 +1,29 @@
+# Items added to this file will be ignored by Semgrep.
+#
+# This file uses .gitignore syntax:
+#
+# To ignore a file anywhere it occurs in your project, enter a
+# glob pattern here. E.g. "*.min.js".
+#
+# To ignore a directory anywhere it occurs in your project, add
+# a trailing slash to the file name. E.g. "dist/".
+#
+# To ignore a file or directory only relative to the project root,
+# include a slash anywhere except the last character. E.g.
+# "/dist/", or "src/generated".
+#
+# Some parts of .gitignore syntax are not supported, and patterns
+# using this syntax will be dropped from the ignore list:
+# - Explicit "include syntax", e.g. "!kept/".
+# - Multi-character expansion syntax, e.g. "*.py[cod]"
+# To include ignore patterns from another file, start a line
+# with ':include', followed by the path of the file. E.g.
+# ":include path/to/other/ignore/file".
+# UPDATE: this will not be be needed in osemgrep which supports
+# all of the .gitignore syntax (!kept/, *.py[cod])
+#
+# To ignore a file with a literal ':' character, escape it with
+# a backslash, e.g. "\:foo".
+
+/backend/local.cdkapi.server.py
+/backend/local.graphql.server.py

deploy/stacks/solution_bundling.py

@@ -20,12 +20,12 @@ def try_bundle(self, output_dir: str, options: BundlingOptions) -> bool:
         subprocess.check_output(
             command,
             stderr=subprocess.STDOUT,
-            shell=True,
+            shell=True, #nosec
         )
 
         ls_output = subprocess.check_output(
             [f'ls -ll {output_dir}'],
             stderr=subprocess.STDOUT,
-            shell=True,
+            shell=True, #nosec
         )
         return True

frontend/docker/dev/Dockerfile

@@ -15,11 +15,9 @@ RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/$NVM_VERSION/install.s
 RUN . ~/.nvm/nvm.sh && nvm install node
 RUN echo '. ~/.nvm/nvm.sh' >>  ~/.bashrc
 
-RUN . ~/.nvm/nvm.sh && npm install -g npm yarn
+COPY package.json package-lock.json ./
 
-COPY package.json yarn.lock ./
-
-RUN . ~/.nvm/nvm.sh && yarn install
+RUN . ~/.nvm/nvm.sh && npm install && npm clean cache --force
 
 ENV PATH="./node_modules/.bin:$PATH"
 
@@ -31,7 +29,7 @@ RUN cp /etc/nginx/nginx.template /etc/nginx/nginx.conf
 
 COPY . ./
 
-RUN . ~/.nvm/nvm.sh && yarn build
+RUN . ~/.nvm/nvm.sh && npm build
 
 RUN cp -a build/. /usr/share/nginx/html/
 

frontend/docker/prod/Dockerfile

@@ -17,11 +17,9 @@ RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/$NVM_VERSION/install.s
 RUN . ~/.nvm/nvm.sh && nvm install node
 RUN echo '. ~/.nvm/nvm.sh' >>  ~/.bashrc
 
-RUN . ~/.nvm/nvm.sh && npm install -g npm yarn
+COPY package.json package-lock.json ./
 
-COPY package.json yarn.lock ./
-
-RUN . ~/.nvm/nvm.sh && yarn install
+RUN . ~/.nvm/nvm.sh && npm ci --production && npm clean cache --force
 
 ENV PATH="./node_modules/.bin:$PATH"