
Add sonarqube workflow #1

Add sonarqube workflow



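# Security scanning workflow.
#
# Runs three scanners (Bandit for Python, Semgrep for multi-language rules,
# Trivy for dependencies and configuration), hands their SARIF reports to a
# SonarQube analysis, evaluates the quality gate and writes a job summary.
# Every scanner step is best-effort: a scanner failure leaves an empty SARIF
# file in place instead of failing the job, so SonarQube always receives a
# complete set of report paths.
#
# NOTE(review): actions are referenced by major-version tag (@v4, @v5, @v1).
# Pinning each one to a full commit SHA would make the references immutable.
name: Security Scan

on:
  # NOTE(review): pull_request runs triggered from forks receive no repository
  # secrets, so SONAR_TOKEN would be empty there — confirm forks are not expected.
  pull_request:
  schedule:
    - cron: '0 2 * * *'  # Run daily at 2AM UTC
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: nothing in this job pushes, comments or
# uploads results to GitHub, so read access to the checkout is all it needs.
permissions:
  contents: read

# `shell: bash` runs each step with `-eo pipefail`, so a failure on the left
# side of a pipe (e.g. the curl in the Trivy install) is no longer masked.
defaults:
  run:
    shell: bash

jobs:
  security-scan:
    name: Security Analysis
    runs-on: ubuntu-latest-l-s
    env:
      # Shared by the scan and quality-gate steps; both actions read it.
      # NOTE(review): plain http — SONAR_TOKEN is sent to this host
      # unencrypted; switch to https once the server offers TLS.
      SONAR_HOST_URL: http://sonarqube.tokenmetrics.com
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis

      # ----- Setup Python Virtual Environment -----
      # The venv's bin directory is appended to GITHUB_PATH, so later steps
      # find bandit/semgrep even without re-sourcing activate.
      - name: Setup Python Environment
        run: |
          python3 -m venv security-env
          source security-env/bin/activate
          echo "VIRTUAL_ENV=$(pwd)/security-env" >> "$GITHUB_ENV"
          echo "$(pwd)/security-env/bin" >> "$GITHUB_PATH"

      # ----- Install security tooling -----
      - name: Install Bandit, Semgrep, Trivy
        run: |
          source security-env/bin/activate
          pip install --disable-pip-version-check \
            bandit[sarif]==1.7.9 \
            semgrep==1.71.0
          # NOTE(review): this fetches the installer from the unpinned `main`
          # branch and runs whatever it returns. Pin a release tag in the URL
          # and pass the matching version (`sh -s -- -b ./bin <TRIVY_VERSION>`)
          # so the binary installed here is reproducible.
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./bin
          echo "$(pwd)/bin" >> "$GITHUB_PATH"

      # ----- Python SAST (if any Python files exist) -----
      - name: Bandit Security Scan
        run: |
          source security-env/bin/activate
          # -print -quit stops at the first match; this avoids piping find into
          # grep -q, whose early exit would trip pipefail and take the else branch.
          if [ -n "$(find . -name '*.py' -not -path './node_modules/*' -not -path './security-env/*' -print -quit)" ]; then
            bandit -r . -ll -ii -f sarif -o bandit.sarif --exclude ./node_modules,./security-env || true
          else
            echo '{"version":"2.1.0","runs":[]}' > bandit.sarif
          fi
        continue-on-error: true

      # ----- Security rules (multi-language) -----
      - name: Semgrep Security Scan
        run: |
          source security-env/bin/activate
          semgrep ci --config p/ci --sarif --output semgrep.sarif || true
          # Same fallback as the other scanners so the SonarQube report path
          # list never points at a missing file.
          [ -f semgrep.sarif ] || echo '{"version":"2.1.0","runs":[]}' > semgrep.sarif
        continue-on-error: true

      # ----- Dependency and config scans -----
      # --skip-dirs keeps the scanner's own venv and the downloaded trivy
      # binary out of the findings; --exit-code 0 means findings never fail
      # the step.
      - name: Trivy FileSystem Scan
        run: |
          trivy fs . --exit-code 0 --severity HIGH,CRITICAL --format sarif --output trivy-fs.sarif --timeout 10m --scanners vuln --skip-dirs security-env,bin \
            || echo '{"version":"2.1.0","runs":[]}' > trivy-fs.sarif
        continue-on-error: true
        timeout-minutes: 12

      - name: Trivy Config Scan
        run: |
          trivy config . --exit-code 0 --severity HIGH,CRITICAL --format sarif --output trivy-config.sarif --timeout 5m --skip-dirs security-env,bin \
            || echo '{"version":"2.1.0","runs":[]}' > trivy-config.sarif
        continue-on-error: true
        timeout-minutes: 6

      # ----- SonarQube Analysis -----
      # The gate is evaluated by the dedicated step below, so this step does
      # not pass sonar.qualitygate.wait; with it, a failed gate would fail this
      # step and the gate step (and its status output) would never run.
      - name: SonarQube Scan
        uses: SonarSource/sonarqube-scan-action@v5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_APP }}
        with:
          args: |
            -Dsonar.sarifReportPaths=bandit.sarif,semgrep.sarif,trivy-fs.sarif,trivy-config.sarif
            -Dsonar.projectKey=tmai-api-sdk-typescript
            -Dsonar.projectName=tmai-api-sdk-typescript
            -Dsonar.projectVersion=${{ github.sha }}
            -Dsonar.sources=src,examples
            -Dsonar.typescript.lcov.reportPaths=coverage/lcov.info
            -Dsonar.typescript.tsconfigPath=tsconfig.json
            -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info
            -Dsonar.javascript.node.maxspace=4096
            -Dsonar.security.sources.javascriptsecurity=true
            -Dsonar.exclusions=**/node_modules/**,**/.git/**,**/dist/**,**/build/**,**/coverage/**,**/.nyc_output/**,**/docs/**,**/*.d.ts,**/package-lock.json,**/.github/**,**/*.config.js,**/*.config.ts,**/typedoc.json,**/.eslintrc.json,**/.gitignore,**/LICENSE,**/README.md,**/example.env
            -Dsonar.test.inclusions=test/**/*.test.ts,test/**/*.spec.ts
            -Dsonar.test.exclusions=**/node_modules/**,**/dist/**,**/coverage/**
            -Dsonar.coverage.exclusions=test/**,**/node_modules/**,**/dist/**,**/coverage/**,**/docs/**,**/*.config.js,**/*.config.ts,examples/**
            -Dsonar.cpd.exclusions=**/node_modules/**,**/dist/**,**/coverage/**,**/docs/**

      # ----- Quality Gate Check -----
      - name: SonarQube Quality Gate
        uses: SonarSource/sonarqube-quality-gate-action@v1
        id: sonarqube-quality-gate
        timeout-minutes: 5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_APP }}

      # ----- Security Report Summary -----
      # always() so the summary is written even when the gate fails the job.
      - name: Security Report Summary
        if: always()
        env:
          # Passed via env rather than interpolated into the script so the
          # value is never parsed as shell; falls back when the gate step
          # did not run.
          QG_STATUS: ${{ steps.sonarqube-quality-gate.outputs.status || 'not evaluated' }}
        run: |
          cat >> "$GITHUB_STEP_SUMMARY" <<EOF
          ## Security Scan Summary
          ### Tools Used:
          - ✅ Bandit (Python)
          - ✅ Semgrep (Multi-language)
          - ✅ Trivy (Dependencies & Config)
          - ✅ SonarQube (Comprehensive Analysis)

          ### Results:
          - SonarQube Quality Gate: ${QG_STATUS}
          - Security vulnerabilities will be reported in SonarQube dashboard
          - View detailed results at: http://sonarqube.tokenmetrics.com/dashboard?id=tmai-api-sdk-typescript
          EOF

      # ----- Cleanup Virtual Environment -----
      - name: Cleanup
        if: always()
        run: |
          rm -rf security-env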