chore: enhance security workflows and dependency management

Author: botshelomokoka

.github/workflows/dependency-updates.yml

@@ -5,91 +5,53 @@ on:
     - cron: '0 0 * * 1'  # Run weekly on Monday
   workflow_dispatch:  # Allow manual trigger
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
-  update-dependencies:
+  dependency-update:
     runs-on: ubuntu-latest
-    timeout-minutes: 30
-    
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v3
-        with:
-          node-version: 'lts/*'
-          cache: 'npm'
+      - uses: actions/checkout@v4
 
-      - name: Check for npm updates
-        id: npm-check
+      # Rust dependencies
+      - name: Update Rust dependencies
         run: |
-          npm install -g npm-check-updates
-          ncu --upgrade
-          if [[ $(git status --porcelain) ]]; then
-            echo "updates_available=true" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Create Pull Request for npm
-        if: steps.npm-check.outputs.updates_available == 'true'
-        uses: peter-evans/create-pull-request@v5
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          commit-message: "chore(deps): Update npm dependencies"
-          title: "chore(deps): Update npm dependencies"
-          body: "Automated dependency updates"
-          branch: "deps/npm-updates"
-          labels: "dependencies,automated pr"
-
-      - name: Setup Python
-        uses: actions/setup-python@v4
-        with:
-          python-version: '3.x'
-          cache: 'pip'
+          cargo install cargo-edit
+          cargo upgrade --workspace
 
-      - name: Check for pip updates
-        id: pip-check
+      # NPM dependencies
+      - name: Update NPM dependencies
         run: |
-          pip install pip-review
-          pip-review --auto
-          if [[ $(git status --porcelain) ]]; then
-            echo "updates_available=true" >> $GITHUB_OUTPUT
+          if [ -f package.json ]; then
+            npm update
+            npm audit fix
           fi
 
-      - name: Create Pull Request for pip
-        if: steps.pip-check.outputs.updates_available == 'true'
-        uses: peter-evans/create-pull-request@v5
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          commit-message: "chore(deps): Update pip dependencies"
-          title: "chore(deps): Update pip dependencies"
-          body: "Automated dependency updates"
-          branch: "deps/pip-updates"
-          labels: "dependencies,automated pr"
-
-      - name: Setup Rust
-        uses: actions-rs/toolchain@v1
-        with:
-          toolchain: stable
-          profile: minimal
-
-      - name: Check for Cargo updates
-        id: cargo-check
+      # Python dependencies
+      - name: Update Python dependencies
         run: |
-          cargo update
-          if [[ $(git status --porcelain) ]]; then
-            echo "updates_available=true" >> $GITHUB_OUTPUT
+          if [ -f requirements.txt ]; then
+            pip install pip-tools
+            pip-compile --upgrade requirements.in
           fi
 
-      - name: Create Pull Request for Cargo
-        if: steps.cargo-check.outputs.updates_available == 'true'
+      # Create Pull Request
+      - name: Create Pull Request
         uses: peter-evans/create-pull-request@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-          commit-message: "chore(deps): Update Cargo dependencies"
-          title: "chore(deps): Update Cargo dependencies"
-          body: "Automated dependency updates"
-          branch: "deps/cargo-updates"
-          labels: "dependencies,automated pr"
+          commit-message: "chore(deps): Update dependencies"
+          title: "chore(deps): Update dependencies"
+          body: |
+            Automated dependency updates
+            
+            This PR updates dependencies to their latest versions and includes security fixes.
+            
+            Please review the changes carefully before merging.
+          branch: "deps/update-dependencies"
+          base: "main"
+          labels: "dependencies,security"
+          reviewers: "${{ github.repository_owner }}"
+          delete-branch: true

.github/workflows/security-scan.yml

@@ -26,118 +26,45 @@ jobs:
 
       # CodeQL Analysis
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
         with:
           languages: python, javascript, rust
           queries: security-extended,security-and-quality
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v3
         with:
           category: "/language:python /language:javascript /language:rust"
 
-      # Dependency Scanning
-      - name: Run Snyk to check for vulnerabilities
-        uses: snyk/actions/node@master
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        with:
-          args: --severity-threshold=high
+      # Dependency Review
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v3
+        if: github.event_name == 'pull_request'
 
-      # Secret Scanning
-      - name: TruffleHog OSS
-        uses: trufflesecurity/trufflehog@main
+      # Rust Security Audit
+      - name: Run Rust Audit
+        uses: actions-rs/audit-check@v1
         with:
-          path: ./
-          base: ${{ github.event.repository.default_branch }}
-          head: HEAD
-          extra_args: --debug --only-verified
+          token: ${{ secrets.GITHUB_TOKEN }}
 
-      # Container Scanning
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: 'fs'
-          scan-ref: '.'
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          severity: 'CRITICAL,HIGH'
+      # NPM Audit
+      - name: Run npm audit
+        run: |
+          if [ -f package.json ]; then
+            npm audit
+          fi
 
-      # SAST
-      - name: SonarCloud Scan
-        uses: SonarSource/sonarcloud-github-action@master
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      # Python dependency check
+      - name: Run pip audit
+        run: |
+          if [ -f requirements.txt ]; then
+            python -m pip install pip-audit
+            pip-audit
+          fi
 
-      # Security Report Generation
-      - name: Generate Security Report
+      # SARIF upload
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
         if: always()
-        uses: actions/github-script@v6
-        with:
-          script: |
-            const fs = require('fs');
-            
-            const report = `## Security Scan Report
-            
-            ### 🔍 Scan Summary
-            - CodeQL Analysis: ${{ job.status }}
-            - Dependency Scan: ${{ steps.snyk.outcome }}
-            - Secret Scan: ${{ steps.trufflehog.outcome }}
-            - Container Scan: ${{ steps.trivy.outcome }}
-            - SAST Analysis: ${{ steps.sonarcloud.outcome }}
-            
-            ### 🚨 Critical Findings
-            ${fs.existsSync('trivy-results.json') ? require('./trivy-results.json').filter(f => f.Severity === 'CRITICAL').map(f => `- ${f.VulnerabilityID}: ${f.Title}`).join('\n') : 'No critical findings'}
-            
-            ### 📊 Metrics
-            - Code Coverage: ${fs.existsSync('sonar-results.json') ? require('./sonar-results.json').coverage : 'N/A'}
-            - Security Rating: ${fs.existsSync('sonar-results.json') ? require('./sonar-results.json').securityRating : 'N/A'}
-            
-            ### 🔐 Recommendations
-            1. Review all critical and high severity findings
-            2. Update vulnerable dependencies
-            3. Address any identified secrets or credentials
-            `;
-            
-            // Create/update security report issue
-            const { data: issues } = await github.rest.issues.listForRepo({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              labels: ['security-report'],
-              state: 'open'
-            });
-            
-            if (issues.length > 0) {
-              await github.rest.issues.update({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: issues[0].number,
-                body: report
-              });
-            } else {
-              await github.rest.issues.create({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                title: 'Security Scan Report',
-                body: report,
-                labels: ['security-report']
-              });
-            }
-
-      # Notify on Critical Issues
-      - name: Notify Security Team
-        if: failure()
-        uses: actions/github-script@v6
         with:
-          script: |
-            const message = `🚨 Critical security issues found in the latest scan!
-            Please review the security report immediately.`;
-            
-            await github.rest.issues.createComment({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.issue.number,
-              body: message
-            });
+          sarif_file: results.sarif