backup-piepline

name: Security & Build Pipeline

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

env:
  GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}
  GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
  MONGO_URL: ${{ secrets.MONGO_URL }}
  SEMGREP_TOKEN: ${{ secrets.SEMGREP_TOKEN }}
  SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  GH_PAT: ${{ secrets.GH_PAT }}
  CLUSTER_NAME: cluster-1
  CLUSTER_ZONE: asia-south1-a
  APP_DOMAIN: "http://myapp.awsaparna123.xyz"
  FRONTEND_IMAGE: ${{ secrets.DOCKER_USERNAME }}/imdb-clone-frontend
  BACKEND_IMAGE: ${{ secrets.DOCKER_USERNAME }}/imdb-clone-backend

permissions:
  contents: read
  security-events: write
  actions: write

jobs:
  # Frontend Security Scans
  frontend-trufflehog:
    name: 🐷 Frontend TruffleHog
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Frontend Code
        uses: actions/checkout@v4
        with:
          repository: jai3747/imdb-clone-frontend
          token: ${{ secrets.GH_PAT }}
          fetch-depth: 0

      - name: TruffleHog Scan
        uses: trufflesecurity/trufflehog@v3.63.3
        continue-on-error: true
        with:
          path: .
          base: ${{ github.event.before }}
          head: ${{ github.sha }}
          extra_args: --json --output trufflehog-frontend-report.json

      - name: Upload TruffleHog Results
        uses: actions/upload-artifact@v4
        with:
          name: frontend-trufflehog-report
          path: trufflehog-frontend-report.json
          retention-days: 30

  frontend-semgrep:
    name: 🔍 Frontend Semgrep
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Frontend Code
        uses: actions/checkout@v4
        with:
          repository: jai3747/imdb-clone-frontend
          token: ${{ secrets.GH_PAT }}
          fetch-depth: 0

      - name: Semgrep Scan
        uses: semgrep/semgrep-action@v1
        continue-on-error: true
        with:
          config: p/javascript
          output: semgrep-frontend-results.json
          json: true

      - name: Upload Semgrep Results
        uses: actions/upload-artifact@v4
        with:
          name: frontend-semgrep-report
          path: semgrep-frontend-results.json
          retention-days: 30

  frontend-snyk:
    name: 🛡️ Frontend Snyk
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Frontend Code
        uses: actions/checkout@v4
        with:
          repository: jai3747/imdb-clone-frontend
          token: ${{ secrets.GH_PAT }}

      - name: Snyk Scan
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: test --json > snyk-frontend-report.json

      - name: Upload Snyk Results
        uses: actions/upload-artifact@v4
        with:
          name: frontend-snyk-report
          path: snyk-frontend-report.json
          retention-days: 30

  frontend-checkov:
    name: 🏗️ Frontend Checkov
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Frontend Code
        uses: actions/checkout@v4
        with:
          repository: jai3747/imdb-clone-frontend
          token: ${{ secrets.GH_PAT }}

      - name: Checkov Scan
        uses: bridgecrewio/checkov-action@v12
        continue-on-error: true
        with:
          directory: .
          framework: dockerfile,kubernetes,secrets
          output: json
          output-file-path: checkov-frontend-report.json

      - name: Upload Checkov Results
        uses: actions/upload-artifact@v4
        with:
          name: frontend-checkov-report
          path: checkov-frontend-report.json
          retention-days: 30

  frontend-trivy:
    name: 🔒 Frontend Trivy
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Frontend Code
        uses: actions/checkout@v4
        with:
          repository: jai3747/imdb-clone-frontend
          token: ${{ secrets.GH_PAT }}

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        continue-on-error: true
        with:
          scan-type: 'fs'
          format: 'json'
          output: 'trivy-frontend-report.json'
          severity: 'CRITICAL,HIGH,MEDIUM'

      - name: Upload Trivy Results
        uses: actions/upload-artifact@v4
        with:
          name: frontend-trivy-report
          path: trivy-frontend-report.json
          retention-days: 30

  # Backend Security Scans
  backend-trufflehog:
    name: 🐷 Backend TruffleHog
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Backend Code
        uses: actions/checkout@v4
        with:
          repository: jai3747/imdb-clone-backend
          token: ${{ secrets.GH_PAT }}
          fetch-depth: 0

      - name: TruffleHog Scan
        uses: trufflesecurity/trufflehog@v3.63.3
        continue-on-error: true
        with:
          path: .
          base: ${{ github.event.before }}
          head: ${{ github.sha }}
          extra_args: --json --output trufflehog-backend-report.json

      - name: Upload TruffleHog Results
        uses: actions/upload-artifact@v4
        with:
          name: backend-trufflehog-report
          path: trufflehog-backend-report.json
          retention-days: 30

  backend-semgrep:
    name: 🔍 Backend Semgrep
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Backend Code
        uses: actions/checkout@v4
        with:
          repository: jai3747/imdb-clone-backend
          token: ${{ secrets.GH_PAT }}
          fetch-depth: 0

      - name: Semgrep Scan
        uses: semgrep/semgrep-action@v1
        continue-on-error: true
        with:
          config: p/javascript
          output: semgrep-backend-results.json
          json: true

      - name: Upload Semgrep Results
        uses: actions/upload-artifact@v4
        with:
          name: backend-semgrep-report
          path: semgrep-backend-results.json
          retention-days: 30

  backend-snyk:
    name: 🛡️ Backend Snyk
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Backend Code
        uses: actions/checkout@v4
        with:
          repository: jai3747/imdb-clone-backend
          token: ${{ secrets.GH_PAT }}

      - name: Snyk Scan
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: test --json > snyk-backend-report.json

      - name: Upload Snyk Results
        uses: actions/upload-artifact@v4
        with:
          name: backend-snyk-report
          path: snyk-backend-report.json
          retention-days: 30

  backend-checkov:
    name: 🏗️ Backend Checkov
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Backend Code
        uses: actions/checkout@v4
        with:
          repository: jai3747/imdb-clone-backend
          token: ${{ secrets.GH_PAT }}

      - name: Checkov Scan
        uses: bridgecrewio/checkov-action@v12
        continue-on-error: true
        with:
          directory: .
          framework: dockerfile,kubernetes,secrets
          output: json
          output-file-path: checkov-backend-report.json

      - name: Upload Checkov Results
        uses: actions/upload-artifact@v4
        with:
          name: backend-checkov-report
          path: checkov-backend-report.json
          retention-days: 30

  backend-trivy:
    name: 🔒 Backend Trivy
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Backend Code
        uses: actions/checkout@v4
        with:
          repository: jai3747/imdb-clone-backend
          token: ${{ secrets.GH_PAT }}

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        continue-on-error: true
        with:
          scan-type: 'fs'
          format: 'json'
          output: 'trivy-backend-report.json'
          severity: 'CRITICAL,HIGH,MEDIUM'

      - name: Upload Trivy Results
        uses: actions/upload-artifact@v4
        with:
          name: backend-trivy-report
          path: trivy-backend-report.json
          retention-days: 30

  # Build Jobs
  frontend-build:
    needs: [frontend-trufflehog, frontend-semgrep, frontend-snyk, frontend-checkov, frontend-trivy]
    runs-on: ubuntu-latest
    outputs:
      image_tag: ${{ github.sha }}
    steps:
      - name: Checkout Frontend Code
        uses: actions/checkout@v4
        with:
          repository: jai3747/imdb-clone-frontend
          token: ${{ secrets.GH_PAT }}

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '16'
          cache: 'npm'

      - name: Install Dependencies
        run: npm ci

      - name: Run Tests
        run: npm test
        continue-on-error: true

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Build Frontend Image
        uses: docker/build-push-action@v5
        with:
          context: .
          load: true
          tags: ${{ env.FRONTEND_IMAGE }}:${{ github.sha }}
          cache-from: type=registry,ref=${{ env.FRONTEND_IMAGE }}:latest
          cache-to: type=inline
          build-args: |
            NODE_ENV=production

      - name: Scan Frontend Image with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.FRONTEND_IMAGE }}:${{ github.sha }}
          format: 'json'
          output: 'trivy-frontend-image-report.json'
          severity: 'CRITICAL,HIGH,MEDIUM'

      - name: Upload Trivy Image Scan Results
        uses: actions/upload-artifact@v4
        with:
          name: frontend-trivy-image-report
          path: trivy-frontend-image-report.json
          retention-days: 30

      - name: Push Frontend Image
        run: |
          docker push ${{ env.FRONTEND_IMAGE }}:${{ github.sha }}
          docker tag ${{ env.FRONTEND_IMAGE }}:${{ github.sha }} ${{ env.FRONTEND_IMAGE }}:latest
          docker push ${{ env.FRONTEND_IMAGE }}:latest

  backend-build:
    needs: [backend-trufflehog, backend-semgrep, backend-snyk, backend-checkov, backend-trivy]
    runs-on: ubuntu-latest
    outputs:
      image_tag: ${{ github.sha }}
    steps:
      - name: Checkout Backend Code
        uses: actions/checkout@v4
        with:
          repository: jai3747/imdb-clone-backend
          token: ${{ secrets.GH_PAT }}

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '16'
          cache: 'npm'

      - name: Install Dependencies
        run: npm ci

      - name: Run Tests
        run: npm test
        continue-on-error: true

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Build Backend Image
        uses: docker/build-push-action@v5
        with:
          context: .
          load: true
          tags: ${{ env.BACKEND_IMAGE }}:${{ github.sha }}
          cache-from: type=registry,ref=${{ env.BACKEND_IMAGE }}:latest
          cache-to: type=inline
          build-args: |
            NODE_ENV=production

      - name: Scan Backend Image with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.BACKEND_IMAGE }}:${{ github.sha }}
          format: 'json'
          output: 'trivy-backend-image-report.json'
          severity: 'CRITICAL,HIGH,MEDIUM'

      - name: Upload Trivy Image Scan Results
        uses: actions/upload-artifact@v4
        with:
          name: backend-trivy-image-report
          path: trivy-backend-image-report.json
          retention-days: 30

      - name: Push Backend Image
        run: |
          docker push ${{ env.BACKEND_IMAGE }}:${{ github.sha }}
          docker tag ${{ env.BACKEND_IMAGE }}:${{ github.sha }} ${{ env.BACKEND_IMAGE }}:latest
          docker push ${{ env.BACKEND_IMAGE }}:latest

  deploy:
    needs: [frontend-build, backend-build]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Infrastructure Code
        uses: actions/checkout@v4
        with:
          repository: jai3747/imdb-clone-backend
          token: ${{ secrets.GH_PAT }}
          path: backend
          
      - name: Google Auth
        id: auth
        uses: google-github-actions/auth@v1
        with:
          credentials_json: '${{ secrets.GCP_SA_KEY }}'
          
      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@v1
        
      - name: Install kubectl and gke-auth
        run: |
          gcloud components install kubectl gke-gcloud-auth-plugin
          gcloud --quiet auth configure-docker
          
      - name: Get GKE Credentials
        run: |
          gcloud container clusters get-credentials ${{ env.CLUSTER_NAME }} \
            --zone ${{ env.CLUSTER_ZONE }} \
            --project ${{ secrets.GCP_PROJECT_ID }}
            
      - name: Create Kubernetes Namespaces
        run: |
          kubectl create namespace mongodb --dry-run=client -o yaml | kubectl apply -f -
          kubectl create namespace backend --dry-run=client -o yaml | kubectl apply -f -
          kubectl create namespace frontend --dry-run=client -o yaml | kubectl apply -f -
          
      - name: Create Secrets
        run: |
          kubectl create secret generic mongodb-secret \
            --namespace mongodb \
            --from-literal=MONGO_URL="${{ secrets.MONGO_URL }}" \
            --dry-run=client -o yaml | kubectl apply -f -
          kubectl create secret generic backend-secret \
            --namespace backend \
            --from-literal=MONGO_URL="${{ secrets.MONGO_URL }}" \
            --dry-run=client -o yaml | kubectl apply -f -
            
      - name: Update Image Tags
        run: |
          cd backend
          sed -i "s|image: .*imdb-clone-backend.*|image: ${{ env.BACKEND_IMAGE }}:${{ needs.backend-build.outputs.image_tag }}|g" k8.yaml
          sed -i "s|image: .*imdb-clone-frontend.*|image: ${{ env.FRONTEND_IMAGE }}:${{ needs.frontend-build.outputs.image_tag }}|g" k8.yaml
          
      - name: Deploy Applications
        run: |
          cd backend
          
          kubectl apply -f k8.yaml --namespace backend
          
          
      - name: Wait for Deployments
        run: |
          kubectl rollout status statefulset/mongodb --namespace mongodb --timeout=5m
          kubectl wait --for=condition=ready pod -l app=mongodb --namespace backend --timeout=5m
          
          kubectl rollout status deployment/backend-deployment --namespace backend --timeout=5m
          kubectl wait --for=condition=ready pod -l app=backend --namespace backend --timeout=5m
          
          kubectl rollout status deployment/frontend-deployment --namespace backend --timeout=5m
          kubectl wait --for=condition=ready pod -l app=frontend --namespace backend --timeout=5m
          
      - name: Verify Deployment
        run: |
          # echo "=== MongoDB Status ==="
          # kubectl get all -n mongodb
          echo "=== Backend Status ==="
          kubectl get all -n backend
          # echo "=== Frontend Status ==="
          # kubectl get all -n frontend

  # DAST Scanning
  dast-scan:
    needs: [deploy]
    runs-on: ubuntu-latest
    steps:
      - name: Health Check
        run: |
          timeout=300
          start_time=$(date +%s)
          while true; do
            current_time=$(date +%s)
            elapsed=$((current_time - start_time))
            if [ $elapsed -gt $timeout ]; then
              echo "Timeout waiting for deployment"
              exit 1
            fi
            if curl -s -f "${{ env.APP_DOMAIN }}/health" >/dev/null; then
              echo "Service is up!"
              break
            fi
            echo "Waiting for service to be available..."
            sleep 10
          done

      - name: ZAP Baseline Scan
        uses: zaproxy/action-baseline@v0.9.0
        continue-on-error: true
        with:
          target: ${{ env.APP_DOMAIN }}
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a -j -I'
          allow_issue_writing: true

      - name: Run Nuclei Scan
        uses: projectdiscovery/nuclei-action@main
        continue-on-error: true
        with:
          target: ${{ env.APP_DOMAIN }}
          templates: "cves,vulnerabilities,exposures,misconfiguration"
          severity: "critical,high,medium"
          output: "nuclei-output.txt"
          rate-limit: 150
          bulk-size: 25
          retry-on-failure: true

  # Report Aggregation
  security-report:
    needs: [dast-scan]
    runs-on: ubuntu-latest
    if: always()
    steps:
      - name: Download All Artifacts
        uses: actions/download-artifact@v4
        with:
          path: security-reports
          pattern: '*-report*'
          merge-multiple: true

      - name: Generate Security Dashboard
        run: |
          echo "# Security Scan Results" > security-dashboard.md
          echo "## Summary of Findings" >> security-dashboard.md
          
          # Process ZAP results
          if [ -f "security-reports/zap-report.json" ]; then
            echo "### ZAP Scan Results" >> security-dashboard.md
            jq -r '.site[0].alerts[] | "- " + .name + " (Risk: " + .risk + ")"' security-reports/zap-report.json >> security-dashboard.md
          fi
          
          # Process Nuclei results
          if [ -f "security-reports/nuclei-output.txt" ]; then
            echo "### Nuclei Scan Results" >> security-dashboard.md
            echo "\`\`\`" >> security-dashboard.md
            cat security-reports/nuclei-output.txt >> security-dashboard.md
            echo "\`\`\`" >> security-dashboard.md
          fi
          
          # Process Trivy results
          if [ -f "security-reports/trivy-frontend-image-report.json" ]; then
            echo "### Trivy Frontend Image Scan Results" >> security-dashboard.md
            jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities[] | select(.Severity == "CRITICAL" or .Severity == "HIGH") | "- " + .VulnerabilityID + " (" + .Severity + "): " + .Title' security-reports/trivy-frontend-image-report.json >> security-dashboard.md
          fi

      - name: Upload Security Dashboard
        uses: actions/upload-artifact@v4
        with:
          name: security-dashboard
          path: security-dashboard.md
          retention-days: 30

      - name: Notify on Critical Findings
        if: failure()
        run: |
          echo "Critical security issues found in the scan!"
          echo "Please review the security dashboard for details."
          exit 1