Phase 3 — CI/CD Security
Overview
All security scans are integrated into the GitHub Actions CI pipeline. Every Pull Request targeting main must pass all security checks before it can be merged.
PR Security Pipeline
The pr-checks.yml workflow runs three jobs on every Pull Request: secret-scan, dependency-scan and build-verify.
The build-verify job only runs if both secret-scan and dependency-scan pass.
Jobs
1. secret-scan (Gitleaks)
Scans the full git history for accidentally committed secrets. Fails immediately if any secret is detected, blocking the PR.
```yaml
- name: Gitleaks Secret Scan
  uses: gitleaks/gitleaks-action@v2
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
2. dependency-scan (Trivy)
Scans package-lock.json for HIGH and CRITICAL CVEs in npm dependencies. Fails if any vulnerability of HIGH or CRITICAL severity is found.
```yaml
- name: Trivy Dependency Scan
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: fs
    scan-ref: .
    scanners: vuln
    severity: HIGH,CRITICAL
    exit-code: 1
```
3. build-verify (SonarQube + Build)
Runs only after the two security scans pass. Performs a full SonarQube analysis and waits for the Quality Gate result. If the Quality Gate fails, the build step is skipped and the PR is blocked.
```yaml
- name: SonarQube Scan
  uses: sonarsource/sonarqube-scan-action@v5
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
    SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
  with:
    args: >
      -Dsonar.projectKey=aliquest-frontend
      -Dsonar.qualitygate.wait=true
```
Required GitHub Secrets
The following secrets must be configured in each repository under Settings → Secrets and variables → Actions:
| Secret | Description | Who sets it |
|---|---|---|
| SONAR_TOKEN | SonarQube Global Analysis Token | Security team |
| SONAR_HOST_URL | SonarQube server URL (https://sonar.aliquest.me) | Security team |
| GITHUB_TOKEN | Automatically provided by GitHub Actions | Automatic |
Branch Protection
The main branch is protected and requires:
- All PR check jobs to pass before merging
- At least one code review approval
- No direct pushes to main; Pull Requests only, from feature/fix/chore branches