@greenarmor/ges-cicd-generator 1.5.5 → 1.5.6

package/dist/index.d.ts

@@ -3,9 +3,56 @@ export interface WorkflowFile {
     filePath: string;
     content: string;
 }
+/**
+ * Compliance Gate Workflow
+ *
+ * GESF's SUPREME authority — its 9 built-in scanners are unique (no
+ * external tool provides them): secrets, crypto, code-security, auth,
+ * config, database, IaC, governance, injection.
+ *
+ * Gate behavior: `ges audit --ci` exits non-zero on critical findings.
+ */
 export declare function generateComplianceWorkflow(config: ProjectConfig): WorkflowFile;
-export declare function generateSecurityWorkflow(config: ProjectConfig): WorkflowFile;
-export declare function generateDependencyScanWorkflow(config: ProjectConfig): WorkflowFile;
-export declare function generateSecretScanWorkflow(config: ProjectConfig): WorkflowFile;
-export declare function generateSbomWorkflow(config: ProjectConfig): WorkflowFile;
+/**
+ * Security Gate Workflow (Semgrep SAST)
+ *
+ * Uses the maintained Semgrep GitHub Action for SAST scanning with
+ * native GitHub integration (Security tab, PR annotations).
+ *
+ * Gate behavior: Semgrep exits non-zero on blocking findings.
+ */
+export declare function generateSecurityWorkflow(_config: ProjectConfig): WorkflowFile;
+/**
+ * Dependency Gate Workflow (Trivy + audit)
+ *
+ * Trivy filesystem scan is the primary gate (reliable exit codes).
+ * Package-manager audit is supplementary (continue-on-error) because
+ * pnpm audit exit codes are inconsistent across versions.
+ *
+ * Auto-detects npm, pnpm, or yarn via lockfile presence.
+ */
+export declare function generateDependencyScanWorkflow(_config: ProjectConfig): WorkflowFile;
+/**
+ * Secret Gate Workflow (Gitleaks)
+ *
+ * Uses the maintained Gitleaks GitHub Action to scan full git history.
+ *
+ * Gate behavior: Gitleaks exits non-zero on any secret detected.
+ */
+export declare function generateSecretScanWorkflow(_config: ProjectConfig): WorkflowFile;
+/**
+ * SBOM & Infrastructure Gate Workflow
+ *
+ * Three layers of supply chain scanning:
+ *   1. Filesystem SBOM (Syft + Grype) — always runs, scans source deps
+ *   2. Container image scan (Trivy) — runs when Dockerfile present
+ *   3. IaC config scan (Trivy) — runs when K8s/Docker/Terraform files present
+ *
+ * Critical for Docker/Kubernetes projects: container images bundle OS-level
+ * packages (apt, apk, yum) that filesystem-only scans completely miss.
+ *
+ * Gate behavior: Grype fails on HIGH+ vulns. Trivy image scan fails on
+ * CRITICAL/HIGH. Trivy config scan fails on misconfigurations.
+ */
+export declare function generateSbomWorkflow(_config: ProjectConfig): WorkflowFile;
 export declare function generateAllWorkflows(config: ProjectConfig): WorkflowFile[];

package/dist/index.js

@@ -1,30 +1,84 @@
+import { GESF_VERSION } from "@greenarmor/ges-core";
 import * as path from "node:path";
+function gesfInitStep(config) {
+    const frameworks = config?.frameworks?.length
+        ? config.frameworks.join(",")
+        : "GDPR,OWASP,CIS,NIST";
+    const type = config?.project_type || "generic-web-application";
+    const country = config?.country || "US-CA";
+    const repoName = "${{ github.event.repository.name }}";
+    return `        run: ges init --name "${repoName}" --type "${type}" --frameworks "${frameworks}" --country "${country}" --force`;
+}
+function nodeSetupStep() {
+    return [
+        "      - name: Setup Node.js",
+        "        uses: actions/setup-node@v4",
+        "        with:",
+        "          node-version-file: '.nvmrc'",
+        "          node-version: '22'",
+    ].join("\n");
+}
+function gesfInstallStep() {
+    return [
+        "      - name: Install GESF",
+        `        run: npm install -g @greenarmor/ges@${GESF_VERSION}`,
+    ].join("\n");
+}
+const GATE_HEADER = `# ═══════════════════════════════════════════════════════════════
+# GESF Security Gate — blocks PR merges on failures.
+# To enable enforcement: Settings → Branches → Branch protection rules
+#   → Require status checks → add the job name below.
+# ═══════════════════════════════════════════════════════════════`;
+const ON_TRIGGER_DAILY = `on:
+  push:
+  pull_request:
+  schedule:
+    - cron: '0 6 * * *'
+
+# Triggers on ALL branches and PRs. Branch protection rules
+# enforce the gate on the default branch (main/master/trunk/auto).`;
+const ON_TRIGGER_NOSCHEDULE = `on:
+  push:
+  pull_request:
+
+# Triggers on ALL branches and PRs. Branch protection rules
+# enforce the gate on the default branch (main/master/trunk/auto).`;
+const DEFAULT_BRANCH_COND = "github.ref == format('refs/heads/{0}', github.event.repository.default_branch)";
+/**
+ * Compliance Gate Workflow
+ *
+ * GESF's SUPREME authority — its 9 built-in scanners are unique (no
+ * external tool provides them): secrets, crypto, code-security, auth,
+ * config, database, IaC, governance, injection.
+ *
+ * Gate behavior: `ges audit --ci` exits non-zero on critical findings.
+ */
 export function generateComplianceWorkflow(config) {
     return {
         filePath: path.join(".github", "workflows", "compliance.yml"),
-        content: `name: Compliance Check
+        content: `name: Compliance Gate
 
-on:
-  push:
-    branches: [main, develop]
-  pull_request:
-    branches: [main]
-  schedule:
-    - cron: '0 6 * * 1'
+${GATE_HEADER}
+
+${ON_TRIGGER_DAILY}
+
+permissions:
+  contents: write
+  pull-requests: read
 
 jobs:
   compliance:
+    name: GESF Compliance Gate
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
 
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '22'
+${nodeSetupStep()}
 
-      - name: Install GESF
-        run: npm install -g @greenarmor/ges
+${gesfInstallStep()}
+
+      - name: Initialize GESF
+${gesfInitStep(config)}
 
       - name: Run Compliance Audit
         run: ges audit --ci
@@ -33,11 +87,11 @@ jobs:
         run: ges score --ci
 
       - name: Generate Compliance Badge
-        if: github.event_name != 'pull_request'
+        if: ${DEFAULT_BRANCH_COND}
         run: ges badge
 
       - name: Commit Compliance Badge
-        if: github.event_name != 'pull_request'
+        if: ${DEFAULT_BRANCH_COND}
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
@@ -54,21 +108,26 @@ jobs:
 `,
     };
 }
-export function generateSecurityWorkflow(config) {
+/**
+ * Security Gate Workflow (Semgrep SAST)
+ *
+ * Uses the maintained Semgrep GitHub Action for SAST scanning with
+ * native GitHub integration (Security tab, PR annotations).
+ *
+ * Gate behavior: Semgrep exits non-zero on blocking findings.
+ */
+export function generateSecurityWorkflow(_config) {
     return {
         filePath: path.join(".github", "workflows", "security.yml"),
-        content: `name: Security Scan
+        content: `name: Security Gate (Semgrep)
 
-on:
-  push:
-    branches: [main, develop]
-  pull_request:
-    branches: [main]
-  schedule:
-    - cron: '0 6 * * *'
+${GATE_HEADER}
+
+${ON_TRIGGER_DAILY}
 
 jobs:
-  security:
+  semgrep:
+    name: Semgrep SAST
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -77,35 +136,30 @@ jobs:
         uses: returntocorp/semgrep-action@v1
         with:
           config: auto
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '22'
-
-      - name: Install GESF
-        run: npm install -g @greenarmor/ges
-
-      - name: Run Security Scan
-        run: ges scan --ci
 `,
     };
 }
-export function generateDependencyScanWorkflow(config) {
+/**
+ * Dependency Gate Workflow (Trivy + audit)
+ *
+ * Trivy filesystem scan is the primary gate (reliable exit codes).
+ * Package-manager audit is supplementary (continue-on-error) because
+ * pnpm audit exit codes are inconsistent across versions.
+ *
+ * Auto-detects npm, pnpm, or yarn via lockfile presence.
+ */
+export function generateDependencyScanWorkflow(_config) {
     return {
         filePath: path.join(".github", "workflows", "dependency-scan.yml"),
-        content: `name: Dependency Scan
+        content: `name: Dependency Gate (Trivy)
 
-on:
-  push:
-    branches: [main, develop]
-  pull_request:
-    branches: [main]
-  schedule:
-    - cron: '0 6 * * *'
+${GATE_HEADER}
+
+${ON_TRIGGER_DAILY}
 
 jobs:
   dependency-scan:
+    name: Trivy + Dependency Audit
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -116,34 +170,50 @@ jobs:
           scan-type: 'fs'
           scan-ref: '.'
           severity: 'CRITICAL,HIGH'
+          exit-code: '1'
 
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '22'
+${nodeSetupStep()}
 
-      - name: Install dependencies
-        run: npm ci
+      - name: Setup pnpm
+        if: hashFiles('pnpm-lock.yaml') != ''
+        uses: pnpm/action-setup@v4
+
+      - name: Install and audit (pnpm)
+        if: hashFiles('pnpm-lock.yaml') != ''
+        run: pnpm install --frozen-lockfile && pnpm audit --audit-level=high
+        continue-on-error: true
 
-      - name: Run npm audit
-        run: npm audit --audit-level=high
+      - name: Install and audit (npm)
+        if: hashFiles('pnpm-lock.yaml') == '' && hashFiles('package-lock.json') != ''
+        run: npm ci && npm audit --audit-level=high
+        continue-on-error: true
+
+      - name: Install and audit (yarn)
+        if: hashFiles('pnpm-lock.yaml') == '' && hashFiles('package-lock.json') == '' && hashFiles('yarn.lock') != ''
+        run: yarn install --frozen-lockfile && yarn audit --level high
         continue-on-error: true
 `,
     };
 }
-export function generateSecretScanWorkflow(config) {
+/**
+ * Secret Gate Workflow (Gitleaks)
+ *
+ * Uses the maintained Gitleaks GitHub Action to scan full git history.
+ *
+ * Gate behavior: Gitleaks exits non-zero on any secret detected.
+ */
+export function generateSecretScanWorkflow(_config) {
     return {
         filePath: path.join(".github", "workflows", "secret-scan.yml"),
-        content: `name: Secret Scan
+        content: `name: Secret Gate (Gitleaks)
 
-on:
-  push:
-    branches: [main, develop]
-  pull_request:
-    branches: [main]
+${GATE_HEADER}
+
+${ON_TRIGGER_NOSCHEDULE}
 
 jobs:
   secret-scan:
+    name: Gitleaks
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -157,21 +227,36 @@ jobs:
 `,
     };
 }
-export function generateSbomWorkflow(config) {
+/**
+ * SBOM & Infrastructure Gate Workflow
+ *
+ * Three layers of supply chain scanning:
+ *   1. Filesystem SBOM (Syft + Grype) — always runs, scans source deps
+ *   2. Container image scan (Trivy) — runs when Dockerfile present
+ *   3. IaC config scan (Trivy) — runs when K8s/Docker/Terraform files present
+ *
+ * Critical for Docker/Kubernetes projects: container images bundle OS-level
+ * packages (apt, apk, yum) that filesystem-only scans completely miss.
+ *
+ * Gate behavior: Grype fails on HIGH+ vulns. Trivy image scan fails on
+ * CRITICAL/HIGH. Trivy config scan fails on misconfigurations.
+ */
+export function generateSbomWorkflow(_config) {
     return {
         filePath: path.join(".github", "workflows", "sbom-scan.yml"),
-        content: `name: SBOM Generation & Scan
+        content: `name: SBOM & Infrastructure Gate
 
-on:
-  push:
-    branches: [main, develop]
-  pull_request:
-    branches: [main]
-  schedule:
-    - cron: '0 6 * * 1'
+# ═══════════════════════════════════════════════════════════════
+# Supply chain gate — SBOM generation + container/IaC scanning.
+# Especially critical for Docker/Kubernetes projects: catches
+# OS-level CVEs in base images that filesystem scans miss.
+# ═══════════════════════════════════════════════════════════════
+
+${ON_TRIGGER_DAILY}
 
 jobs:
   sbom:
+    name: Filesystem SBOM (Syft + Grype)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -182,32 +267,83 @@ jobs:
           image: ""
           path: .
           format: cyclonedx-json
-          output-file: sbom.json
+          output-file: sbom-filesystem.json
           fail-build: false
 
       - name: Scan SBOM for vulnerabilities with Grype
         uses: anchore/scan-action@v6
         with:
-          sbom: sbom.json
+          sbom: sbom-filesystem.json
           fail-build: true
           severity-cutoff: high
 
-      - name: Generate SBOM with Trivy
+      - name: Upload filesystem SBOM
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-filesystem
+          path: sbom-filesystem.json
+          retention-days: 90
+
+  container-scan:
+    name: Container Image Scan (Trivy)
+    runs-on: ubuntu-latest
+    # Auto-aware: only runs when a Dockerfile is present
+    if: hashFiles('Dockerfile', '**/Dockerfile', 'docker-compose.yml', 'docker-compose.yaml') != ''
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          load: true
+          tags: gesf-scan:latest
+
+      - name: Scan Docker image with Trivy
         uses: aquasecurity/trivy-action@master
         with:
-          scan-type: 'fs'
+          image-ref: gesf-scan:latest
+          format: 'sarif'
+          output: 'trivy-container.sarif'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'
+
+      - name: Upload container scan results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: container-scan
+          path: trivy-container.sarif
+          retention-days: 90
+
+  iac-scan:
+    name: Infrastructure Config Scan (Trivy)
+    runs-on: ubuntu-latest
+    # Auto-aware: only runs when IaC files are present
+    if: hashFiles('k8s/**', 'kubernetes/**', 'helm/**', 'terraform/**', 'tf/**', '*.tf', '**/*.tf', 'docker-compose*.yml', 'docker-compose*.yaml') != ''
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Scan IaC configs with Trivy
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'config'
           scan-ref: '.'
-          format: 'cyclonedx'
-          output: 'trivy-sbom.json'
+          format: 'sarif'
+          output: 'trivy-iac.sarif'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'
 
-      - name: Upload SBOM artifacts
+      - name: Upload IaC scan results
         if: always()
         uses: actions/upload-artifact@v4
         with:
-          name: sbom-artifacts
-          path: |
-            sbom.json
-            trivy-sbom.json
+          name: iac-scan
+          path: trivy-iac.sarif
           retention-days: 90
 `,
     };

package/package.json

@@ -1,6 +1,6 @@
 {
   "dependencies": {
-    "@greenarmor/ges-core": "1.5.5"
+    "@greenarmor/ges-core": "1.5.6"
   },
   "description": "GESF CI/CD Generator - GitHub Actions workflow generation",
   "devDependencies": {
@@ -24,7 +24,7 @@
   "name": "@greenarmor/ges-cicd-generator",
   "type": "module",
   "types": "./dist/index.d.ts",
-  "version": "1.5.5",
+  "version": "1.5.6",
   "scripts": {
     "build": "tsc",
     "clean": "rm -rf dist tsconfig.tsbuildinfo",