Kenzo/Gallus_Pub
2
1
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

feat(woodpecker): enhance npm audit and Discord notification steps
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details

Browse Source 
- Refined npm audit process to generate detailed JSON and text outputs.
- Improved Discord notifications with comprehensive vulnerability details and formatting.
- Replaced `apt-get` with `apk` for faster lightweight image handling.
This commit is contained in:
Kenzo
2026-01-07 16:38:15 +01:00
parent c1fd535549
commit 4e2418116f
1 changed files with 127 additions and 118 deletions
Download Patch File Download Diff File Expand all files Collapse all files

245
.woodpecker.yml
View File

@ -1,160 +1,169 @@
steps: steps:
audit_dependencies: audit_dependencies:
image: node:20 image: node:20
commands:
- npm install --package-lock-only
- npm audit --audit-level=moderate --json > /tmp/audit-result.json 2>&1 || echo "Audit completed"
- npm audit --audit-level=moderate > /tmp/audit-output.txt 2>&1 || echo "Audit completed"
when:
- branch: main
event: push
discord_notify_audit:
image: alpine:latest
environment: environment:
DISCORD_WEBHOOK: DISCORD_WEBHOOK:
from_secret: discord_webhook from_secret: discord_webhook
commands: commands:
- apt-get update && apt-get install -y jq - apk add --no-cache curl jq
- npm install --package-lock-only
- npm audit --audit-level=moderate || AUDIT_EXIT=$?
- | - |
if [ ! -z "$AUDIT_EXIT" ]; then if [ -f /tmp/audit-result.json ]; then
echo "" TOTAL=$(jq -r '.metadata.vulnerabilities.total // 0' /tmp/audit-result.json 2>/dev/null || echo "0")
echo "==========================================" CRITICAL=$(jq -r '.metadata.vulnerabilities.critical // 0' /tmp/audit-result.json 2>/dev/null || echo "0")
echo "⚠️ WARNING: npm audit found vulnerabilities!" HIGH=$(jq -r '.metadata.vulnerabilities.high // 0' /tmp/audit-result.json 2>/dev/null || echo "0")
echo "⚠️ Please review the security issues above" MODERATE=$(jq -r '.metadata.vulnerabilities.moderate // 0' /tmp/audit-result.json 2>/dev/null || echo "0")
echo "⚠️ Build continues despite vulnerabilities" LOW=$(jq -r '.metadata.vulnerabilities.low // 0' /tmp/audit-result.json 2>/dev/null || echo "0")
echo "=========================================="
echo ""
# Discord Benachrichtigung mit jq (sicher gegen Sonderzeichen) if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ] || [ "$MODERATE" -gt 0 ]; then
if [ ! -z "$DISCORD_WEBHOOK" ]; then COLOR=16744448
echo "${CI_COMMIT_MESSAGE:-No commit message}" > /tmp/commit_msg.txt STATUS="⚠️ Vulnerabilities Found"
PAYLOAD=$(cat /tmp/commit_msg.txt | jq -Rs \ else
--arg title "⚠️ npm audit Warnung - Build #${CI_BUILD_NUMBER}" \ COLOR=3066993
--arg repo "${CI_REPO}" \ STATUS="✅ No Vulnerabilities"
--arg branch "${CI_COMMIT_BRANCH}" \
--arg commit "${CI_COMMIT_SHA:0:7}" \
--arg author "${CI_COMMIT_AUTHOR}" \
--arg timestamp "$(date -u +%Y-%m-%dT%H:%M:%S.000Z)" \
'. as $message | {
embeds: [{
title: $title,
description: "Es wurden Sicherheitslücken in den Dependencies gefunden!",
color: 16744448,
fields: [
{ name: "Repository", value: $repo, inline: true },
{ name: "Branch", value: $branch, inline: true },
{ name: "Commit", value: ("`" + $commit + "`"), inline: true },
{ name: "Author", value: $author, inline: true },
{ name: "Commit Message", value: $message, inline: false }
],
footer: {
text: "Build läuft trotzdem durch"
},
timestamp: $timestamp
}]
}')
rm -f /tmp/commit_msg.txt
curl -H "Content-Type: application/json" -X POST \
-d "$PAYLOAD" "$DISCORD_WEBHOOK"
fi fi
if [ -f /tmp/audit-output.txt ]; then
VULNS=$(head -50 /tmp/audit-output.txt | tail -40 || echo "No details")
else
VULNS="No audit output available"
fi
printf '%s' "$VULNS" > /tmp/vulns.txt
PAYLOAD=$(jq -n \
--arg title "🔒 Security Audit - Build #${CI_BUILD_NUMBER}" \
--arg status "$STATUS" \
--arg total "$TOTAL" \
--arg critical "$CRITICAL" \
--arg high "$HIGH" \
--arg moderate "$MODERATE" \
--arg low "$LOW" \
--arg commit "${CI_COMMIT_SHA:0:7}" \
--rawfile details /tmp/vulns.txt \
--arg timestamp "$(date -u +%Y-%m-%dT%H:%M:%S.000Z)" \
--argjson color "$COLOR" \
'{
embeds: [{
title: $title,
description: $status,
color: $color,
fields: [
{ name: "Total", value: $total, inline: true },
{ name: "Critical", value: $critical, inline: true },
{ name: "High", value: $high, inline: true },
{ name: "Moderate", value: $moderate, inline: true },
{ name: "Low", value: $low, inline: true },
{ name: "Commit", value: ("`" + $commit + "`"), inline: true },
{ name: "Details", value: ("```\n" + ($details[:800]) + (if ($details | length) > 800 then "\n... (truncated)" else "" end) + "\n```"), inline: false }
],
timestamp: $timestamp
}]
}')
curl -H "Content-Type: application/json" -X POST \
-d "$PAYLOAD" "$DISCORD_WEBHOOK"
else else
echo "No vulnerabilities found" echo "No audit results found"
fi fi
- exit 0
when: when:
branch: main - branch: main
event: push event: push
deploy_frontend: deploy_frontend:
image: node:20 image: node:20
environment: environment:
FLY_API_TOKEN: FLY_API_TOKEN:
from_secret: FLY_API_TOKEN from_secret: FLY_API_TOKEN
DISCORD_WEBHOOK:
from_secret: discord_webhook
commands: commands:
- apt-get update && apt-get install -y jq
- curl -L https://fly.io/install.sh | sh - curl -L https://fly.io/install.sh | sh
- export PATH="$HOME/.fly/bin:$PATH" - export PATH="$HOME/.fly/bin:$PATH"
- flyctl deploy --config fly.toml --app gallus-pub --remote-only - flyctl deploy --config fly.toml --app gallus-pub --remote-only
when: when:
branch: main - branch: main
event: push event: push
notify_success: notify_success:
image: node:20 image: alpine:latest
environment: environment:
DISCORD_WEBHOOK: DISCORD_WEBHOOK:
from_secret: discord_webhook from_secret: discord_webhook
commands: commands:
- apt-get update && apt-get install -y jq - apk add --no-cache curl jq
- | - |
if [ ! -z "$DISCORD_WEBHOOK" ]; then PAYLOAD=$(printf '%s' "${CI_COMMIT_MESSAGE}" | jq -Rs \
echo "${CI_COMMIT_MESSAGE:-No commit message}" > /tmp/commit_msg.txt --arg title "✅ Build #${CI_BUILD_NUMBER} - Success" \
PAYLOAD=$(cat /tmp/commit_msg.txt | jq -Rs \ --arg repo "${CI_REPO}" \
--arg title "✅ Build #${CI_BUILD_NUMBER} - Success" \ --arg branch "${CI_COMMIT_BRANCH}" \
--arg repo "${CI_REPO}" \ --arg commit "${CI_COMMIT_SHA:0:7}" \
--arg branch "${CI_COMMIT_BRANCH}" \ --arg author "${CI_COMMIT_AUTHOR}" \
--arg commit "${CI_COMMIT_SHA:0:7}" \ --arg timestamp "$(date -u +%Y-%m-%dT%H:%M:%S.000Z)" \
--arg author "${CI_COMMIT_AUTHOR}" \ '. as $message | {
--arg timestamp "$(date -u +%Y-%m-%dT%H:%M:%S.000Z)" \ embeds: [{
'. as $message | { title: $title,
embeds: [{ description: "Build und Deployment erfolgreich abgeschlossen!",
title: $title, color: 3066993,
description: "Build und Deployment erfolgreich abgeschlossen!", fields: [
color: 3066993, { name: "Repository", value: $repo, inline: true },
fields: [ { name: "Branch", value: $branch, inline: true },
{ name: "Repository", value: $repo, inline: true }, { name: "Commit", value: ("`" + $commit + "`"), inline: true },
{ name: "Branch", value: $branch, inline: true }, { name: "Author", value: $author, inline: true },
{ name: "Commit", value: ("`" + $commit + "`"), inline: true }, { name: "Commit Message", value: $message, inline: false }
{ name: "Author", value: $author, inline: true }, ],
{ name: "Commit Message", value: $message, inline: false } timestamp: $timestamp
], }]
timestamp: $timestamp }')
}]
}')
rm -f /tmp/commit_msg.txt
curl -H "Content-Type: application/json" -X POST \ curl -H "Content-Type: application/json" -X POST \
-d "$PAYLOAD" "$DISCORD_WEBHOOK" -d "$PAYLOAD" "$DISCORD_WEBHOOK"
fi
when: when:
branch: main - branch: main
event: push event: push
status: success status: success
notify_failure: notify_failure:
image: node:20 image: alpine:latest
environment: environment:
DISCORD_WEBHOOK: DISCORD_WEBHOOK:
from_secret: discord_webhook from_secret: discord_webhook
commands: commands:
- apt-get update && apt-get install -y jq - apk add --no-cache curl jq
- | - |
if [ ! -z "$DISCORD_WEBHOOK" ]; then PAYLOAD=$(printf '%s' "${CI_COMMIT_MESSAGE}" | jq -Rs \
echo "${CI_COMMIT_MESSAGE:-No commit message}" > /tmp/commit_msg.txt --arg title "❌ Build #${CI_BUILD_NUMBER} - Failure" \
PAYLOAD=$(cat /tmp/commit_msg.txt | jq -Rs \ --arg repo "${CI_REPO}" \
--arg title "❌ Build #${CI_BUILD_NUMBER} - Failure" \ --arg branch "${CI_COMMIT_BRANCH}" \
--arg repo "${CI_REPO}" \ --arg commit "${CI_COMMIT_SHA:0:7}" \
--arg branch "${CI_COMMIT_BRANCH}" \ --arg author "${CI_COMMIT_AUTHOR}" \
--arg commit "${CI_COMMIT_SHA:0:7}" \ --arg timestamp "$(date -u +%Y-%m-%dT%H:%M:%S.000Z)" \
--arg author "${CI_COMMIT_AUTHOR}" \ '. as $message | {
--arg timestamp "$(date -u +%Y-%m-%dT%H:%M:%S.000Z)" \ embeds: [{
'. as $message | { title: $title,
embeds: [{ description: "Build oder Deployment ist fehlgeschlagen!",
title: $title, color: 15158332,
description: "Build oder Deployment ist fehlgeschlagen!", fields: [
color: 15158332, { name: "Repository", value: $repo, inline: true },
fields: [ { name: "Branch", value: $branch, inline: true },
{ name: "Repository", value: $repo, inline: true }, { name: "Commit", value: ("`" + $commit + "`"), inline: true },
{ name: "Branch", value: $branch, inline: true }, { name: "Author", value: $author, inline: true },
{ name: "Commit", value: ("`" + $commit + "`"), inline: true }, { name: "Commit Message", value: $message, inline: false }
{ name: "Author", value: $author, inline: true }, ],
{ name: "Commit Message", value: $message, inline: false } timestamp: $timestamp
], }]
timestamp: $timestamp }')
}]
}')
rm -f /tmp/commit_msg.txt
curl -H "Content-Type: application/json" -X POST \ curl -H "Content-Type: application/json" -X POST \
-d "$PAYLOAD" "$DISCORD_WEBHOOK" -d "$PAYLOAD" "$DISCORD_WEBHOOK"
fi
when: when:
branch: main - branch: main
event: push event: push
status: failure status: failure