scripts/security/security-scan.sh

#!/bin/bash
# Security scanning automation script
# Runs SAST, DAST, dependency scanning, and container scanning

set -e

echo "🔒 Starting security scanning..."

# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

# SAST - Static Application Security Testing
echo -e "${YELLOW}Running SAST (Static Analysis)...${NC}"
if command -v semgrep &> /dev/null; then
  semgrep --config=auto --json -o sast-results.json . || true
  echo -e "${GREEN}✓ SAST complete${NC}"
else
  echo -e "${RED}✗ Semgrep not installed. Install with: pip install semgrep${NC}"
fi

# Dependency Scanning
echo -e "${YELLOW}Running dependency vulnerability scan...${NC}"
pnpm audit --audit-level moderate --json > dependency-scan.json || true
echo -e "${GREEN}✓ Dependency scan complete${NC}"

# Container Scanning
echo -e "${YELLOW}Running container image scanning...${NC}"
if command -v trivy &> /dev/null; then
  for dockerfile in $(find . -name "Dockerfile"); do
    echo "Scanning $dockerfile..."
    trivy fs --security-checks vuln,config --format json -o "container-scan-$(basename $(dirname $dockerfile)).json" "$(dirname $dockerfile)" || true
  done
  echo -e "${GREEN}✓ Container scan complete${NC}"
else
  echo -e "${RED}✗ Trivy not installed. Install from: https://github.com/aquasecurity/trivy${NC}"
fi

# Generate summary
echo -e "${YELLOW}Generating security scan summary...${NC}"
cat > security-scan-summary.md << EOF
# Security Scan Summary

**Date**: $(date -u +"%Y-%m-%d %H:%M:%S UTC")

## SAST Results
- Report: sast-results.json
- Status: See report for details

## Dependency Scan
- Report: dependency-scan.json
- Status: See report for details

## Container Scan
- Reports: container-scan-*.json
- Status: See reports for details

## Recommendations
1. Review all findings
2. Fix high and critical vulnerabilities immediately
3. Address medium vulnerabilities in next sprint
4. Document accepted risks for low vulnerabilities

EOF

echo -e "${GREEN}✅ Security scanning complete!${NC}"
echo "Reports generated in current directory"
feat: comprehensive project structure improvements and Cloud for Sovereignty landing zone - Add Cloud for Sovereignty landing zone architecture and deployment - Implement complete legal document management system - Reorganize documentation with improved navigation - Add infrastructure improvements (Dockerfiles, K8s, monitoring) - Add operational improvements (graceful shutdown, rate limiting, caching) - Create comprehensive project structure documentation - Add Azure deployment automation scripts - Improve repository navigation and organization 2025-11-13 09:32:55 -08:00			`#!/bin/bash`
			`# Security scanning automation script`
			`# Runs SAST, DAST, dependency scanning, and container scanning`

			`set -e`

			`echo "🔒 Starting security scanning..."`

			`# Colors`
			`RED='\033[0;31m'`
			`GREEN='\033[0;32m'`
			`YELLOW='\033[1;33m'`
			`NC='\033[0m' # No Color`

			`# SAST - Static Application Security Testing`
			`echo -e "${YELLOW}Running SAST (Static Analysis)...${NC}"`
			`if command -v semgrep &> /dev/null; then`
			`semgrep --config=auto --json -o sast-results.json . \|\| true`
			`echo -e "${GREEN}✓ SAST complete${NC}"`
			`else`
			`echo -e "${RED}✗ Semgrep not installed. Install with: pip install semgrep${NC}"`
			`fi`

			`# Dependency Scanning`
			`echo -e "${YELLOW}Running dependency vulnerability scan...${NC}"`
			`pnpm audit --audit-level moderate --json > dependency-scan.json \|\| true`
			`echo -e "${GREEN}✓ Dependency scan complete${NC}"`

			`# Container Scanning`
			`echo -e "${YELLOW}Running container image scanning...${NC}"`
			`if command -v trivy &> /dev/null; then`
			`for dockerfile in $(find . -name "Dockerfile"); do`
			`echo "Scanning $dockerfile..."`
			`trivy fs --security-checks vuln,config --format json -o "container-scan-$(basename $(dirname $dockerfile)).json" "$(dirname $dockerfile)" \|\| true`
			`done`
			`echo -e "${GREEN}✓ Container scan complete${NC}"`
			`else`
			`echo -e "${RED}✗ Trivy not installed. Install from: https://github.com/aquasecurity/trivy${NC}"`
			`fi`

			`# Generate summary`
			`echo -e "${YELLOW}Generating security scan summary...${NC}"`
			`cat > security-scan-summary.md << EOF`
			`# Security Scan Summary`

			`Date: $(date -u +"%Y-%m-%d %H:%M:%S UTC")`

			`## SAST Results`
			`- Report: sast-results.json`
			`- Status: See report for details`

			`## Dependency Scan`
			`- Report: dependency-scan.json`
			`- Status: See report for details`

			`## Container Scan`
			`- Reports: container-scan-*.json`
			`- Status: See reports for details`

			`## Recommendations`
			`1. Review all findings`
			`2. Fix high and critical vulnerabilities immediately`
			`3. Address medium vulnerabilities in next sprint`
			`4. Document accepted risks for low vulnerabilities`

			`EOF`

			`echo -e "${GREEN}✅ Security scanning complete!${NC}"`
			`echo "Reports generated in current directory"`