From 19c362d0f3382d260c2d0df42c51702522da8720 Mon Sep 17 00:00:00 2001
From: omri zaher
Date: Thu, 25 Sep 2025 14:34:20 +0300
Subject: [PATCH 01/14] Add Trivy vulnerability scanning to CI workflow
---
.github/workflows/e2e-testing.yml | 37 +++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/.github/workflows/e2e-testing.yml b/.github/workflows/e2e-testing.yml
index 10e7c72c0..90d01477b 100644
--- a/.github/workflows/e2e-testing.yml
+++ b/.github/workflows/e2e-testing.yml
@@ -34,6 +34,21 @@ jobs:
# Save the tag for later steps echo "WEKAN_IMAGE_TAG=$TAG" >> $GITHUB_ENV + - name: Install Trivy + run: | + sudo apt-get update + sudo apt-get install -y wget + wget https://github.com/aquasecurity/trivy/releases/latest/download/trivy_0.50.0_Linux-64bit.deb + sudo dpkg -i trivy_0.50.0_Linux-64bit.deb + - name: Scan Wekan Docker image for vulnerabilities + env: + WEKAN_IMAGE_TAG: ${{ env.WEKAN_IMAGE_TAG }} + DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} + run: | + docker pull $DOCKERHUB_USERNAME/wekan:$WEKAN_IMAGE_TAG + trivy image $DOCKERHUB_USERNAME/wekan:$WEKAN_IMAGE_TAG || true + - name: Create .env file run: | echo "WEKAN_IMAGE=omriza5/wekan:${WEKAN_IMAGE_TAG}" >> .env
@@ -83,6 +98,28 @@ jobs:
sudo docker compose pull sudo docker compose up -d + security-scan: + needs: deploy + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Install Trivy + run: | + sudo apt-get update + sudo apt-get install -y wget + wget https://github.com/aquasecurity/trivy/releases/latest/download/trivy_0.50.0_Linux-64bit.deb + sudo dpkg -i trivy_0.50.0_Linux-64bit.deb + + - name: Scan Wekan Docker image for vulnerabilities + env: + WEKAN_IMAGE_TAG: ${{ needs.deploy.outputs.wekan_image_tag }} + DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} + run: | + docker pull $DOCKERHUB_USERNAME/wekan:$WEKAN_IMAGE_TAG + trivy image $DOCKERHUB_USERNAME/wekan:$WEKAN_IMAGE_TAG || true + API-tests: needs: deploy runs-on: ubuntu-latest
From 3c3e93388e20e4edbe79cb8dffba7ddfaaf15808 Mon Sep 17 00:00:00 2001
From: omri zaher
Date: Thu, 25 Sep 2025 14:40:54 +0300
Subject: [PATCH 02/14] Refactor CI workflow to integrate Trivy vulnerability scanning directly into the deployment job, removing redundant security scan job.
---
.github/workflows/e2e-testing.yml | 28 +++-------------------------
1 file changed, 3 insertions(+), 25 deletions(-)
diff --git a/.github/workflows/e2e-testing.yml b/.github/workflows/e2e-testing.yml
index 90d01477b..26ead195a 100644
--- a/.github/workflows/e2e-testing.yml
+++ b/.github/workflows/e2e-testing.yml
@@ -35,17 +35,17 @@ jobs:
echo "WEKAN_IMAGE_TAG=$TAG" >> $GITHUB_ENV - name: Install Trivy - run: | + run: | sudo apt-get update sudo apt-get install -y wget wget https://github.com/aquasecurity/trivy/releases/latest/download/trivy_0.50.0_Linux-64bit.deb sudo dpkg -i trivy_0.50.0_Linux-64bit.deb - name: Scan Wekan Docker image for vulnerabilities - env: + env: WEKAN_IMAGE_TAG: ${{ env.WEKAN_IMAGE_TAG }} DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} - run: | + run: | docker pull $DOCKERHUB_USERNAME/wekan:$WEKAN_IMAGE_TAG trivy image $DOCKERHUB_USERNAME/wekan:$WEKAN_IMAGE_TAG || true
@@ -98,28 +98,6 @@ jobs:
sudo docker compose pull sudo docker compose up -d - security-scan: - needs: deploy - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Install Trivy - run: | - sudo apt-get update - sudo apt-get install -y wget - wget https://github.com/aquasecurity/trivy/releases/latest/download/trivy_0.50.0_Linux-64bit.deb - sudo dpkg -i trivy_0.50.0_Linux-64bit.deb - - - name: Scan Wekan Docker image for vulnerabilities - env: - WEKAN_IMAGE_TAG: ${{ needs.deploy.outputs.wekan_image_tag }} - DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} - run: | - docker pull $DOCKERHUB_USERNAME/wekan:$WEKAN_IMAGE_TAG - trivy image $DOCKERHUB_USERNAME/wekan:$WEKAN_IMAGE_TAG || true - API-tests: needs: deploy runs-on: ubuntu-latest
From 361d4128f129fc6a98d0984eff49b7fa9fb43600 Mon Sep 17 00:00:00 2001
From: omri zaher
Date: Thu, 25 Sep 2025 14:46:48 +0300
Subject: [PATCH 03/14] Refactor Trivy vulnerability scanning step in CI workflow to use the official action, simplifying installation and configuration.
---
.github/workflows/e2e-testing.yml | 20 +++++++-------------
1 file changed, 7 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/e2e-testing.yml b/.github/workflows/e2e-testing.yml
index 26ead195a..b8195b5a9 100644
--- a/.github/workflows/e2e-testing.yml
+++ b/.github/workflows/e2e-testing.yml
@@ -34,20 +34,14 @@ jobs:
# Save the tag for later steps echo "WEKAN_IMAGE_TAG=$TAG" >> $GITHUB_ENV - - name: Install Trivy - run: | - sudo apt-get update - sudo apt-get install -y wget - wget https://github.com/aquasecurity/trivy/releases/latest/download/trivy_0.50.0_Linux-64bit.deb - sudo dpkg -i trivy_0.50.0_Linux-64bit.deb - - name: Scan Wekan Docker image for vulnerabilities - env: - WEKAN_IMAGE_TAG: ${{ env.WEKAN_IMAGE_TAG }} - DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} - run: | - docker pull $DOCKERHUB_USERNAME/wekan:$WEKAN_IMAGE_TAG - trivy image $DOCKERHUB_USERNAME/wekan:$WEKAN_IMAGE_TAG || true + uses: aquasecurity/trivy-action@master + with: + image-ref: '${{ secrets.DOCKERHUB_USERNAME }}/wekan:${{ env.WEKAN_IMAGE_TAG }}' + format: 'table' + severity: 'HIGH,CRITICAL' + ignore-unfixed: true + exit-code: 0 - name: Create .env file run: |
From d5d2d5927157e14d41e94d7ba06ec4f543bd3eb4 Mon Sep 17 00:00:00 2001
From: omri zaher
Date: Thu, 25 Sep 2025 17:34:35 +0300
Subject: [PATCH 04/14] Add vulnerability scanning for wekan-selenium repo using Trivy
---
.github/workflows/e2e-testing.yml | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/.github/workflows/e2e-testing.yml b/.github/workflows/e2e-testing.yml
index b8195b5a9..1d98912eb 100644
--- a/.github/workflows/e2e-testing.yml
+++ b/.github/workflows/e2e-testing.yml
@@ -229,6 +229,15 @@ jobs:
repository: omriza5/wekan-selenium token: ${{ secrets.UI_TESTING_GITHUB_TOKEN }} + - name: Scan wekan-selenium repo for vulnerabilities + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + format: 'table' + severity: 'HIGH,CRITICAL' + ignore-unfixed: true + exit-code: 0 + - name: Set up Python 3.11 uses: actions/setup-python@v4 with:
From 27680a781cdc949f8a5b193ec9cc9a3211799fc8 Mon Sep 17 00:00:00 2001
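Review bot: `uses: aquasecurity/trivy-action@master` pulls a third-party action from a moving branch, so each run executes whatever that branch contains at the time and the scanner version is not reproducible; pin it to a release tag or, preferably, a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # <release tag>` (placeholders). The same `@master` reference is repeated in the scan steps added in PATCH 04, PATCH 05 and PATCH 11 and should be pinned there too. Separately, `image-ref` is built from `secrets.DOCKERHUB_USERNAME`, while the `Create .env file` step that follows hardcodes `omriza5/wekan` (its `echo` line is visible as context in PATCH 01 and PATCH 11), so unless that secret is always `omriza5` the scanned image is not the deployed one, and a secret inside the ref will be masked as `***` in the Trivy table. With `exit-code: 0` and `format: 'table'` the step is advisory only and the report exists nowhere but the job log; if the findings are meant to be tracked, emit `format: 'sarif'` with an `output:` path and upload the file as an artifact or to code scanning.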
From: omri zaher
Date: Thu, 25 Sep 2025 17:51:25 +0300
Subject: [PATCH 05/14] Refactor security scanning in CI workflow for wekan-selenium, adding dedicated vulnerability scans for the repository and Python dependencies.
---
.github/workflows/e2e-testing.yml | 46 ++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 39 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/e2e-testing.yml b/.github/workflows/e2e-testing.yml
index 1d98912eb..887676449 100644
--- a/.github/workflows/e2e-testing.yml
+++ b/.github/workflows/e2e-testing.yml
@@ -207,9 +207,40 @@ jobs:
run: | pytest --maxfail=5 --disable-warnings -v - Selenium-ui-tests: + wekan-selenium-security-scan: needs: deploy runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 1 + repository: omriza5/wekan-selenium + token: ${{ secrets.UI_TESTING_GITHUB_TOKEN }} + + - name: Scan wekan-selenium repo for vulnerabilities + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + format: 'table' + severity: 'HIGH,CRITICAL' + ignore-unfixed: true + exit-code: 0 + dir: '.' + + - name: Scan Python dependencies for vulnerabilities + uses: aquasecurity/trivy-action@master + with: + scan-type: 'pip' + requirements: 'requirements.txt' + format: 'table' + severity: 'HIGH,CRITICAL' + ignore-unfixed: true + exit-code: 0 + + Selenium-ui-tests: + needs: [deploy, security-scan] + runs-on: ubuntu-latest strategy: matrix:
@@ -229,14 +260,15 @@ jobs:
repository: omriza5/wekan-selenium token: ${{ secrets.UI_TESTING_GITHUB_TOKEN }} - - name: Scan wekan-selenium repo for vulnerabilities + - name: Scan Python dependencies for vulnerabilities uses: aquasecurity/trivy-action@master with: - scan-type: 'fs' - format: 'table' - severity: 'HIGH,CRITICAL' - ignore-unfixed: true - exit-code: 0 + scan-type: 'pip' + requirements: 'requirements.txt' + format: 'table' + severity: 'HIGH,CRITICAL' + ignore-unfixed: true + exit-code: 0 - name: Set up Python 3.11 uses: actions/setup-python@v4
From 10f2b719d6c4357ea58f31af788065552553a2e9 Mon Sep 17 00:00:00 2001
From: omri zaher
Date: Thu, 25 Sep 2025 18:04:36 +0300
Subject: [PATCH 06/14] Remove dependency on security-scan job for Selenium UI tests
---
.github/workflows/e2e-testing.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.github/workflows/e2e-testing.yml b/.github/workflows/e2e-testing.yml
index 887676449..19f3069a4 100644
--- a/.github/workflows/e2e-testing.yml
+++ b/.github/workflows/e2e-testing.yml
@@ -239,7 +239,6 @@ jobs:
exit-code: 0 Selenium-ui-tests: - needs: [deploy, security-scan] runs-on: ubuntu-latest strategy:
From bba0db59032c95aba304617759dae646148f30df Mon Sep 17 00:00:00 2001
From: omri zaher
Date: Thu, 25 Sep 2025 18:05:47 +0300
Subject: [PATCH 07/14] Remove dependency on deploy job for wekan-selenium-security-scan
---
.github/workflows/e2e-testing.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/e2e-testing.yml b/.github/workflows/e2e-testing.yml
index 19f3069a4..0afcce2dc 100644
--- a/.github/workflows/e2e-testing.yml
+++ b/.github/workflows/e2e-testing.yml
@@ -208,7 +208,6 @@ jobs:
pytest --maxfail=5 --disable-warnings -v wekan-selenium-security-scan: - needs: deploy runs-on: ubuntu-latest steps: - name: Checkout code
@@ -239,6 +238,7 @@ jobs:
exit-code: 0 Selenium-ui-tests: + needs: deploy runs-on: ubuntu-latest strategy:
From 1c842f6a84e26a49410e1a95d435b4c5c71dd60a Mon Sep 17 00:00:00 2001
From: omri zaher
Date: Thu, 25 Sep 2025 18:07:49 +0300
Subject: [PATCH 08/14] Remove wekan-selenium-security-scan job and associated vulnerability scans from CI workflow
---
.github/workflows/e2e-testing.yml | 30 ------------------------------
1 file changed, 30 deletions(-)
diff --git a/.github/workflows/e2e-testing.yml b/.github/workflows/e2e-testing.yml
index 0afcce2dc..dae186b0f 100644
--- a/.github/workflows/e2e-testing.yml
+++ b/.github/workflows/e2e-testing.yml
@@ -207,36 +207,6 @@ jobs:
run: | pytest --maxfail=5 --disable-warnings -v - wekan-selenium-security-scan: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 1 - repository: omriza5/wekan-selenium - token: ${{ secrets.UI_TESTING_GITHUB_TOKEN }} - - - name: Scan wekan-selenium repo for vulnerabilities - uses: aquasecurity/trivy-action@master - with: - scan-type: 'fs' - format: 'table' - severity: 'HIGH,CRITICAL' - ignore-unfixed: true - exit-code: 0 - dir: '.' - - - name: Scan Python dependencies for vulnerabilities - uses: aquasecurity/trivy-action@master - with: - scan-type: 'pip' - requirements: 'requirements.txt' - format: 'table' - severity: 'HIGH,CRITICAL' - ignore-unfixed: true - exit-code: 0 - Selenium-ui-tests: needs: deploy runs-on: ubuntu-latest
From cb1557f5232e2091b5a25c173f71d4dc28c9e6b3 Mon Sep 17 00:00:00 2001
From: omri zaher
Date: Thu, 25 Sep 2025 18:12:34 +0300
Subject: [PATCH 09/14] Remove Python dependency vulnerability scan from CI workflow
---
.github/workflows/e2e-testing.yml | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/.github/workflows/e2e-testing.yml b/.github/workflows/e2e-testing.yml
index dae186b0f..b8195b5a9 100644
--- a/.github/workflows/e2e-testing.yml
+++ b/.github/workflows/e2e-testing.yml
@@ -229,16 +229,6 @@ jobs:
repository: omriza5/wekan-selenium token: ${{ secrets.UI_TESTING_GITHUB_TOKEN }} - - name: Scan Python dependencies for vulnerabilities - uses: aquasecurity/trivy-action@master - with: - scan-type: 'pip' - requirements: 'requirements.txt' - format: 'table' - severity: 'HIGH,CRITICAL' - ignore-unfixed: true - exit-code: 0 - - name: Set up Python 3.11 uses: actions/setup-python@v4 with:
From 0dd5692b9a2482c21ee32cb994c559e7c5eed8ce Mon Sep 17 00:00:00 2001
From: omri zaher
Date: Thu, 25 Sep 2025 19:02:41 +0300
Subject: [PATCH 10/14] test
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index df38b941b..a9273b66a 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ docker-compose.yml at https://github.com/wekan/wekan/blob/main/docker-compose.ym
## Standards - [WeKan and Standard for Public Code](https://wekan.fi/standard-for-public-code/) assessment was made at 2023-11. - Currently Wekan meets 8 out of 16 criteria out of the box. + Currently Wekan meets 8 out of 16 criteria out of the box.. Some others could be met with small changes ## Code stats
From 1d31e5d32dff0a52485e7615d096d21ca3487916 Mon Sep 17 00:00:00 2001
From: omri zaher
Date: Sat, 27 Sep 2025 13:36:49 +0300
Subject: [PATCH 11/14] Update vulnerability scan steps for Wekan Docker images in CI workflow
---
.github/workflows/e2e-testing.yml | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/e2e-testing.yml b/.github/workflows/e2e-testing.yml
index b8195b5a9..190ede912 100644
--- a/.github/workflows/e2e-testing.yml
+++ b/.github/workflows/e2e-testing.yml
@@ -34,7 +34,7 @@ jobs:
# Save the tag for later steps echo "WEKAN_IMAGE_TAG=$TAG" >> $GITHUB_ENV - - name: Scan Wekan Docker image for vulnerabilities + - name: Scan Wekan Docker image for vulnerabilities(Wekan) uses: aquasecurity/trivy-action@master with: image-ref: '${{ secrets.DOCKERHUB_USERNAME }}/wekan:${{ env.WEKAN_IMAGE_TAG }}'
@@ -43,6 +43,15 @@ jobs:
ignore-unfixed: true exit-code: 0 + - name: Scan wekan-selenium Docker image for vulnerabilities + uses: aquasecurity/trivy-action@master + with: + image-ref: 'omriza5/wekan-selenium:1.0.0' + format: 'table' + severity: 'HIGH,CRITICAL' + ignore-unfixed: true + exit-code: 0 + - name: Create .env file run: | echo "WEKAN_IMAGE=omriza5/wekan:${WEKAN_IMAGE_TAG}" >> .env
From 73c5682884e9ff0c81ebaa3fe4114ba3d9e67f51 Mon Sep 17 00:00:00 2001
From: omri zaher
Date: Sat, 27 Sep 2025 14:28:38 +0300
Subject: [PATCH 12/14] Add screenshot upload step to Selenium UI tests workflow
---
.github/workflows/e2e-testing.yml | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/.github/workflows/e2e-testing.yml b/.github/workflows/e2e-testing.yml
index 190ede912..441bcd947 100644
--- a/.github/workflows/e2e-testing.yml
+++ b/.github/workflows/e2e-testing.yml
@@ -327,6 +327,14 @@ jobs:
path: allure-results/ retention-days: 30 + - name: Upload screenshots + if: always() # Ensure this runs even if tests fail + uses: actions/upload-artifact@v4 + with: + name: ui-test-screenshots + path: artifacts/screenshots + retention-days: 2 # Store artifacts for 2 days + allure-report: runs-on: ubuntu-latest needs: Selenium-ui-tests
From feaa4e9838c2f25e78aa2e2bc9e6cbf6a8776faa Mon Sep 17 00:00:00 2001
From: omri zaher
Date: Sat, 27 Sep 2025 15:05:56 +0300
Subject: [PATCH 13/14] Fix typo in Standards section of README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index a9273b66a..df38b941b 100644
--- a/README.md
+++ b/README.md
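Review bot: `image-ref: 'omriza5/wekan-selenium:1.0.0'` hardcodes a mutable tag, so the scan reports on whatever `1.0.0` resolves to at run time, and nothing in the hunk ties it to the wekan-selenium image the UI tests actually run (that job is outside this hunk, so the drift risk is inferred). Keep the reference in one place — for example a workflow-level `env:` entry `WEKAN_SELENIUM_IMAGE: omriza5/wekan-selenium:1.0.0` consumed here as `image-ref: ${{ env.WEKAN_SELENIUM_IMAGE }}` — or scan by digest so the result is reproducible. The renamed step in the first hunk, `Scan Wekan Docker image for vulnerabilities(Wekan)`, is redundant and lacks a space before the parenthesis; `Scan Wekan Docker image for vulnerabilities` already distinguishes it from the new `Scan wekan-selenium Docker image for vulnerabilities`.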
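Review bot: `path: artifacts/screenshots` is uploaded under `if: always()` even on runs where no test failed, and the directory presumably exists only when a screenshot was taken; upload-artifact@v4 defaults to `if-no-files-found: warn`, so every green run would log a warning. Add `if-no-files-found: ignore` under `with:` if an empty result is expected, or `error` if the tests are meant to always produce screenshots. Screenshots of the running UI can expose application state, so the short `retention-days: 2` is a sensible default to keep.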
@@ -17,7 +17,7 @@ docker-compose.yml at https://github.com/wekan/wekan/blob/main/docker-compose.ym
## Standards - [WeKan and Standard for Public Code](https://wekan.fi/standard-for-public-code/) assessment was made at 2023-11. - Currently Wekan meets 8 out of 16 criteria out of the box.. + Currently Wekan meets 8 out of 16 criteria out of the box. Some others could be met with small changes ## Code stats
From 92e86432c960a0dddd7ab79dc196be29d67de69b Mon Sep 17 00:00:00 2001
From: omri zaher
Date: Sat, 27 Sep 2025 15:16:34 +0300
Subject: [PATCH 14/14] Update screenshot artifact naming in Selenium UI tests workflow
---
.github/workflows/e2e-testing.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/e2e-testing.yml b/.github/workflows/e2e-testing.yml
index 441bcd947..06ec7ed6a 100644
--- a/.github/workflows/e2e-testing.yml
+++ b/.github/workflows/e2e-testing.yml
@@ -331,7 +331,7 @@ jobs:
if: always() # Ensure this runs even if tests fail uses: actions/upload-artifact@v4 with: - name: ui-test-screenshots + name: ui-test-screenshots-${{ matrix.browser }}-${{ matrix.resolution.name }} path: artifacts/screenshots retention-days: 2 # Store artifacts for 2 days