CI: Static Security Scan, Code coverage (#37)

* add yarn audit * yarn audit show low+ output only * add coverage 90/60 thresholds * check that be fails at 90 * change be back to 60 * add fe audit * spacing * fix vulnerabilities * rename job * correct job name Co-authored-by: Sarah-Jaine Szekeresh <sarah-jaine@adhocteam.us>
HHS · Sep 29, 2020 · db631ef · db631ef
1 parent bdf91be
commit db631ef
Show file tree

Hide file tree

Showing 4 changed files with 363 additions and 581 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -130,7 +130,7 @@ jobs:
           root: .
           paths:
             - .
-  lint:
+  lint_audit:
     executor: docker-executor
     steps:
       - attach_workspace:
@@ -141,6 +141,16 @@ jobs:
       - run:
           name: Lint frontend
           command: yarn --cwd frontend run lint:ci
+      - run:  # Fail audit only for moderate and higher vulnerabilities
+          name: Audit vulnerability of backend node_modules
+          command: |
+            yarn audit --level low; EXIT_CODE=$?; \
+              (($EXIT_CODE >= 4)) && exit $EXIT_CODE || exit 0
+      - run:  # Fail audit only for moderate and higher vulnerabilities
+          name: Audit vulnerability of frontend node_modules
+          command: |
+            yarn --cwd frontend audit --level low; EXIT_CODE=$?; \
+              (($EXIT_CODE >= 4)) && exit $EXIT_CODE || exit 0
       - store_artifacts:
           path: reports
       - store_artifacts:
@@ -248,7 +258,7 @@ workflows:
   build_test_deploy:
     jobs:
       - build
-      - lint:
+      - lint_audit:
           requires:
             - build
       - test_backend:
@@ -259,7 +269,7 @@ workflows:
             - build
       - deploy:
           requires:
-            - lint
+            - lint_audit
             - test_backend
             - test_frontend
           filters:

diff --git a/frontend/package.json b/frontend/package.json
@@ -13,7 +13,7 @@
     "react-router": "^5.2.0",
     "react-router-dom": "^5.2.0",
     "react-router-prop-types": "^1.0.5",
-    "react-scripts": "3.4.1",
+    "react-scripts": "^3.4.3",
     "uswds": "^2.8.1"
   },
   "engines": {
@@ -102,5 +102,12 @@
     "eslint-plugin-react-hooks": "^4.0.8",
     "history": "^5.0.0",
     "jest-junit": "^11.1.0"
+  },
+  "jest": {
+    "coverageThreshold": {
+      "global": {
+        "branches": 90
+      }
+    }
   }
 }