ps-security-audit
Install: claude install-skill educlopez/mallard
# PrestaShop Security Audit
Weekly automated security scan for PrestaShop 8 projects on GitLab.com Free tier.
Covers:
1. **Friends of Presta (FoP)** module advisory check — cross-references installed modules and their versions against the published FoP advisories (with CVE identifiers)
2. **PrestaShop core version** — detects outdated core vs latest stable
3. **Trivy** — scans PHP/Composer dependencies for CVEs and leaked secrets
4. **Weekly HTML email** — Monday 8am Madrid, same format across projects
---
## What's unique about PrestaShop security
The biggest attack vector in recent PrestaShop vulnerabilities is **third-party modules** (marketplace modules and premium themes) with SQL injection, path traversal, and arbitrary file upload flaws. Friends of Presta (FoP) maintains the authoritative advisory list, with CVE identifiers, at:
- GitHub: `https://github.com/friends-of-presta/security-advisories`
- Site: `https://security.friendsofpresta.org`
A large share of these advisories describe request parameters such as `id_cart`, `id_product` or `id_address` being concatenated into SQL in module front controllers without `pSQL()` (for strings) or an `(int)` cast (for identifiers). Trivy does NOT catch these: it reads Composer lockfiles and OS packages, while PrestaShop modules live as plain directories under `modules/`, so only the FoP cross-reference covers them.
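The cross-reference step described above, written out as an added example in Python (the CI job already installs `python3`). This is not the skill's own script: it assumes that each installed module carries a `modules/<name>/config.xml` with `<name>` and `<version>` elements, that the core version is the `const VERSION` in `app/AppKernel.php`, and that the FoP advisories have been mapped into simple records of module, first affected version and first fixed version. The config.xml contents, advisory records and module names are constructed for the example and do not describe real modules or real advisories.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample config.xml contents for two fictional modules, in the shape
# PrestaShop writes to modules/<name>/config.xml (assumption about the layout).
SAMPLE_CONFIG_XML = {
    "modules/examplewishlist/config.xml": """<module>
  <name>examplewishlist</name>
  <displayName><![CDATA[Example Wishlist]]></displayName>
  <version><![CDATA[2.1.0]]></version>
</module>""",
    "modules/examplepayment/config.xml": """<module>
  <name>examplepayment</name>
  <displayName><![CDATA[Example Payment]]></displayName>
  <version><![CDATA[1.4.2]]></version>
</module>""",
}

# Constructed advisory records. This is NOT the Friends of Presta file format;
# a real script would map each FoP advisory into a record like these.
# "introduced" is the first affected version, "fixed" the first patched one.
SAMPLE_ADVISORIES = [
    {"module": "examplepayment", "introduced": "1.0.0", "fixed": "1.4.3",
     "summary": "SQL injection through an unsanitized id_cart parameter"},
    {"module": "examplewishlist", "introduced": "1.0.0", "fixed": "2.0.1",
     "summary": "path traversal in a file download controller"},
]

# Constructed excerpt of app/AppKernel.php (assumption: PS 8 declares its version there).
SAMPLE_APP_KERNEL = "class AppKernel extends Kernel\n{\n    const VERSION = '8.1.4';\n"


def parse_version(text):
    """Turn '1.4.2' (or '1.4.2-beta', '8') into a comparable tuple of ints.

    Only the leading dotted-numeric part is compared; a pre-release tag is ignored.
    Short versions are padded to three components so '8' == '8.0.0'.
    """
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def installed_modules(config_files):
    """Map module name -> version tuple from a {path: config.xml text} mapping."""
    found = {}
    for _path, xml_text in config_files.items():
        root = ET.fromstring(xml_text)
        name = root.findtext("name")
        version = root.findtext("version")
        if name and version:
            found[name.strip()] = parse_version(version)
    return found


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (half-open range)."""
    return parse_version(introduced) <= version < parse_version(fixed)


def cross_reference(installed, advisories):
    """Return (module, installed version string, advisory) for every match."""
    hits = []
    for adv in advisories:
        version = installed.get(adv["module"])
        if version is not None and is_affected(version, adv["introduced"], adv["fixed"]):
            hits.append((adv["module"], ".".join(map(str, version)), adv))
    return hits


def core_version(app_kernel_php):
    """Extract the core version string from AppKernel.php source text."""
    match = re.search(r"const\s+VERSION\s*=\s*'([^']+)'", app_kernel_php)
    if not match:
        raise ValueError("no VERSION constant found in AppKernel.php")
    return match.group(1)


def core_outdated(installed, latest_stable):
    """True when the installed core is older than the given latest stable version."""
    return parse_version(installed) < parse_version(latest_stable)


if __name__ == "__main__":
    modules = installed_modules(SAMPLE_CONFIG_XML)
    for module, version, adv in cross_reference(modules, SAMPLE_ADVISORIES):
        print(f"VULNERABLE {module} {version} (fixed in {adv['fixed']}): {adv['summary']}")
    core = core_version(SAMPLE_APP_KERNEL)
    # "8.1.7" stands in for the latest stable tag a real job would fetch from GitHub.
    print(f"core {core} outdated: {core_outdated(core, '8.1.7')}")
```

In the CI job, `SAMPLE_CONFIG_XML` would be replaced by reading `modules/*/config.xml` from the checkout and `SAMPLE_ADVISORIES` by records built from the cloned FoP repository; the half-open version range means a module sitting exactly on the fixed version is reported as clean, which is the convention most advisory feeds use.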
---
## Step 1 — GitLab CI Job
Create or update `.gitlab-ci.yml` in the project root:
```yaml
ps-security-audit:
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  before_script:
    # The Trivy image is Alpine-based; add the tools the later steps need
    - apk add --no-cache curl python3 py3-packaging py3-yaml tar
  script:
    # --- Trivy scan (PHP/Composer deps + secrets) ---
    # --exit-code 0 keeps the job green on findings; the JSON report is what gets processed
    - trivy fs --exit-code 0 --scanners vuln,secret --format json -o trivy-report.json . 2>/dev/null
    - trivy fs --exit-code 0 --scanners