Commit 3175d61

ci: Tier 1 OSS security scanners
CodeQL (security-extended for JS/TS) + Dependabot (npm + actions) + OSV-Scanner. 100% free for public repos. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent a68b702 commit 3175d61

3 files changed

Lines changed: 83 additions & 0 deletions

.github/dependabot.yml

Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
version: 2
2+
updates:
3+
- package-ecosystem: npm
4+
directory: "/"
5+
schedule:
6+
interval: weekly
7+
day: monday
8+
time: "06:00"
9+
timezone: Etc/UTC
10+
open-pull-requests-limit: 5
11+
groups:
12+
npm-security:
13+
applies-to: security-updates
14+
patterns:
15+
- "*"
16+
npm-minor-patch:
17+
applies-to: version-updates
18+
update-types:
19+
- minor
20+
- patch
21+
22+
- package-ecosystem: github-actions
23+
directory: "/"
24+
schedule:
25+
interval: weekly
26+
day: monday
27+
open-pull-requests-limit: 3
28+
groups:
29+
actions:
30+
patterns:
31+
- "*"
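Review bot: the `actions` group (lines 28-31 of the hunk) has no `update-types` filter, so a breaking major bump of one action will sit in the same grouped PR as routine minor/patch bumps and block all of them until it is resolved; mirroring the npm layout with a `minor`/`patch` group and letting majors arrive as separate PRs would keep the weekly group mergeable. Also note that `applies-to: security-updates` only shapes how security PRs are grouped; Dependabot alerts and security updates still have to be enabled in the repository settings for those PRs to be raised at all, so confirm that switch is on. Minor: the github-actions schedule omits the `time`/`timezone` the npm schedule sets, so the two ecosystems will fire at different hours.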

.github/workflows/codeql.yml

Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
name: CodeQL
2+
3+
on:
4+
push:
5+
branches: [master, main]
6+
pull_request:
7+
branches: [master, main]
8+
schedule:
9+
- cron: '17 6 * * 1'
10+
11+
permissions:
12+
actions: read
13+
contents: read
14+
security-events: write
15+
16+
jobs:
17+
analyze:
18+
name: Analyze (JS/TS)
19+
runs-on: ubuntu-latest
20+
timeout-minutes: 30
21+
steps:
22+
- uses: actions/checkout@v4
23+
- uses: github/codeql-action/init@v3
24+
with:
25+
languages: javascript-typescript
26+
queries: security-extended
27+
- uses: github/codeql-action/autobuild@v3
28+
- uses: github/codeql-action/analyze@v3
29+
with:
30+
category: "/language:javascript-typescript"
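Review bot: the `github/codeql-action/autobuild@v3` step (line 27 of the hunk) is redundant for `languages: javascript-typescript`, since the JS/TS extractor does not compile anything; dropping it removes a no-op step and a few seconds per run. More importantly for a supply-chain-focused change, `actions/checkout@v4` and the three `codeql-action@v3` references are mutable tags rather than full commit SHAs; pinning to a SHA (with the tag kept in a trailing comment) gives the Dependabot `github-actions` group in this same commit something to bump and prevents a moved tag from silently changing what runs with `security-events: write`. Consider adding a `concurrency` block keyed on the ref so superseded PR runs are cancelled instead of queued against the 30-minute timeout.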

.github/workflows/osv-scanner.yml

Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
name: OSV-Scanner
2+
3+
on:
4+
push:
5+
branches: [master, main]
6+
pull_request:
7+
branches: [master, main]
8+
schedule:
9+
- cron: '0 6 * * *'
10+
11+
permissions:
12+
actions: read
13+
contents: read
14+
security-events: write
15+
16+
jobs:
17+
scan:
18+
uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.0.1
19+
permissions:
20+
actions: read
21+
contents: read
22+
security-events: write
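Review bot: the reusable workflow is referenced by tag (`@v2.0.1`, line 18 of the hunk), which is mutable; as with the CodeQL workflow, pinning it to the full commit SHA behind that tag is the safer choice for a workflow that receives `security-events: write` from this repository. The job-level `permissions` block (lines 19-22) repeats the top-level one exactly; either is sufficient on its own, so keep one to avoid the two drifting apart. Since this runs on `pull_request` as well as `push` and the daily schedule, also check whether the upstream project's PR-oriented reusable workflow (which reports only vulnerabilities introduced by the PR's diff) is a better fit for the `pull_request` trigger, leaving the full scan for `push` and `schedule`.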
