SortVision/.github/workflows/security-scan.yml at main · alienx5499/SortVision · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
name: Security Scan

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

on:
  push:
    branches: [main, master, develop]
    paths-ignore:
      - '**.md'
      - 'issue/**'
  pull_request:
    branches: [main, master, develop]
    paths-ignore:
      - '**.md'
      - 'issue/**'
  merge_group:
    types: [checks_requested]
  schedule:
    - cron: '0 0 * * 0'

defaults:
  run:
    working-directory: ./SortVision

jobs:
  security-audit:
    name: Security Vulnerability Scan
    runs-on: ubuntu-latest
    timeout-minutes: 10

    steps:
      - name: Checkout repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

      - name: Setup SortVision
        uses: ./.github/actions/setup-sortvision
        with:
          node-version: '24'

      # Fails the job on known high/critical vulnerabilities in production dependencies.
      - name: Audit production dependencies (high/critical)
        run: pnpm audit --production --audit-level=high

      - name: Write audit JSON for artifact
        if: always()
        run: (pnpm audit --production --json > audit-results.json) || echo '{}' > audit-results.json

      - name: Check for secrets
        uses: trufflesecurity/trufflehog@17456f8c7d042d8c82c9a8ca9e937231f9f42e26 # v3.95.2
        with:
          extra_args: --only-verified

      - name: Upload audit results
        if: always()
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: security-audit-results
          path: SortVision/audit-results.json
          retention-days: 90

      - name: Generate security summary
        if: always()
        run: |
          echo "## Security Scan Results" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "pnpm audit: fails on **high** and **critical** production issues." >> $GITHUB_STEP_SUMMARY
          echo "Moderate/low advisories: review \`pnpm audit\` locally or Dependabot alerts." >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "Scan completed at $(date -u +%Y-%m-%dT%H:%MZ)" >> $GITHUB_STEP_SUMMARY

  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    permissions:
      contents: read
      pull-requests: read

    steps:
      - name: Checkout repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

      - name: Dependency Review
        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
        with:
          fail-on-severity: moderate
          base-ref: ${{ github.event.pull_request.base.sha }}
          head-ref: ${{ github.event.pull_request.head.sha }}