Skip to content

Commit a8cbdbb

Browse files
ci(security): add Snyk and ReversingLabs scanning pipelines
1 parent 6cb2541 commit a8cbdbb

4 files changed

Lines changed: 65 additions & 2 deletions

File tree

.github/workflows/release.yml

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -32,8 +32,29 @@ jobs:
3232
- name: Install dependencies
3333
run: npm ci
3434

35+
- name: Set up Python
36+
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
37+
with:
38+
python-version: "3.10"
39+
40+
- name: Configure AWS credentials
41+
uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
42+
with:
43+
role-to-assume: ${{ secrets.PRODSEC_TOOLS_ARN }}
44+
aws-region: us-east-1
45+
mask-aws-account-id: true
46+
47+
- name: Install rl-wrapper
48+
env:
49+
WRAPPER_INDEX_URL: "https://${{ secrets.PRODSEC_TOOLS_USER }}:${{ secrets.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
50+
run: pip install "rl-wrapper>=1.0.0" --index-url $WRAPPER_INDEX_URL
51+
3552
- name: Release
3653
env:
3754
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
3855
NPM_CONFIG_PROVENANCE: true
56+
RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
57+
RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
58+
SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
59+
PYTHONUNBUFFERED: 1
3960
run: npx semantic-release

.github/workflows/semgrep.yml

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,10 @@
11
name: Semgrep
22

33
on:
4-
pull_request_target: {}
4+
pull_request:
5+
types:
6+
- opened
7+
- synchronize
58
push:
69
branches: ["master", "main"]
710
permissions:
@@ -14,7 +17,7 @@ jobs:
1417
image: returntocorp/semgrep
1518
if: (github.actor != 'dependabot[bot]' && github.actor != 'snyk-bot')
1619
steps:
17-
- uses: actions/checkout@v3
20+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
1821
- run: semgrep ci
1922
env:
2023
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

.github/workflows/snyk.yml

Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,38 @@
1+
name: Snyk
2+
3+
on:
4+
merge_group:
5+
workflow_dispatch:
6+
pull_request:
7+
types:
8+
- opened
9+
- synchronize
10+
push:
11+
branches:
12+
- master
13+
schedule:
14+
- cron: '30 0 1,15 * *'
15+
16+
permissions:
17+
contents: read
18+
19+
concurrency:
20+
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
21+
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
22+
23+
jobs:
24+
check:
25+
name: Check for Vulnerabilities
26+
runs-on: ubuntu-latest
27+
28+
steps:
29+
- if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
30+
run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
31+
32+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
33+
with:
34+
ref: ${{ github.event.pull_request.head.sha || github.ref }}
35+
36+
- uses: snyk/actions/node@9adf32b1121593767fc3c057af55b55db032dc04 # pin@1.0.0
37+
env:
38+
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

.releaserc.json

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,7 @@
1313
[
1414
"@semantic-release/exec",
1515
{
16+
"verifyReleaseCmd": "ARTIFACT=$(npm pack --ignore-scripts | tail -1) && rl-wrapper --artifact \"$ARTIFACT\" --name node-xml-encryption --version ${nextRelease.version} --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --build-env github_actions --suppress_output",
1617
"prepareCmd": "git diff --exit-code"
1718
}
1819
],

0 commit comments

Comments
 (0)