chore(deps-dev): Bump typescript-eslint from 8.58.1 to 8.59.1 #134
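---
# Security Scans: CodeQL (JS/TS), Trivy (filesystem + both Docker images),
# Dependency Review on pull requests, and a pnpm audit. Scanner output is
# uploaded as SARIF, so findings appear in the repository's Security tab.
name: Security Scans

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly, Monday 08:00 (GitHub evaluates cron schedules in UTC).
    - cron: "0 8 * * 1"

# NOTE(review): a scheduled run and a push to main both resolve to the
# refs/heads/main group, so a push can cancel an in-flight weekly scan —
# confirm that is intended.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Workflow-wide default is the minimum every job needs. A job-level
# `permissions` block REPLACES this set (unlisted scopes become none), so the
# jobs that upload SARIF re-declare contents/security-events/actions below.
# Jobs that never upload (dependency-review, npm-audit) no longer get a token
# carrying security-events: write.
permissions:
  contents: read

# NOTE(review): trivy-action is pinned to a commit SHA, while checkout,
# codeql-action, pnpm/action-setup, setup-node and dependency-review-action are
# pinned to mutable major tags — consider pinning those to commit SHAs too.
jobs:
  codeql:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # codeql-action/analyze uploads SARIF
      actions: read           # required by codeql-action on private repos
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: javascript-typescript
          queries: security-and-quality

      - name: Set up pnpm
        uses: pnpm/action-setup@v5
        with:
          version: 10

      - name: Set up Node.js
        uses: actions/setup-node@v6
        with:
          node-version: "24"
          cache: pnpm

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Generate Prisma client
        run: pnpm --filter backend db:generate

      # The build runs with VITE_API_URL set to an empty string; the
      # analysis only needs the sources compiled, not a deployable bundle.
      - name: Build project for analysis
        run: pnpm run build
        env:
          VITE_API_URL: ""

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: /language:javascript-typescript

  trivy-fs:
    name: Trivy Filesystem Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # upload-sarif
      actions: read           # required by upload-sarif on private repos
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      # exit-code "0": CRITICAL/HIGH findings are reported through SARIF but
      # never fail the job.
      - name: Run Trivy on filesystem
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          scan-type: fs
          scan-ref: .
          format: sarif
          output: trivy-fs-results.sarif
          severity: CRITICAL,HIGH
          exit-code: "0"

      - name: Upload Trivy filesystem scan results
        if: success()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: trivy-fs-results.sarif
          category: trivy-filesystem

  trivy-backend-image:
    name: Trivy Backend Docker Image Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # upload-sarif
      actions: read           # required by upload-sarif on private repos
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Build backend Docker image
        run: docker build -f docker/Dockerfile.backend -t krabbx-backend:ci .

      # exit-code "0": findings never fail the job (same as trivy-fs).
      - name: Run Trivy on backend image
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          image-ref: krabbx-backend:ci
          format: sarif
          output: trivy-backend-image.sarif
          severity: CRITICAL,HIGH
          exit-code: "0"

      - name: Upload Trivy backend image scan results
        if: success()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: trivy-backend-image.sarif
          category: trivy-backend-image

  trivy-frontend-image:
    name: Trivy Frontend Docker Image Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # upload-sarif
      actions: read           # required by upload-sarif on private repos
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Build frontend Docker image
        run: docker build -f docker/Dockerfile.frontend -t krabbx-frontend:ci .

      # NOTE(review): only this scan sets ignore-unfixed, so vulnerabilities
      # without an available fix are hidden here but shown for the backend
      # image and the filesystem scan — confirm the asymmetry is intended.
      - name: Run Trivy on frontend image
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          image-ref: krabbx-frontend:ci
          format: sarif
          output: trivy-frontend-image.sarif
          severity: CRITICAL,HIGH
          exit-code: "0"
          ignore-unfixed: true

      - name: Upload Trivy frontend image scan results
        if: success()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: trivy-frontend-image.sarif
          category: trivy-frontend-image

  # Only meaningful on pull requests: compares the PR's dependency changes
  # against the base and fails on high-or-worse advisories.
  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high

  npm-audit:
    name: npm Audit
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Set up pnpm
        uses: pnpm/action-setup@v5
        with:
          version: 10

      - name: Set up Node.js
        uses: actions/setup-node@v6
        with:
          node-version: "24"
          cache: pnpm

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      # Unlike the Trivy jobs, this one does fail the run on high+ advisories.
      - name: Run pnpm audit
        run: pnpm audit --audit-level=high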