Skip to content
Security Scan

Bump next from 14.2.35 to 16.2.0 in /sample-app in the npm_and_yarn group across 1 directory #2

Sign in to view logs

Bump next from 14.2.35 to 16.2.0 in /sample-app in the npm_and_yarn group across 1 directory

Bump next from 14.2.35 to 16.2.0 in /sample-app in the npm_and_yarn group across 1 directory #2

Workflow file for this run

.github/workflows/security-scan.yml at c611f88
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: Security Scan
on:
push:
branches: [main]
pull_request:
branches: [main]
permissions:
security-events: write
contents: read
pull-requests: read
env:
SARIF_UPLOAD_ACTION: github/codeql-action/upload-sarif@v4
jobs:
sca:
name: SCA — Dependency Review & SBOM
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v4
continue-on-error: true
with:
fail-on-severity: high
comment-summary-in-pr: always
- name: Generate SBOM
uses: anchore/sbom-action@v0
with:
format: spdx-json
output-file: sbom.spdx.json
- name: Upload SBOM artifact
uses: actions/upload-artifact@v4
with:
name: sbom
path: sbom.spdx.json
sast:
name: SAST — CodeQL Analysis
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
language: [javascript-typescript]
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
- name: Autobuild
uses: github/codeql-action/autobuild@v4
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
with:
category: codeql/${{ matrix.language }}
iac:
name: IaC — Microsoft Security DevOps
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Run Microsoft Security DevOps
uses: microsoft/security-devops-action@v1
id: msdo
with:
categories: IaC
tools: checkov,trivy,terrascan
- name: Upload IaC SARIF
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: ${{ steps.msdo.outputs.sarifFile }}
category: iac-scanning/
container:
name: Container — Trivy Image Scan
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Check for Dockerfile
id: check
run: |
if find . -name 'Dockerfile' -type f | grep -q .; then
echo "found=true" >> "$GITHUB_OUTPUT"
else
echo "found=false" >> "$GITHUB_OUTPUT"
echo "No Dockerfile found — skipping container scan"
fi
- name: Build container image
if: steps.check.outputs.found == 'true'
run: |
DOCKERFILE=$(find . -name 'Dockerfile' -type f | head -1)
if [ -n "$DOCKERFILE" ]; then
docker build -t scan-target:latest -f "$DOCKERFILE" .
fi
- name: Run Trivy container scan
if: steps.check.outputs.found == 'true'
uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: scan-target:latest
format: sarif
output: trivy-container.sarif
severity: CRITICAL,HIGH
- name: Upload container SARIF
uses: github/codeql-action/upload-sarif@v4
if: always() && steps.check.outputs.found == 'true'
with:
sarif_file: trivy-container.sarif
category: container-scanning/
dast:
name: DAST — ZAP Baseline Scan
runs-on: ubuntu-latest
if: vars.DAST_TARGET_URL != ''
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: ZAP Baseline Scan
uses: zaproxy/action-baseline@v0.14.0
with:
target: ${{ vars.DAST_TARGET_URL }}
cmd_options: '-J zap-report.json'
allow_issue_writing: false
- name: Convert ZAP JSON to SARIF
if: always()
run: |
npm install -g @microsoft/sarif-multitool || true
if command -v sarif-multitool &> /dev/null && [ -f zap-report.json ]; then
sarif-multitool convert zap-report.json --tool ZAP --output zap-results.sarif
fi
- name: Upload DAST SARIF
uses: github/codeql-action/upload-sarif@v4
if: always() && hashFiles('zap-results.sarif') != ''
with:
sarif_file: zap-results.sarif
category: dast/