Skip to content
Security

(build): front back #2

Sign in to view logs

(build): front back

(build): front back #2

Workflow file for this run

.github/workflows/security.yml at 81d432f
# ============================================================================
# Security Scanning Workflow
# ============================================================================
#
# Runs security checks on:
# - All pushes to main
# - All pull requests
# - Weekly schedule (Sundays at midnight)
#
# ============================================================================
name: Security
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
# Run weekly on Sunday at midnight UTC
- cron: '0 0 * * 0'
jobs:
audit:
name: πŸ”’ Dependency Audit
runs-on: ubuntu-latest
steps:
- name: πŸ“¦ Checkout Code
uses: actions/checkout@v4
- name: πŸ₯Ÿ Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: latest
- name: πŸ“₯ Install Dependencies
run: bun install --frozen-lockfile --ignore-scripts
- name: πŸ” Run Bun Audit
run: |
echo "πŸ” Checking for known vulnerabilities..."
# Run bun pm audit (returns non-zero if vulnerabilities found)
# Use || true to capture output even on failure
bun pm audit 2>&1 | tee audit-results.txt || AUDIT_FAILED=true
# Count vulnerabilities by severity
CRITICAL=$(grep -c "critical" audit-results.txt 2>/dev/null || echo "0")
HIGH=$(grep -c "high" audit-results.txt 2>/dev/null || echo "0")
MODERATE=$(grep -c "moderate" audit-results.txt 2>/dev/null || echo "0")
LOW=$(grep -c "low" audit-results.txt 2>/dev/null || echo "0")
echo ""
echo "πŸ“Š Vulnerability Summary:"
echo " Critical: $CRITICAL"
echo " High: $HIGH"
echo " Moderate: $MODERATE"
echo " Low: $LOW"
# Fail on critical or high vulnerabilities
if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then
echo ""
echo "❌ Critical/High vulnerabilities found!"
echo " Please review audit-results.txt and update affected packages."
exit 1
fi
echo ""
echo "βœ… No critical/high vulnerabilities found"
- name: πŸ“€ Upload Audit Results
if: always()
uses: actions/upload-artifact@v4
with:
name: audit-results
path: audit-results.txt
retention-days: 30
# Optional: Add Snyk scanning if SNYK_TOKEN is configured
snyk:
name: 🐍 Snyk Scan
runs-on: ubuntu-latest
if: ${{ vars.ENABLE_SNYK == 'true' }}
continue-on-error: true # Don't block PRs if Snyk is not configured
steps:
- name: πŸ“¦ Checkout Code
uses: actions/checkout@v4
- name: πŸ₯Ÿ Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: latest
- name: πŸ“₯ Install Dependencies
run: bun install --frozen-lockfile --ignore-scripts
- name: 🐍 Run Snyk
uses: snyk/actions/node@master
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --severity-threshold=high
- name: πŸ“€ Upload Snyk Results
if: always()
uses: github/codeql-action/upload-sarif@v3
continue-on-error: true
with:
sarif_file: snyk.sarif