ci: add CVE Lite dependency audit workflow #1966
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 08f94564f3
| if: always() && hashFiles('*.sarif') != '' | ||
| uses: github/codeql-action/upload-sarif@411bbbe57033eedfc1a82d68c01345aa96c737d7 # v4 | ||
| with: | ||
| sarif_file: cve-lite-*.sarif |
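Review bot: the `if: always()` condition on this upload step also fires when the job is cancelled; `if: ${{ !cancelled() }} && hashFiles('*.sarif') != ''` keeps the intended behaviour (upload even after a failed scan step) without running on cancellation. The `sarif_file: cve-lite-*.sarif` value is handed to the action as a literal path, not a glob, so it should be a fixed filename or a directory, and the `hashFiles('*.sarif')` guard (which only matches the workspace root) should be tightened to the same location so the guard and the upload agree on what is being published.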
Point upload-sarif at a real path

In runs where CVE Lite writes its timestamped `cve-lite-scan-<timestamp>.sarif`, this input is passed literally to `github/codeql-action/upload-sarif`; the upload action documents `sarif_file` as a file or directory and its implementation checks the path with `fs.existsSync`, so it does not expand `cve-lite-*.sarif`. Because the preceding `hashFiles('*.sarif')` guard will be true, the upload step fails with `Path does not exist: cve-lite-*.sarif` instead of publishing the scan results; use the workspace/directory path or a fixed filename.
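One way to close the gap the review describes is a small pre-upload step that resolves the timestamped report to a fixed filename and refuses to proceed when no report exists, so the workflow can gate `upload-sarif` on that step's result rather than on a glob. This is an added example, not code from the PR or from CVE Lite; it assumes the scanner writes `cve-lite-scan-<timestamp>.sarif` into a directory the workflow controls.

```shell
#!/bin/sh
# Added example (not from the PR): normalise CVE Lite's timestamped SARIF output
# to a fixed path so github/codeql-action/upload-sarif receives a path that exists.
# Assumption: the scanner writes cve-lite-scan-<timestamp>.sarif into SCAN_DIR.
set -eu

# collect_sarif SCAN_DIR OUT_FILE
# Picks the newest cve-lite-*.sarif in SCAN_DIR, sanity-checks it, copies it to
# OUT_FILE and prints OUT_FILE. Returns 1 (printing nothing on stdout) when no
# report is present, so a workflow step can gate the upload on this result.
collect_sarif() {
  scan_dir="$1"
  out_file="$2"
  newest=""
  for f in "$scan_dir"/cve-lite-*.sarif; do
    [ -e "$f" ] || continue          # an unmatched glob stays literal; skip it
    if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
      newest="$f"
    fi
  done
  if [ -z "$newest" ]; then
    echo "no CVE Lite SARIF report found in $scan_dir" >&2
    return 1
  fi
  # Cheap structural check: a SARIF log is a JSON object that declares "runs".
  if ! grep -q '"runs"' "$newest"; then
    echo "$newest does not look like a SARIF report" >&2
    return 1
  fi
  cp "$newest" "$out_file"
  printf '%s\n' "$out_file"
}

# Constructed demo input (not a real scan result): one timestamped report.
demo_dir="$(mktemp -d)"
printf '{"version":"2.1.0","runs":[]}\n' > "$demo_dir/cve-lite-scan-20250101T000000.sarif"
collect_sarif "$demo_dir" "$demo_dir/cve-lite.sarif"
```

In a workflow, run this in a `run:` step with `id: sarif`, write the printed path to `$GITHUB_OUTPUT`, and give `upload-sarif` `sarif_file: ${{ steps.sarif.outputs.path }}` guarded by `if: steps.sarif.outputs.path != ''`.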
This PR adds a CVE Lite CLI dependency audit workflow to the openai-node CI pipeline.
A scan of the current `pnpm-lock.yaml` found 1 high-severity advisory in a direct dependency:

Direct high-severity finding:
- `next@14.2.35` in `examples/` - authorization bypass via improper cache handling (CVE-2025-29927, GHSA-f82v-jwr5-mffw) - fix: `pnpm add --filter ./examples next@15.5.16`

The `examples/` directory is part of the published repository and runs a Next.js app that developers clone and run locally. An unpatched version of `next` in a reference implementation can propagate into downstream projects that copy the example code.

The workflow runs on push, pull request, and weekly schedule. Findings are uploaded to GitHub's Security tab as SARIF.
Tool: CVE Lite CLI is an OWASP Lab Project. It reads the lockfile locally, queries the OSV database, and surfaces direct dependency findings with actionable fix commands.