
ci: add security scanning workflow with Gitleaks, Trivy, and npm audit #46


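# Security scanning workflow: secret detection (Gitleaks), dependency
# vulnerability scan (Trivy) and npm audit. Runs on pushes to main, on every
# pull request, on a weekly schedule and on manual dispatch.
name: security

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    # Weekly (Mondays, 06:00 UTC) so advisories published against an
    # unchanged dependency set are still picked up.
    - cron: "0 6 * * 1"
  workflow_dispatch:

# Least privilege: the scanning jobs only need to read the checkout.
# NOTE(review): gitleaks-action can post findings as PR comments; if that
# requires `pull-requests: write`, grant it on the gitleaks job only — confirm
# against the action's documentation.
permissions:
  contents: read

# One run per ref. In-flight runs on branches are superseded by newer pushes;
# runs on main are never cancelled.
concurrency:
  group: security-${{ github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

jobs:
  gitleaks:
    name: Secret detection
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # Full history so the whole commit range, not just HEAD, is scanned.
          fetch-depth: 0
      - name: Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  trivy:
    name: Vulnerability scan
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version-file: .nvmrc
          cache: npm
      - name: Install dependencies
        # --ignore-scripts: this job only scans the dependency tree and never
        # runs the packages, so dependency lifecycle scripts (pre/postinstall)
        # are not executed on the runner.
        run: npm ci --ignore-scripts
      - name: Trivy filesystem scan
        # TODO(review): pin to a release tag or commit SHA. A mutable branch
        # ref lets the scanner's code change underneath this workflow.
        uses: aquasecurity/trivy-action@master
        with:
          # Scans the checked-out tree (lockfile plus the installed
          # node_modules) for known vulnerabilities.
          scan-type: fs
          severity: HIGH,CRITICAL
          # Non-zero exit fails the job when a HIGH/CRITICAL finding is present.
          exit-code: 1

  npm-audit:
    name: npm audit
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version-file: .nvmrc
          cache: npm
      - name: Install dependencies
        # --ignore-scripts for the same reason as in the trivy job: the audit
        # reads the lockfile and never executes the installed packages.
        run: npm ci --ignore-scripts
      - name: Audit production dependencies
        # --omit=dev limits the report to dependencies present in a production
        # install; --audit-level=high fails only on HIGH/CRITICAL advisories.
        run: npm audit --audit-level=high --omit=dev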