chore(deps): Bump github/codeql-action from 3.36.2 to 4.36.2 #77

Workflow file for this run

.github/workflows/security.yml at 0383226

	name: security

	on:
	push:
	branches: [main]
	pull_request:
	schedule:
	- cron: "0 6 * * 1"
	workflow_dispatch:

	permissions:
	contents: read

	concurrency:
	group: security-${{ github.ref }}
	cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

	jobs:
	npm-audit:
	name: npm audit
	runs-on: ubuntu-latest
	timeout-minutes: 5
	steps:
	- name: Checkout
	uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
	with:
	persist-credentials: false

	- name: Setup Node.js
	uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
	with:
	node-version-file: .nvmrc
	cache: npm

	- name: Install dependencies
	run: npm ci

	- name: Audit production dependencies
	run: npm audit --audit-level=high --omit=dev

	trivy:
	name: Trivy vulnerability scan
	runs-on: ubuntu-latest
	timeout-minutes: 10
	steps:
	- name: Checkout
	uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
	with:
	persist-credentials: false

	- name: Setup Node.js
	uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
	with:
	node-version-file: .nvmrc
	cache: npm

	- name: Install dependencies
	run: npm ci

	- name: Run Trivy filesystem scan
	uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
	with:
	scan-type: fs
	scanners: vuln,misconfig
	severity: HIGH,CRITICAL
	exit-code: "1"

	gitleaks:
	name: Gitleaks secret detection
	runs-on: ubuntu-latest
	timeout-minutes: 5
	steps:
	- name: Checkout
	uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
	with:
	persist-credentials: false
	fetch-depth: 0

	- name: Run Gitleaks
	uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
	env:
	GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

	codeql:
	name: CodeQL analysis
	runs-on: ubuntu-latest
	timeout-minutes: 15
	permissions:
	security-events: write
	steps:
	- name: Checkout
	uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
	with:
	persist-credentials: false

	- name: Initialize CodeQL
	uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
	with:
	languages: javascript-typescript,actions

	- name: Autobuild
	uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2

	- name: Perform CodeQL analysis
	uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2

	dependency-review:
	name: Dependency review
	if: github.event_name == 'pull_request'
	runs-on: ubuntu-latest
	timeout-minutes: 5
	steps:
	- name: Checkout
	uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
	with:
	persist-credentials: false

	- name: Dependency review
	uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
	with:
	fail-on-severity: high

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): Bump github/codeql-action from 3.36.2 to 4.36.2 #77

Workflow file

chore(deps): Bump github/codeql-action from 3.36.2 to 4.36.2 #77

Uh oh!

Workflow file for this run