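---
# Security scanning workflow: npm audit, Trivy filesystem scan, Gitleaks secret
# detection, CodeQL analysis and dependency review.
name: security

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:
  schedule:
    # Weekly run (Mondays, 06:00 UTC) picks up advisories published for
    # dependencies that have not changed since the last push.
    - cron: "0 6 * * 1"
  workflow_dispatch:

# Read-only token by default; jobs that need more opt in with a job-level block.
permissions:
  contents: read

concurrency:
  group: security-${{ github.ref }}
  # Superseded runs on branches and pull requests are cancelled; runs on main
  # always finish.
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

jobs:
  npm-audit:
    name: npm audit
    # Pull requests from forks are skipped: this job runs on self-hosted
    # runners, so only same-repository branches execute there.
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    runs-on:
      - self-hosted
      - macOS
      - ARM64
      - patchloom-vscode
    timeout-minutes: 5
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          # The token is not needed after checkout; do not leave it in .git/config.
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: .nvmrc
          cache: npm
      - name: Install dependencies
        # The audit only needs the dependency tree, so package lifecycle scripts
        # (preinstall/postinstall/prepare) are skipped rather than run on the
        # self-hosted runner.
        run: npm ci --ignore-scripts
      - name: Audit production dependencies
        run: npm audit --audit-level=high --omit=dev

  trivy:
    name: Trivy vulnerability scan
    # Same fork guard as npm-audit: self-hosted runners only take
    # same-repository code.
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    runs-on:
      - self-hosted
      - macOS
      - ARM64
      - patchloom-vscode
    timeout-minutes: 10
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: .nvmrc
          cache: npm
      - name: Install dependencies
        # Populates node_modules for the filesystem scan; lifecycle scripts are
        # not required for that and are skipped on the self-hosted runner.
        run: npm ci --ignore-scripts
      - name: Run Trivy filesystem scan
        # Fails the job on any HIGH/CRITICAL vulnerability or misconfiguration.
        run: trivy fs --scanners vuln,misconfig --severity HIGH,CRITICAL --exit-code 1 .

  gitleaks:
    name: Gitleaks secret detection
    # Same fork guard as npm-audit: self-hosted runners only take
    # same-repository code.
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    runs-on:
      - self-hosted
      - macOS
      - ARM64
      - patchloom-vscode
    timeout-minutes: 5
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          persist-credentials: false
          # Full history so the scan covers every commit, not just the
          # checked-out tree.
          fetch-depth: 0
      - name: Run Gitleaks
        run: gitleaks detect --source . --verbose

  codeql:
    name: CodeQL analysis
    # Only runs for public repositories.
    if: ${{ !github.event.repository.private }}
    runs-on: ubuntu-latest
    timeout-minutes: 15
    # A job-level permissions block replaces the workflow-level one entirely,
    # so contents: read is restated here next to the permission CodeQL needs
    # to upload results to code scanning.
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          persist-credentials: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
        with:
          languages: javascript-typescript,actions
      - name: Autobuild
        uses: github/codeql-action/autobuild@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3

  dependency-review:
    name: Dependency review
    # Pull requests on public repositories only: the action compares the base
    # and head dependency manifests of the pull request.
    if: ${{ !github.event.repository.private && github.event_name == 'pull_request' }}
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          persist-credentials: false
      - name: Dependency review
        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
        with:
          # Blocks the pull request when a newly introduced dependency carries
          # a high or critical advisory.
          fail-on-severity: high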