Expand file tree Collapse file tree Original file line number Diff line number Diff line change 1+ # CodeQL is FREE on public repos. On private repos the SARIF upload step
2+ # requires GitHub Advanced Security. This job auto-skips when the repo is
3+ # private so the workflow doesn't fail loudly — flip the repo public and it
4+ # runs automatically.
5+
6+ name : codeql
7+
8+ on :
9+ pull_request :
10+ branches : [master, main]
11+ push :
12+ branches : [master, main]
13+ schedule :
14+ - cron : " 21 4 * * 1"
15+
16+ jobs :
17+ analyze :
18+ name : analyze (${{ matrix.language }})
19+ if : ${{ github.event.repository.visibility == 'public' }}
20+ runs-on : ubuntu-latest
21+ permissions :
22+ actions : read
23+ contents : read
24+ security-events : write
25+
26+ strategy :
27+ fail-fast : false
28+ matrix :
29+ language : [javascript-typescript]
30+
31+ steps :
32+ - uses : actions/checkout@v4
33+ - uses : github/codeql-action/init@v3
34+ with :
35+ languages : ${{ matrix.language }}
36+ queries : security-and-quality
37+ - uses : github/codeql-action/autobuild@v3
38+ - uses : github/codeql-action/analyze@v3
39+ with :
40+ category : " /language:${{ matrix.language }}"
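Review bot: The `if: ${{ github.event.repository.visibility == 'public' }}` gate on the `analyze` job appears to skip the weekly `schedule` run entirely, because the `schedule` event payload carries no `repository` object, so the expression evaluates against an empty value and is never `'public'`; only `push` and `pull_request` runs would ever execute. If the intent is to keep the cron, the cheapest fix is `if: ${{ github.event_name == 'schedule' || github.event.repository.visibility == 'public' }}`, with the caveat that a scheduled run on a private repo would then fail at SARIF upload as the header comment warns; a more robust gate is a first step that queries the repo via `gh api` and exposes visibility as a step output. Separately, `actions/checkout@v4` and the three `github/codeql-action/*@v3` references are mutable tags; for a security workflow that has `security-events: write`, pin each to a full commit SHA with the tag in a trailing comment so a compromised or force-moved tag cannot change what runs.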
Original file line number Diff line number Diff line change 1+ name : security
2+
3+ on :
4+ pull_request :
5+ branches : [master, main]
6+ push :
7+ branches : [master, main]
8+ schedule :
9+ - cron : " 11 6 * * 1"
10+
11+ jobs :
12+ semgrep :
13+ name : semgrep
14+ runs-on : ubuntu-latest
15+ if : github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
16+ container :
17+ image : semgrep/semgrep
18+ steps :
19+ - uses : actions/checkout@v4
20+ - run : |
21+ semgrep scan --error --severity ERROR \
22+ --config p/javascript \
23+ --config p/typescript \
24+ --config p/owasp-top-ten \
25+ --config p/secrets
26+
27+ npm-audit :
28+ name : npm audit
29+ runs-on : ubuntu-latest
30+ steps :
31+ - uses : actions/checkout@v4
32+ - uses : actions/setup-node@v4
33+ with :
34+ node-version : 20
35+ - name : Audit (skip when no package.json)
36+ run : |
37+ if [ -f package.json ]; then
38+ (npm ci --no-audit --no-fund 2>/dev/null || npm install --no-audit --no-fund)
39+ npm audit --audit-level=high
40+ else
41+ echo "no package.json — skipping npm audit"
42+ fi
43+
44+ gitleaks :
45+ name : gitleaks
46+ runs-on : ubuntu-latest
47+ steps :
48+ - uses : actions/checkout@v4
49+ with :
50+ fetch-depth : 0
51+ - name : Install gitleaks
52+ run : |
53+ VERSION=8.21.2
54+ curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz" \
55+ | tar -xz -C /usr/local/bin gitleaks
56+ gitleaks version
57+ - name : Scan history
58+ run : gitleaks detect --source . --redact --verbose --no-banner --exit-code 1
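Review bot: The `npm-audit` job installs the PR's dependency tree with lifecycle scripts enabled (`npm ci ... || npm install ...`), and because the file sets no `permissions:` block the job runs with the repository's default token scope, unlike the `semgrep` job which at least gates on same-repo PRs; an audit does not need scripts to run, so the install line should be `(npm ci --ignore-scripts --no-audit --no-fund 2>/dev/null || npm install --package-lock-only --ignore-scripts --no-audit --no-fund)` (`--package-lock-only` still produces the lockfile `npm audit` needs without executing anything), and a top-level `permissions:` with `contents: read` should be added so every job is read-only by default. The `gitleaks` install step pipes an unverified tarball from a `curl` download straight into `/usr/local/bin`; pin the expected SHA-256 of `gitleaks_8.21.2_linux_x64.tar.gz` and run `sha256sum -c` on the downloaded file before extracting, since a secrets scanner is exactly the binary an attacker on the download path would want to replace. Finally, all `actions/*@v4` references here are mutable tags and should be pinned to commit SHAs for the same reason.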