
Commit 656c82c

ralyodioclaude
andcommitted
add free security workflows (semgrep + npm audit + gitleaks, codeql when public)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 6c41d3e commit 656c82c

2 files changed

Lines changed: 98 additions & 0 deletions


.github/workflows/codeql.yml

Lines changed: 40 additions & 0 deletions
@@ -0,0 +1,40 @@
1+
# CodeQL is FREE on public repos. On private repos the SARIF upload step
2+
# requires GitHub Advanced Security. This job auto-skips when the repo is
3+
# private so the workflow doesn't fail loudly — flip the repo public and it
4+
# runs automatically.
5+
6+
name: codeql
7+
8+
on:
9+
pull_request:
10+
branches: [master, main]
11+
push:
12+
branches: [master, main]
13+
schedule:
14+
- cron: "21 4 * * 1"
15+
16+
jobs:
17+
analyze:
18+
name: analyze (${{ matrix.language }})
19+
if: ${{ github.event.repository.visibility == 'public' }}
20+
runs-on: ubuntu-latest
21+
permissions:
22+
actions: read
23+
contents: read
24+
security-events: write
25+
26+
strategy:
27+
fail-fast: false
28+
matrix:
29+
language: [javascript-typescript]
30+
31+
steps:
32+
- uses: actions/checkout@v4
33+
- uses: github/codeql-action/init@v3
34+
with:
35+
languages: ${{ matrix.language }}
36+
queries: security-and-quality
37+
- uses: github/codeql-action/autobuild@v3
38+
- uses: github/codeql-action/analyze@v3
39+
with:
40+
category: "/language:${{ matrix.language }}"
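Review bot: The `if: ${{ github.event.repository.visibility == 'public' }}` gate on the analyze job reads the event payload, and I believe the `schedule` trigger carries no `repository` object, so the weekly run this workflow sets up would silently skip even on a public repo — worth confirming with one scheduled run. If it does skip, move the check into a step that asks the API (`gh api repos/${{ github.repository }} --jq .visibility` with `GH_TOKEN: ${{ github.token }}` in its env) and gate the later steps on that step's output. Separately, every action here and in security.yml is referenced by a floating major tag (`actions/checkout@v4`, `github/codeql-action/*@v3`, `actions/setup-node@v4`), which a retargeted tag can redirect to different code. Pinning each to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, removes that exposure at no cost.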

.github/workflows/security.yml

Lines changed: 58 additions & 0 deletions
@@ -0,0 +1,58 @@
1+
name: security
2+
3+
on:
4+
pull_request:
5+
branches: [master, main]
6+
push:
7+
branches: [master, main]
8+
schedule:
9+
- cron: "11 6 * * 1"
10+
11+
jobs:
12+
semgrep:
13+
name: semgrep
14+
runs-on: ubuntu-latest
15+
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
16+
container:
17+
image: semgrep/semgrep
18+
steps:
19+
- uses: actions/checkout@v4
20+
- run: |
21+
semgrep scan --error --severity ERROR \
22+
--config p/javascript \
23+
--config p/typescript \
24+
--config p/owasp-top-ten \
25+
--config p/secrets
26+
27+
npm-audit:
28+
name: npm audit
29+
runs-on: ubuntu-latest
30+
steps:
31+
- uses: actions/checkout@v4
32+
- uses: actions/setup-node@v4
33+
with:
34+
node-version: 20
35+
- name: Audit (skip when no package.json)
36+
run: |
37+
if [ -f package.json ]; then
38+
(npm ci --no-audit --no-fund 2>/dev/null || npm install --no-audit --no-fund)
39+
npm audit --audit-level=high
40+
else
41+
echo "no package.json — skipping npm audit"
42+
fi
43+
44+
gitleaks:
45+
name: gitleaks
46+
runs-on: ubuntu-latest
47+
steps:
48+
- uses: actions/checkout@v4
49+
with:
50+
fetch-depth: 0
51+
- name: Install gitleaks
52+
run: |
53+
VERSION=8.21.2
54+
curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz" \
55+
| tar -xz -C /usr/local/bin gitleaks
56+
gitleaks version
57+
- name: Scan history
58+
run: gitleaks detect --source . --redact --verbose --no-banner --exit-code 1
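Review bot: Neither the workflow nor any of its three jobs declares `permissions`, so GITHUB_TOKEN runs with whatever the repository default is, which depending on the setting may include write scopes; semgrep, npm audit and gitleaks only read the checkout, so add `permissions:` / `  contents: read` at the top of the file, mirroring what codeql.yml already does per job. The gitleaks install step pipes a release tarball from curl straight into tar with no integrity check, so a swapped or corrupted asset runs unverified as the scanner; pinning the expected sha256 in the workflow and verifying before extraction closes that, as sketched below. In npm-audit, the `npm ci`/`npm install` fallback executes dependency lifecycle scripts from the commit under review although the audit only needs the lockfile resolved, so add `--ignore-scripts` to both commands. The semgrep job runs `image: semgrep/semgrep` with no tag or digest, so the scanner version drifts silently between runs; pin it to a specific tag or digest the same way.

```yaml
      - name: Install gitleaks
        run: |
          VERSION=8.21.2
          TARBALL="gitleaks_${VERSION}_linux_x64.tar.gz"
          # placeholder: paste the sha256 published alongside the v${VERSION} release asset
          EXPECTED_SHA256="<SHA256_OF_RELEASE_TARBALL>"
          curl -sSLO "https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}/${TARBALL}"
          echo "${EXPECTED_SHA256}  ${TARBALL}" | sha256sum -c -
          tar -xzf "${TARBALL}" -C /usr/local/bin gitleaks
          gitleaks version
      # … unchanged: Scan history step …
```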
