Thank you for improving CVE Radar. This guide covers local checks and CI expectations.
make setup
make devWorkflows are grouped by prefix under .github/workflows/. Full map: .github/CI-CD.md.
| Category | CI job | Local command |
|---|---|---|
| CI | App (lint · typecheck · build) | make check |
| CI | Extended docs (MkDocs strict) | make extended-docs-check |
| CI | Docker image (build only) | docker build -t cve-radar:ci . |
| Security | npm audit | npm audit --omit=dev --audit-level=high |
| Security | pip audit | pip install pip-audit && pip-audit -r extended-docs/requirements.txt --strict |
| Security | dependency-review | Automatic on PRs (security-dependency-review.yml) |
| Security | CodeQL Analyze (javascript-typescript) | security-codeql.yml |
| Security | Trivy | docker build -t cve-radar:scan . then Trivy (security-container-trivy.yml) |
| Quality | Run tests and collect coverage | npm run test:ci → quality-codecov.yml |
| Quality | SonarCloud Code Analysis | npm run test:ci → .github/SONARCLOUD.md |
On the default branch, require at least:
- App (lint · typecheck · build)
- npm audit
- pip audit
- dependency-review (PRs)
- Extended docs (MkDocs strict)
- Analyze (javascript-typescript)
- SonarCloud Code Analysis (when
SONAR_TOKENis configured) - Run tests and collect coverage (optional; when
CODECOV_TOKENis set)
See .github/workflows/README.md and .github/ACTIONS-SECRETS.md.
- Update all six UI locales in
src/i18n/messages/when adding strings. - Product or API changes: sync
extended-docs/chapters and glossary. - Run
make checkbefore opening a PR.
- Dependabot and bot issues skip AI summarization.
- Add label
no-ai-summaryto opt out of the summarizer workflow.
npm run agent:installCopies agent/rules and agent/skills into .cursor/ after clone.