diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c602d0130..19eb57fe0 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -62,40 +62,6 @@ jobs: run: yarn lint if: success() - audit-ci: - name: Run audit-ci - needs: prebuild - runs-on: ubuntu-latest - timeout-minutes: 15 - steps: - - name: Checkout repo - uses: actions/checkout@v3 - with: - fetch-depth: 0 - submodules: true - - - name: Install Node.js v16 - uses: actions/setup-node@v3 - with: - node-version: "16" - - - name: Fetch dependencies from cache - id: cache-yarn - uses: actions/cache@v3 - with: - path: "**/node_modules" - key: yarn-build-${{ hashFiles('**/yarn.lock') }} - restore-keys: | - yarn-build- - - - name: Install dependencies - if: steps.cache-yarn.outputs.cache-hit != 'true' - run: yarn --frozen-lockfile - - - name: Audit for vulnerabilities - run: yarn _audit - if: success() - build: name: Build needs: prebuild @@ -596,30 +562,3 @@ jobs: - name: Remove release packages and test artifacts run: rm -rf ./release-packages ./test/test-results - - trivy-scan-repo: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - runs-on: ubuntu-20.04 - steps: - - name: Checkout repo - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@d63413b0a4a4482237085319f7f4a1ce99a8f2ac - with: - scan-type: "fs" - scan-ref: "." - ignore-unfixed: true - format: "template" - template: "@/contrib/sarif.tpl" - output: "trivy-repo-results.sarif" - severity: "HIGH,CRITICAL" - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: "trivy-repo-results.sarif" diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml deleted file mode 100644 index 56339a1cc..000000000 --- a/.github/workflows/codeql-analysis.yml +++ /dev/null @@ -1,47 +0,0 @@ -name: "Code Scanning" - -on: - push: - branches: [main] - pull_request: - # The branches below must be a subset of the branches above - branches: [main] - schedule: - # Runs every Monday morning PST - - cron: "17 15 * * 1" - -# Cancel in-progress runs for pull requests when developers push -# additional changes, and serialize builds in branches. -# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: ${{ github.event_name == 'pull_request' }} - -permissions: - contents: read - -jobs: - analyze: - permissions: - actions: read # for github/codeql-action/init to get workflow details - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/autobuild to send a status report - name: Analyze - runs-on: ubuntu-20.04 - - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - config-file: ./.github/codeql-config.yml - languages: javascript - - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml new file mode 100644 index 000000000..80d73ddbf --- /dev/null +++ b/.github/workflows/security.yaml @@ -0,0 +1,103 @@ +name: "Security Scanning" + +on: + push: + branches: [main] + pull_request: + # The branches below must be a subset of the branches above + branches: [main] + schedule: + # Runs every Monday morning PST + - cron: "17 15 * * 1" + +# Cancel in-progress runs for pull requests when developers push +# additional changes, and serialize builds in branches. +# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + +jobs: + audit-ci: + name: Run audit-ci + runs-on: ubuntu-latest + timeout-minutes: 15 + steps: + - name: Checkout repo + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Install Node.js v16 + uses: actions/setup-node@v3 + with: + node-version: "16" + + - name: Fetch dependencies from cache + id: cache-yarn + uses: actions/cache@v3 + with: + path: "**/node_modules" + key: yarn-build-${{ hashFiles('**/yarn.lock') }} + restore-keys: | + yarn-build- + + - name: Install dependencies + if: steps.cache-yarn.outputs.cache-hit != 'true' + run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile + + - name: Audit for vulnerabilities + run: yarn _audit + if: success() + + trivy-scan-repo: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-20.04 + steps: + - name: Checkout repo + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@d63413b0a4a4482237085319f7f4a1ce99a8f2ac + with: + scan-type: "fs" + scan-ref: "." + ignore-unfixed: true + format: "template" + template: "@/contrib/sarif.tpl" + output: "trivy-repo-results.sarif" + severity: "HIGH,CRITICAL" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-repo-results.sarif" + + codeql-analyze: + permissions: + actions: read # for github/codeql-action/init to get workflow details + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/autobuild to send a status report + name: Analyze + runs-on: ubuntu-20.04 + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + config-file: ./.github/codeql-config.yml + languages: javascript + + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2