name: Security on: push: branches: [main] paths: - "package.json" pull_request: paths: - "package.json" schedule: # Runs every Monday morning PST - cron: "17 15 * * 1" # Cancel in-progress runs for pull requests when developers push additional # changes, and serialize builds in branches. concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.event_name == 'pull_request' }} jobs: audit-ci: name: Audit node modules runs-on: ubuntu-latest timeout-minutes: 15 steps: - name: Checkout repo uses: actions/checkout@v4 with: fetch-depth: 0 - name: Install Node.js uses: actions/setup-node@v4 with: node-version-file: .node-version - name: Audit yarn for vulnerabilities run: yarn audit if: success() - name: Audit npm for vulnerabilities run: npm shrinkwrap && npm audit if: success() trivy-scan-repo: name: Scan repo with Trivy permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-20.04 steps: - name: Checkout repo uses: actions/checkout@v4 with: fetch-depth: 0 - name: Run Trivy vulnerability scanner in repo mode uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 with: scan-type: "fs" scan-ref: "." ignore-unfixed: true format: "template" template: "@/contrib/sarif.tpl" output: "trivy-repo-results.sarif" severity: "HIGH,CRITICAL" - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 with: sarif_file: "trivy-repo-results.sarif" codeql-analyze: permissions: actions: read # for github/codeql-action/init to get workflow details contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/autobuild to send a status report name: Analyze with CodeQL runs-on: ubuntu-20.04 steps: - name: Checkout repository uses: actions/checkout@v4 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: config-file: ./.github/codeql-config.yml languages: javascript - name: Autobuild uses: github/codeql-action/autobuild@v3 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3