acc50a5d36
* Update dependencies and force-update qs This is mainly an attempt to get rid of as many resolutions as possible since it seems they are unnecessary except for qs (according to yarn/npm audit). For qs use 6.9.7 since Express is using 6.9.6 and that matches the most closely. Also add overrides since this is npm's version of yarn's resolutions and we need it for the shrinkwrap to generate with the right dependencies. Decided to keep pinning @types/node as well although I am not sure it is necessary. Express is pulling in v20 types. Since this is development-only we only need it in resolutions. * Run formatter Some rules seem to have changed with the dependency updates. * Replace deprecated bodyParser.json() usage * Audit npm shrinkwrap as well * Skip installing dependencies in audit It seems the tools only require the lock files. * Fix tests when using ipv6 * Add missing openssl dependency to flake
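---
# Security workflow: dependency audit (yarn + npm), Trivy filesystem scan and
# CodeQL analysis. Trivy and CodeQL findings are uploaded to the GitHub
# Security tab, which is why only those two jobs need `security-events: write`.
name: Security

on:
  push:
    branches: [main]
    paths:
      - "package.json"
  pull_request:
    paths:
      - "package.json"
  # NOTE(review): the paths filters above only match package.json, so a change
  # that touches only a lock file is not audited until the next scheduled run —
  # confirm that is intended.
  schedule:
    # Runs every Monday morning PST (15:17 UTC)
    - cron: "17 15 * * 1"

# Cancel in-progress runs for pull requests when developers push additional
# changes, and serialize builds in branches.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  audit-ci:
    name: Audit node modules
    # Least privilege, consistent with the other jobs: the audit only reads the
    # checked-out lock files and never writes to the repository or the Security
    # tab, so the job token needs nothing beyond read access to contents.
    permissions:
      contents: read # for actions/checkout to fetch code
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
        with:
          # NOTE(review): full history is probably not needed just to audit the
          # lock files; a shallow checkout would be cheaper — confirm.
          fetch-depth: 0

      - name: Install Node.js v18
        uses: actions/setup-node@v3
        with:
          node-version: "18"

      # Dependencies are deliberately not installed: the audit tools only need
      # the lock files. Each step runs only if the previous ones succeeded,
      # which is the default, so no explicit `if: success()` is required.
      - name: Audit yarn for vulnerabilities
        run: yarn audit

      - name: Audit npm for vulnerabilities
        run: npm shrinkwrap && npm audit

  trivy-scan-repo:
    name: Scan repo with Trivy
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
    # NOTE(review): this job pins ubuntu-20.04 while audit-ci uses
    # ubuntu-latest, and it has no timeout-minutes (default is 360) — confirm
    # both are deliberate.
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      # The Trivy action is pinned to an immutable commit SHA; the other
      # actions in this file are pinned to mutable major tags (@v2/@v3).
      # Pinning those to full SHAs as well would close the same
      # supply-chain gap for every step.
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54
        with:
          scan-type: "fs"
          scan-ref: "."
          # Only report findings that already have a fix available.
          ignore-unfixed: true
          format: "template"
          template: "@/contrib/sarif.tpl"
          output: "trivy-repo-results.sarif"
          severity: "HIGH,CRITICAL"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: "trivy-repo-results.sarif"

  codeql-analyze:
    permissions:
      actions: read # for github/codeql-action/init to get workflow details
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/autobuild to send a status report
    name: Analyze with CodeQL
    # NOTE(review): same ubuntu-20.04 pin and missing timeout as trivy-scan-repo.
    runs-on: ubuntu-20.04

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          config-file: ./.github/codeql-config.yml
          languages: javascript

      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2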