
Commit 3f9f9a7

quickie
1 parent 7527657 commit 3f9f9a7

1 file changed

+28
-6
lines changed


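--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -192,21 +192,43 @@ jobs:
 name: Load fixtures in test application
 run: (cd tests/Application && bin/console sylius:fixtures:load -n)
 
-- name: Run security checks
+- name: Run Security Checks
 run: |
 set -e
-composer audit --no-interaction
-
-symfony security:check --format=json > security.json || true
+
+composer audit --no-interaction --format=json > composer-audit.json || AUDIT_EXIT=$?
+
+if [ "${AUDIT_EXIT:-0}" -ne 0 ]; then
+IGNORED=$(jq -r '.config.audit.ignore[]?' composer.json | sort || true)
+FOUND=$(jq -r '.advisories[].advisories[].cve? // empty' composer-audit.json | sort | uniq)
+
+DIFF=$(comm -23 <(echo "$FOUND") <(echo "$IGNORED"))
+
+if [ -n "$DIFF" ]; then
+echo "❌ New vulnerabilities found by Composer audit:"
+echo "$DIFF"
+exit 1
+else
+echo "✅ Only ignored CVEs found in Composer audit."
+fi
+else
+echo "✅ No vulnerabilities found by Composer audit."
+fi
+
+symfony security:check --format=json > symfony-audit.json || true
+
 jq --argjson ignore "$(jq '.config.audit.ignore' composer.json)" '
 .vulnerabilities
 | map(select(.cve | IN($ignore[]) | not))
 | if length > 0 then
-(error("New vulnerabilities found: " + (map(.cve) | join(", "))))
+(error("New vulnerabilities found by Symfony: " + (map(.cve) | join(", "))))
 else
 empty
 end
-' security.json
+' symfony-audit.json
+
+echo
+echo "✅ All security checks passed (ignored CVEs excluded)."
 
 -
 name: Run ECS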
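Review bot: The composer branch fails open whenever the audit exits non-zero but `FOUND` comes back empty: `.cve? // empty` on the `FOUND=` line discards any advisory that carries no `cve` value, and because the step sets `-e` without `pipefail` a jq error inside that `$(...)` pipeline (for instance if composer's JSON nests each package's advisories directly as an array, in which case the second `.advisories[]` in the path would error — I cannot confirm the schema from here) also leaves `FOUND` empty, so `DIFF` is empty, the step prints "Only ignored CVEs found" and the job goes green. Change the first line to `set -eo pipefail` and guard the empty case right after the `FOUND=` assignment: `[ -n "$FOUND" ] || { echo "composer audit exited ${AUDIT_EXIT} but no CVE ids were parsed from composer-audit.json" >&2; exit 1; }`; if composer can emit advisories without a CVE, compare on the advisory id as well rather than dropping them. The `symfony security:check ... || true` line has the same shape: when the command fails or is absent, `symfony-audit.json` is empty, the jq filter yields nothing, and the final "All security checks passed" still prints, so check that the file is non-empty (or that the command succeeded) before the jq call. The step's `run:` block is fully inside the hunk, but the enclosing `jobs:`/steps mapping starts and ends outside it, and the rendered view has dropped the YAML's leading indentation.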
