Security Scanning #328
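name: Security Scanning

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main, develop ]
  schedule:
    - cron: '0 6 * * 1'  # Weekly on Monday at 6 AM UTC
  workflow_dispatch:

# Least-privilege default for GITHUB_TOKEN: every job runs with read-only
# access unless it declares its own `permissions` block (the CodeQL job does,
# because uploading results needs `security-events: write`).
permissions:
  contents: read

env:
  NODE_VERSION: '20'

concurrency:
  group: security-${{ github.workflow }}-${{ github.ref }}
  # Only supersede in-flight runs for pull requests. A scan of a push to
  # main/develop or a scheduled run should complete even if another run starts,
  # otherwise a commit can reach the default branch without ever being scanned.
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}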
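jobs:
  dependency-check:
    name: Dependency Security Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Run npm audit
        # Policy: critical findings fail the job, high findings only warn.
        # (The PR-only dependency-review step below is stricter and fails on high.)
        run: |
          echo "Running comprehensive npm audit..."

          # Human-readable report for the log; never fails the step on its own.
          npm audit --audit-level=moderate || echo "⚠️ Moderate vulnerabilities found"

          # Machine-readable report. `npm audit --json` exits non-zero whenever it
          # finds anything, so a non-zero status does NOT mean the file is missing;
          # check the file itself instead of trusting the exit code.
          npm audit --json > audit-results.json 2>/dev/null || true
          if [ ! -s audit-results.json ]; then
            echo "Could not generate JSON audit"
            echo '{}' > audit-results.json
          fi

          # Extract counts from the report. jq is preinstalled on GitHub-hosted
          # runners; the grep fallback covers self-hosted runners without it.
          if command -v jq >/dev/null 2>&1; then
            HIGH_VULNS=$(jq -r '.metadata.vulnerabilities.high // 0' audit-results.json 2>/dev/null || echo "0")
            CRITICAL_VULNS=$(jq -r '.metadata.vulnerabilities.critical // 0' audit-results.json 2>/dev/null || echo "0")
          else
            HIGH_VULNS=$(grep -o '"high":[0-9]*' audit-results.json | head -n 1 | cut -d: -f2 || true)
            CRITICAL_VULNS=$(grep -o '"critical":[0-9]*' audit-results.json | head -n 1 | cut -d: -f2 || true)
          fi
          # Anything that is not a plain integer (empty, "null", parse error) counts as 0,
          # so the numeric comparisons below cannot error out.
          case "$HIGH_VULNS" in ''|*[!0-9]*) HIGH_VULNS=0 ;; esac
          case "$CRITICAL_VULNS" in ''|*[!0-9]*) CRITICAL_VULNS=0 ;; esac

          echo "High severity vulnerabilities: $HIGH_VULNS"
          echo "Critical severity vulnerabilities: $CRITICAL_VULNS"

          # Summary file (uploaded as an artifact below)
          {
            echo "## Security Audit Summary"
            echo "- High severity vulnerabilities: $HIGH_VULNS"
            echo "- Critical severity vulnerabilities: $CRITICAL_VULNS"
            echo "- Audit date: $(date)"
          } > audit-summary.md

          if [ "$CRITICAL_VULNS" -gt 0 ]; then
            echo "❌ Critical vulnerabilities found!"
            npm audit --audit-level=critical || true
            exit 1
          elif [ "$HIGH_VULNS" -gt 0 ]; then
            echo "⚠️ High severity vulnerabilities found!"
            npm audit --audit-level=high || true
            # Don't fail on high severity, but warn
          else
            echo "✅ No critical or high severity vulnerabilities found"
          fi

      - name: Upload audit results
        uses: actions/upload-artifact@v4
        if: always()  # keep the report even when the audit step failed
        with:
          name: security-audit-results
          path: |
            audit-results.json
            audit-summary.md
          retention-days: 30

      - name: Run dependency vulnerability scan
        uses: actions/dependency-review-action@v4
        # Needs a base/head pair to diff, so it only makes sense on pull requests.
        if: github.event_name == 'pull_request'
        with:
          fail-on-severity: high
          # Keep this list in sync with the license-checker allow-list in the
          # license-scan job below.
          allow-licenses: MIT, Apache-2.0, BSD-3-Clause, BSD-2-Clause, ISC, GPL-3.0

  codeql-analysis:
    name: CodeQL Security Analysis
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write  # required to upload results to code scanning
    strategy:
      fail-fast: false
      matrix:
        language: [ 'typescript' ]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended,security-and-quality

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Build project
        run: npm run build

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{matrix.language}}"

  secrets-scan:
    name: Secrets Detection
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so the scanner can diff base..HEAD

      - name: Run TruffleHog OSS
        # TODO(review): `@main` is a mutable ref. Pin to a release tag or a full
        # commit SHA (trufflesecurity/trufflehog@<release-tag-or-sha>) so an
        # upstream change cannot silently alter what runs with access to the repo.
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          # NOTE(review): on a push to the default branch, base and HEAD may be the
          # same commit; confirm the pinned action version handles that case.
          base: ${{ github.event.repository.default_branch }}
          head: HEAD
          # `--debug` dropped: verbose scanner logging is for local runs, not for
          # CI logs readable by everyone with access to the repository.
          extra_args: --only-verified

  license-scan:
    name: License Compliance
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Install license checker
        # TODO(review): pin to an exact version (license-checker@<x.y.z>) so a new
        # upstream release cannot change what this job executes.
        run: npm install -g license-checker

      - name: Check licenses
        run: |
          echo "Checking licenses..."
          # license-checker exits non-zero on a disallowed license. Capture the
          # status so the report is still printed and uploaded before the step fails.
          STATUS=0
          license-checker --onlyAllow 'MIT;Apache-2.0;BSD-3-Clause;BSD-2-Clause;ISC;GPL-3.0;Unlicense;CC0-1.0' --excludePrivatePackages > licenses.txt || STATUS=$?
          echo "License summary:"
          cat licenses.txt
          exit "$STATUS"

      - name: Upload license report
        uses: actions/upload-artifact@v4
        if: always()  # keep the report even when the check failed
        with:
          name: license-report
          path: licenses.txt
          retention-days: 30

  security-summary:
    name: Security Summary
    runs-on: ubuntu-latest
    permissions:
      contents: read
    needs: [dependency-check, codeql-analysis, secrets-scan, license-scan]
    if: always()  # report even when an upstream job failed or was cancelled
    steps:
      - name: Security Report Summary
        # The needs.*.result values are GitHub-controlled words (success, failure,
        # cancelled, skipped), not user input, so interpolating them into the
        # script is safe.
        run: |
          {
            echo "## 🔒 Security Scan Summary"
            echo ""
            echo "| Check | Status |"
            echo "|-------|--------|"
            echo "| Dependency Scan | ${{ needs.dependency-check.result }} |"
            echo "| CodeQL Analysis | ${{ needs.codeql-analysis.result }} |"
            echo "| Secrets Detection | ${{ needs.secrets-scan.result }} |"
            echo "| License Compliance | ${{ needs.license-scan.result }} |"
            echo ""
          } >> "$GITHUB_STEP_SUMMARY"

          # License compliance is reported but not gating here (presumably by
          # design); a cancelled or skipped scan is also not counted as a failure.
          if [[ "${{ needs.dependency-check.result }}" == "failure" || "${{ needs.codeql-analysis.result }}" == "failure" || "${{ needs.secrets-scan.result }}" == "failure" ]]; then
            echo "❌ Security scan failed! Please review the issues above." >> "$GITHUB_STEP_SUMMARY"
            exit 1
          else
            echo "✅ All security scans passed!" >> "$GITHUB_STEP_SUMMARY"
          fi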