
Commit 0f83193

authored
ci: add security scanning (CodeQL, dependency review, secret scan) (#110)
* ci: add security scanning (CodeQL, dependency review, secret scan) * ci: make dependency review non-blocking until dependency graph is enabled * ci: enable dependency review gate now that the dependency graph is on
1 parent 3d9e41a commit 0f83193

2 files changed

Lines changed: 99 additions & 0 deletions


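--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,35 @@
+name: CodeQL
+
+on:
+push:
+branches: [main]
+pull_request:
+branches: [main]
+schedule:
+- cron: '27 4 * * 1' # Mondays 04:27 UTC
+
+permissions:
+contents: read
+
+jobs:
+analyze:
+name: Analyze
+runs-on: ubuntu-latest
+permissions:
+security-events: write
+contents: read
+actions: read
+steps:
+- name: Checkout
+uses: actions/checkout@v6
+
+- name: Initialize CodeQL
+uses: github/codeql-action/init@v3
+with:
+languages: javascript-typescript
+queries: security-extended
+
+- name: Perform CodeQL analysis
+uses: github/codeql-action/analyze@v3
+with:
+category: '/language:javascript-typescript'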
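Review bot: Every action in this workflow is referenced by a floating major tag (`actions/checkout@v6`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`), so a retagged or compromised release changes what runs inside a job that holds `security-events: write`. Pinning each `uses:` to a full commit SHA with the version kept in a trailing comment, e.g. `uses: github/codeql-action/init@<commit-sha>  # v3`, makes the workflow reproducible and lets Dependabot's github-actions updates bump it deliberately. The same applies to every `uses:` line in security.yml.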

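--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -0,0 +1,64 @@
+name: Security
+
+on:
+push:
+branches: [main]
+pull_request:
+
+permissions:
+contents: read
+
+jobs:
+# Fails a PR that introduces a dependency with a high+ advisory.
+# Delta-based: gates NEW risk without tripping on pre-existing debt.
+dependency-review:
+name: Dependency Review
+if: github.event_name == 'pull_request'
+runs-on: ubuntu-latest
+steps:
+- name: Checkout
+uses: actions/checkout@v6
+
+- name: Dependency review
+uses: actions/dependency-review-action@v4
+with:
+fail-on-severity: high
+
+# Scans the diff for committed secrets. TruffleHog is used instead of
+# gitleaks-action, which requires a paid licence for organisation accounts.
+secret-scan:
+name: Secret Scan
+runs-on: ubuntu-latest
+steps:
+- name: Checkout
+uses: actions/checkout@v6
+with:
+fetch-depth: 0
+
+- name: TruffleHog
+uses: trufflesecurity/trufflehog@main
+with:
+extra_args: --results=verified,unknown
+
+# Full-tree audit. Intentionally NON-BLOCKING for now: the tree currently
+# has a pre-existing dev-only high advisory (vite/esbuild dev server).
+# Flip `continue-on-error` off once the tree is clean.
+npm-audit:
+name: npm audit (advisory)
+runs-on: ubuntu-latest
+steps:
+- name: Checkout
+uses: actions/checkout@v6
+
+- name: Setup Node
+uses: actions/setup-node@v6
+with:
+node-version: 24
+cache: npm
+
+- name: Install dependencies
+run: npm ci
+
+- name: Audit
+run: npm audit --audit-level=high
+continue-on-error: true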
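Review bot: The `secret-scan` job runs `trufflesecurity/trufflehog@main`, a moving branch ref, so any commit landing on that branch executes unreviewed in this repository's CI against a full-history checkout (`fetch-depth: 0`); pin it to a release tag or, better, a commit SHA, `uses: trufflesecurity/trufflehog@<commit-sha>  # vX.Y.Z`. The comment above the job says it scans the diff, but the step sets no `base`/`head` inputs, so what is actually compared depends on the action's defaults, which as far as I recall diff the default branch against the pushed ref and can reject equal refs on a `push` to `main`; setting them explicitly, e.g. `base: ${{ github.event.repository.default_branch }}` and `head: HEAD` for pull requests with a full-tree scan on push, makes the stated intent hold for both triggers. Separately, `node-version: 24` in `npm-audit` is an unquoted integer, which is fine for a bare major but would silently truncate a minor such as a constructed `24.10` to `24.1`, so `node-version: '24'` is the safer form.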
