Expand file tree Collapse file tree Original file line number Diff line number Diff line change 1+ name : CodeQL
2+
3+ on :
4+ push :
5+ branches : [main]
6+ pull_request :
7+ branches : [main]
8+ schedule :
9+ - cron : ' 27 4 * * 1' # Mondays 04:27 UTC
10+
11+ permissions :
12+ contents : read
13+
14+ jobs :
15+ analyze :
16+ name : Analyze
17+ runs-on : ubuntu-latest
18+ permissions :
19+ security-events : write
20+ contents : read
21+ actions : read
22+ steps :
23+ - name : Checkout
24+ uses : actions/checkout@v6
25+
26+ - name : Initialize CodeQL
27+ uses : github/codeql-action/init@v3
28+ with :
29+ languages : javascript-typescript
30+ queries : security-extended
31+
32+ - name : Perform CodeQL analysis
33+ uses : github/codeql-action/analyze@v3
34+ with :
35+ category : ' /language:javascript-typescript'
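Review bot: Every third-party action in this workflow is referenced by a mutable tag (`actions/checkout@v6`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`), so the code executed with `security-events: write` can change without any commit to this repository; the same applies to the second workflow, where `trufflesecurity/trufflehog@main` tracks a branch head rather than even a release tag. Pinning each `uses:` to a full commit SHA with the tag kept in a trailing comment (e.g. `uses: github/codeql-action/init@<full-commit-sha> # v3`) keeps the supply chain auditable, and Dependabot's `github-actions` ecosystem can keep the pins current. The leading space inside `' 27 4 * * 1'` and `' /language:javascript-typescript'` looks like a rendering artifact; if it is really present in the file, the schedule may be rejected as an invalid cron expression and the category should be `'/language:javascript-typescript'`.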
Original file line number Diff line number Diff line change 1+ name : Security
2+
3+ on :
4+ push :
5+ branches : [main]
6+ pull_request :
7+
8+ permissions :
9+ contents : read
10+
11+ jobs :
12+ # Fails a PR that introduces a dependency with a high+ advisory.
13+ # Delta-based: gates NEW risk without tripping on pre-existing debt.
14+ dependency-review :
15+ name : Dependency Review
16+ if : github.event_name == 'pull_request'
17+ runs-on : ubuntu-latest
18+ steps :
19+ - name : Checkout
20+ uses : actions/checkout@v6
21+
22+ - name : Dependency review
23+ uses : actions/dependency-review-action@v4
24+ with :
25+ fail-on-severity : high
26+
27+ # Scans the diff for committed secrets. TruffleHog is used instead of
28+ # gitleaks-action, which requires a paid licence for organisation accounts.
29+ secret-scan :
30+ name : Secret Scan
31+ runs-on : ubuntu-latest
32+ steps :
33+ - name : Checkout
34+ uses : actions/checkout@v6
35+ with :
36+ fetch-depth : 0
37+
38+ - name : TruffleHog
39+ uses : trufflesecurity/trufflehog@main
40+ with :
41+ extra_args : --results=verified,unknown
42+
43+ # Full-tree audit. Intentionally NON-BLOCKING for now: the tree currently
44+ # has a pre-existing dev-only high advisory (vite/esbuild dev server).
45+ # Flip `continue-on-error` off once the tree is clean.
46+ npm-audit :
47+ name : npm audit (advisory)
48+ runs-on : ubuntu-latest
49+ steps :
50+ - name : Checkout
51+ uses : actions/checkout@v6
52+
53+ - name : Setup Node
54+ uses : actions/setup-node@v6
55+ with :
56+ node-version : 24
57+ cache : npm
58+
59+ - name : Install dependencies
60+ run : npm ci
61+
62+ - name : Audit
63+ run : npm audit --audit-level=high
64+ continue-on-error : true
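Review bot: The `npm-audit` job runs `npm ci` before `npm audit`, which executes every dependency's install/postinstall lifecycle script on the runner even though, as far as I recall, `npm audit` only needs the lockfile; `run: npm ci --ignore-scripts` keeps the job from executing third-party code it does not use, and since nothing else in the job needs the installed tree the install step could arguably be dropped. With `continue-on-error: true` the job still reports success, so a high advisory is only visible in the step log; a short comment on the step such as `# Non-blocking until the tree is clean; check the step log` would make that explicit, and an `if: always()` summary step would surface the result in the run summary. `node-version: 24` works as an integer for setup-node, but quoting it (`'24'`) avoids any implicit-typing surprise if a minor version like `24.1` is ever added.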