ci: add security scanning (CodeQL, dependency review, secret scan)#110
Conversation
|
On it, @rubenhensen! I'm reviewing the security scanning workflows in this PR for correctness and rule-compliance, and will follow up with a consolidated review. |
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
There was a problem hiding this comment.
Dobby review — CI security-scanning PR.
Rule compliance: ran the full memory rule set (74 org rules + 3 postguard-business repo notes) against the diff — all clean, no violations. The PR title is conventional-commit compliant (ci:), it's ready-for-review from a human maintainer, and Closes #103 is present.
CI / tests: all PR checks are green on a25b53e (the earlier dependency-review red check is now fixed via continue-on-error). The npm audit --audit-level=high claim reproduces locally: exit 1 from the vite/esbuild dev-server advisory — dev-only and Windows-only, so correctly gated non-blocking.
No blocking problems. Two non-blocking notes inline (1 style, 1 nit) — neither should hold up merge.
| fetch-depth: 0 | ||
|
|
||
| - name: TruffleHog | ||
| uses: trufflesecurity/trufflehog@main |
There was a problem hiding this comment.
style: trufflesecurity/trufflehog is pinned to the mutable @main ref. In a security-hardening PR this is itself a supply-chain risk — unreviewed upstream changes would execute in CI with checkout access to the repo. Pin to a release tag or commit SHA, consistent with every other action in these two workflows (checkout@v6, dependency-review-action@v4, setup-node@v6, codeql-action/init+analyze@v3).
|
|
||
| - name: Dependency review | ||
| uses: actions/dependency-review-action@v4 | ||
| continue-on-error: true |
There was a problem hiding this comment.
nit: making dependency-review continue-on-error with the in-code TODO correctly resolves the prior red-check bug (this Security workflow failed on 2266395, passes on a25b53e) — nicely documented in the surrounding comment. Minor follow-up gap: the PR description's Follow-ups list still omits enabling the repo Dependency graph (Settings → Code security), which is the prerequisite to flip continue-on-error off later. It's captured in the workflow comment (good) but not alongside secret-scanning + branch-protection in the description's tracking list.
|
Reviewed! All 74 org rules + repo-specific notes came back clean — no violations, CI is green, conventional commit title checks out, and
Otherwise this looks ready for a human maintainer to merge. 🟢 |
Closes #103.
Adds automated security scanning to CI. Kept as standalone workflows so the existing
ci.yml(build / test / release) stays focused. These workflows run on this PR, so their first results are visible in the Checks tab.What's added
.github/workflows/codeql.yml— CodeQL SAST for JavaScript/TypeScript on PRs, pushes tomain, and a weekly schedule (security-extendedquery pack). Findings surface in the Security tab..github/workflows/security.ymlhigh+ advisory. Delta-based, so it gates new risk without tripping on pre-existing debt. Active gate (the Dependency graph has been enabled on the repo).gitleaks-action, which requires a paid licence for organisation accounts.)npm audit --audit-level=high, intentionally non-blocking (continue-on-error).Why
npm auditis non-blockingnpm auditcurrently reports 1 high advisory — a Windows-only dev-server issue invite/esbuild, which are dev dependencies and not in the runtime image. Gating on the full tree would fail CI immediately on pre-existing, low-real-risk debt. The advisory job keeps it visible; cleaning it up (npm audit fix) is better handled as its own dependency bump. Flipcontinue-on-erroroff once the tree is clean.Follow-ups (repo settings — can't be done in a PR)
vite/esbuildadvisory (npm audit fix) and flip thenpm auditjob to blocking.