ci: add security scanning (CodeQL, dependency review, secret scan) #110
Changes from 2 commits
2266395
a25b53e
6142a88
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| name: CodeQL | ||
|
|
||
| on: | ||
| push: | ||
| branches: [main] | ||
| pull_request: | ||
| branches: [main] | ||
| schedule: | ||
| - cron: '27 4 * * 1' # Mondays 04:27 UTC | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| analyze: | ||
| name: Analyze | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| security-events: write | ||
| contents: read | ||
| actions: read | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
|
|
||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@v3 | ||
| with: | ||
| languages: javascript-typescript | ||
| queries: security-extended | ||
|
|
||
| - name: Perform CodeQL analysis | ||
| uses: github/codeql-action/analyze@v3 | ||
| with: | ||
| category: '/language:javascript-typescript' |
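Review bot: every `uses:` in this workflow (`actions/checkout@v6`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`) is a floating major-version tag, so whatever the upstream tag points to at run time executes in a job that holds `security-events: write`. For a security-scanning workflow, pin each action to a full-length commit SHA with the version in a trailing comment (for example `uses: github/codeql-action/init@<sha> # v3`) and let Dependabot keep the pins current; the rest of the file (read-only top-level `permissions`, per-job elevation only where needed, explicit `category` on the analyze step) is in good shape.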
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| name: Security | ||
|
|
||
| on: | ||
| push: | ||
| branches: [main] | ||
| pull_request: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| # Flags a PR that introduces a dependency with a high+ advisory. | ||
| # Delta-based: gates NEW risk without tripping on pre-existing debt. | ||
| # | ||
| # NON-BLOCKING for now: this repo has the GitHub Dependency graph disabled, | ||
| # so the action cannot run yet. An admin must enable it under | ||
| # Settings → Code security → Dependency graph. Once enabled, remove | ||
| # `continue-on-error` below to turn this into a real gate. | ||
| dependency-review: | ||
| name: Dependency Review | ||
| if: github.event_name == 'pull_request' | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
|
|
||
| - name: Dependency review | ||
| uses: actions/dependency-review-action@v4 | ||
| continue-on-error: true | ||
| with: | ||
| fail-on-severity: high | ||
|
|
||
| # Scans the diff for committed secrets. TruffleHog is used instead of | ||
| # gitleaks-action, which requires a paid licence for organisation accounts. | ||
| secret-scan: | ||
| name: Secret Scan | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: TruffleHog | ||
| uses: trufflesecurity/trufflehog@main | ||
|
Contributor
style:
||
| with: | ||
| extra_args: --results=verified,unknown | ||
|
|
||
| # Full-tree audit. Intentionally NON-BLOCKING for now: the tree currently | ||
| # has a pre-existing dev-only high advisory (vite/esbuild dev server). | ||
| # Flip `continue-on-error` off once the tree is clean. | ||
| npm-audit: | ||
| name: npm audit (advisory) | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
|
|
||
| - name: Setup Node | ||
| uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: 24 | ||
| cache: npm | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Audit | ||
| run: npm audit --audit-level=high | ||
| continue-on-error: true | ||
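Review bot: `uses: trufflesecurity/trufflehog@main` in the secret-scan job is a mutable branch reference, so the scanner that gets handed the full clone (`fetch-depth: 0`) is replaced by whatever lands on upstream `main` at each run; pin it to a release tag or, preferably, a full commit SHA, since the other actions in this file at least pin to a major version. Two smaller points in the same hunk: the npm-audit job runs `npm ci`, which executes the dependency tree's lifecycle scripts on every push and pull request even though `npm audit` only needs the lockfile, so `npm ci --ignore-scripts` would reduce what untrusted packages can do on the runner; and while both `continue-on-error: true` guards are well explained in the comments, a high-severity finding from Dependency Review or `npm audit` will only be visible to someone who opens the job log, so it is worth tracking the two flips (enable the Dependency graph, clean the dev-only advisory) somewhere outside the workflow file.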
nit: making dependency-review `continue-on-error` with the in-code TODO correctly resolves the prior red-check bug (this Security workflow failed on 2266395, passes on a25b53e) — nicely documented in the surrounding comment. Minor follow-up gap: the PR description's Follow-ups list still omits enabling the repo Dependency graph (Settings → Code security), which is the prerequisite to flip `continue-on-error` off later. It's captured in the workflow comment (good) but not alongside secret-scanning + branch-protection in the description's tracking list.