
chore(deps): bump actions/attest-build-provenance from 3.1.0 to 3.2.0 #457

chore(deps): bump actions/attest-build-provenance from 3.1.0 to 3.2.0



---
# Static-analysis workflow: dependency vulnerabilities (Trivy SCA), licence
# scan (Trivy), lockfile lint, CodeQL and semgrep. Triggered by every pull
# request, by a weekly cron and on demand.
name: 'Test (sast)'

on:
  pull_request:
  schedule:
    - cron: '43 3 * * 5'  # weekly, Friday 03:43 UTC
  workflow_dispatch:

env:
  NODE_VERSION: '24.x'

# Read-only token for every job unless a job widens it (CodeQL does).
permissions:
  contents: read

jobs:
  # https://github.com/aquasecurity/trivy-action
  trivy-vuln:
    name: 'Trivy: SCA'
    if: (github.actor != 'dependabot[bot]')
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        # NOTE(review): actions/checkout stores the job token in .git/config by
        # default; `persist-credentials: false` would keep it away from later
        # steps — confirm no later step relies on authenticated git first.
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Trivy
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
        with:
          scanners: vuln
          scan-type: fs
          scan-ref: package-lock.json
          hide-progress: true
          ignore-unfixed: true  # only report findings that have a fixed version
          exit-code: 1  # findings fail the job
          format: github

  trivy-license:
    name: 'Trivy: Licensing'
    if: (github.actor != 'dependabot[bot]')
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: 'Setup Node.js ${{ env.NODE_VERSION }}'
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version: '${{ env.NODE_VERSION }}'
          registry-url: https://registry.npmjs.org
      - name: Install dependencies
        # --ignore-scripts: install the tree to be scanned without running
        # package lifecycle scripts from it.
        run: |
          npm ci --ignore-scripts
      - name: Trivy
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
        with:
          scanners: license
          scan-type: fs
          scan-ref: .
          hide-progress: true
          exit-code: 0  # informational only; licence findings never fail the job
          format: table

  # https://github.com/oss-review-toolkit/ort-ci-github-action
  # Kept disabled; re-enable by uncommenting.
  # ort:
  #   name: "OSS Review Toolkit: Licensing"
  #   runs-on: ubuntu-latest
  #   if: (github.actor != 'dependabot[bot]')
  #   steps:
  #     - name: Checkout repository
  #       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  #     - name: OSS Review Toolkit (ORT)
  #       uses: oss-review-toolkit/ort-ci-github-action@1805edcf1f4f55f35ae6e4d2d9795ccfb29b6021 # 1.1.0
  #       with:
  #         allow-dynamic-versions: "true"
  #         ort-cli-args: "-P ort.analyzer.enabledPackageManagers=NPM"
  #         fail-on: "violations"

  lockfile:
    name: 'lockfile-lint: SAST package-lock.json'
    if: (github.actor != 'dependabot[bot]')
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: 'Setup Node.js ${{ env.NODE_VERSION }}'
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version: '${{ env.NODE_VERSION }}'
          registry-url: https://registry.npmjs.org
      - name: Install dependencies
        # Only the .github workspace is installed here (it provides
        # lockfile-lint); lifecycle scripts stay disabled.
        run: |
          npm ci --ignore-scripts --workspace .github
      - name: lockfile-lint
        # Rejects lockfile entries that resolve to hosts other than the npm
        # registry or that use non-HTTPS URLs.
        run: |
          ./node_modules/.bin/lockfile-lint --path package-lock.json --type npm --allowed-hosts npm --validate-https

  # https://github.com/github/codeql-action
  codeql:
    name: 'CodeQL: SAST'
    runs-on: ubuntu-latest
    # security-events: write is required to upload the SARIF results.
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language:
          - javascript
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Initialize CodeQL
        uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        with:
          languages: '${{ matrix.language }}'
          queries: '+security-and-quality'
      - name: Autobuild
        uses: github/codeql-action/autobuild@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        with:
          category: '/language:${{ matrix.language }}'

  # https://semgrep.dev/docs/semgrep-ci/sample-ci-configs/#github-actions
  semgrep:
    name: 'semgrep: SAST'
    if: (github.actor != 'dependabot[bot]')
    runs-on: ubuntu-latest
    container:
      # https://hub.docker.com/r/semgrep/semgrep/tags
      # NOTE(review): every action above is pinned to a commit SHA, but this
      # image is referenced by a mutable tag. Pinning it by digest
      # (`semgrep/semgrep:1.111.0@sha256:<DIGEST>`, digest not on this page)
      # would give the same guarantee.
      image: semgrep/semgrep:1.111.0
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: semgrep
        run: semgrep ci