chore(deps-dev): bump @secretlint/secretlint-rule-preset-recommend from 12.0.0 to 13.0.2 #3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| - master | |
| workflow_dispatch: | |
| schedule: | |
| - cron: "23 3 * * 1" | |
| permissions: | |
| contents: read | |
| jobs: | |
| codeql: | |
| name: CodeQL SAST | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: 检出代码 | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| - name: 初始化 CodeQL | |
| uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 | |
| with: | |
| languages: javascript-typescript | |
| queries: security-extended,security-and-quality | |
| - name: 构建 | |
| run: npm ci && npm run build | |
| - name: 分析 | |
| uses: github/codeql-action/analyze@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 | |
| with: | |
| category: "/language:javascript-typescript" | |
| semgrep: | |
| name: Semgrep SAST | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: 检出代码 | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| - name: 安装 Semgrep | |
| run: python3 -m pip install --disable-pip-version-check semgrep==1.155.0 | |
| - name: 扫描 | |
| run: | | |
| semgrep \ | |
| --config p/ci \ | |
| --error \ | |
| --exclude node_modules \ | |
| --exclude dist \ | |
| --exclude .git \ | |
| --exclude output \ | |
| --exclude tmp \ | |
| . | |
| sca: | |
| name: SCA | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: 检出代码 | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| - name: 安装 Node.js | |
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 | |
| with: | |
| node-version: "22" | |
| cache: npm | |
| - name: 安装依赖 | |
| run: npm ci | |
| - name: npm audit | |
| run: npm run security:sca | |
| - name: OSV Scanner | |
| uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8 | |
| with: | |
| scan-args: |- | |
| --lockfile=package-lock.json | |
| secrets: | |
| name: Secret scan | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: 检出代码 | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| - name: 安装 Node.js | |
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 | |
| with: | |
| node-version: "22" | |
| cache: npm | |
| - name: 安装依赖 | |
| run: npm ci | |
| - name: 扫描 | |
| run: npm run security:secrets | |
| policy: | |
| name: Repository policy | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: 检出代码 | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| - name: 安装 Node.js | |
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 | |
| with: | |
| node-version: "22" | |
| cache: npm | |
| - name: 安装依赖 | |
| run: npm ci | |
| - name: 安全规范检查 | |
| run: npm run security:gates |