Skip to content

Security

Security #15

Workflow file for this run

name: Security
on:
pull_request:
push:
branches:
- main
- master
workflow_dispatch:
schedule:
- cron: "23 3 * * 1"
permissions:
contents: read
jobs:
codeql:
name: CodeQL SAST
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: 检出代码
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: 初始化 CodeQL
uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3
with:
languages: javascript-typescript
queries: security-extended,security-and-quality
- name: 构建
run: npm ci && npm run build
- name: 分析
uses: github/codeql-action/analyze@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3
with:
category: "/language:javascript-typescript"
semgrep:
name: Semgrep SAST
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: 检出代码
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: 安装 Semgrep
run: python3 -m pip install --disable-pip-version-check semgrep==1.155.0
- name: 扫描
run: |
semgrep \
--config p/ci \
--error \
--exclude node_modules \
--exclude dist \
--exclude .git \
--exclude output \
--exclude tmp \
.
sca:
name: SCA
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: 检出代码
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: 安装 Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: "22"
cache: npm
- name: 安装依赖
run: npm ci
- name: npm audit
run: npm run security:sca
- name: OSV Scanner
uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
with:
scan-args: |-
--lockfile=package-lock.json
secrets:
name: Secret scan
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: 检出代码
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: 安装 Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: "22"
cache: npm
- name: 安装依赖
run: npm ci
- name: 扫描
run: npm run security:secrets
policy:
name: Repository policy
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: 检出代码
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: 安装 Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: "22"
cache: npm
- name: 安装依赖
run: npm ci
- name: 安全规范检查
run: npm run security:gates