-
Notifications
You must be signed in to change notification settings - Fork 0
132 lines (110 loc) · 3.16 KB
/
Copy pathsecurity.yml
File metadata and controls
132 lines (110 loc) · 3.16 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
name: Security
on:
pull_request:
push:
branches:
- main
- master
workflow_dispatch:
schedule:
- cron: "23 3 * * 1"
permissions:
contents: read
jobs:
codeql:
name: CodeQL SAST
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: 检出代码
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: 初始化 CodeQL
uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3
with:
languages: javascript-typescript
queries: security-extended,security-and-quality
- name: 构建
run: npm ci && npm run build
- name: 分析
uses: github/codeql-action/analyze@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3
with:
category: "/language:javascript-typescript"
semgrep:
name: Semgrep SAST
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: 检出代码
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: 安装 Semgrep
run: python3 -m pip install --disable-pip-version-check semgrep==1.155.0
- name: 扫描
run: |
semgrep \
--config p/ci \
--error \
--exclude node_modules \
--exclude dist \
--exclude .git \
--exclude output \
--exclude tmp \
.
sca:
name: SCA
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: 检出代码
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: 安装 Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: "22"
cache: npm
- name: 安装依赖
run: npm ci
- name: npm audit
run: npm run security:sca
- name: OSV Scanner
uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
with:
scan-args: |-
--lockfile=package-lock.json
secrets:
name: Secret scan
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: 检出代码
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: 安装 Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: "22"
cache: npm
- name: 安装依赖
run: npm ci
- name: 扫描
run: npm run security:secrets
policy:
name: Repository policy
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: 检出代码
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: 安装 Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: "22"
cache: npm
- name: 安装依赖
run: npm ci
- name: 安全规范检查
run: npm run security:gates