name: Security on: push: branches: [main] paths: - "package.json" pull_request: paths: - "package.json" schedule: # Runs every Monday morning PST - cron: "17 15 * * 1" # Cancel in-progress runs for pull requests when developers push # additional changes, and serialize builds in branches. # https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.event_name == 'pull_request' }} jobs: audit-ci: name: Audit node modules runs-on: ubuntu-latest timeout-minutes: 15 steps: - name: Checkout repo uses: actions/checkout@v3 with: fetch-depth: 0 - name: Install Node.js v16 uses: actions/setup-node@v3 with: node-version: "16" - name: Fetch dependencies from cache id: cache-yarn uses: actions/cache@v3 with: path: "**/node_modules" key: yarn-build-${{ hashFiles('**/yarn.lock') }} restore-keys: | yarn-build- - name: Install dependencies if: steps.cache-yarn.outputs.cache-hit != 'true' run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile - name: Audit for vulnerabilities run: yarn _audit if: success() trivy-scan-repo: name: Scan repo with Trivy permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-20.04 steps: - name: Checkout repo uses: actions/checkout@v3 with: fetch-depth: 0 - name: Run Trivy vulnerability scanner in repo mode uses: aquasecurity/trivy-action@cff3e9a7f62c41dd51975266d0ae235709e39c41 with: scan-type: "fs" scan-ref: "." ignore-unfixed: true format: "template" template: "@/contrib/sarif.tpl" output: "trivy-repo-results.sarif" severity: "HIGH,CRITICAL" - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 with: sarif_file: "trivy-repo-results.sarif" codeql-analyze: permissions: actions: read # for github/codeql-action/init to get workflow details contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/autobuild to send a status report name: Analyze with CodeQL runs-on: ubuntu-20.04 steps: - name: Checkout repository uses: actions/checkout@v3 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@v2 with: config-file: ./.github/codeql-config.yml languages: javascript - name: Autobuild uses: github/codeql-action/autobuild@v2 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2