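# Dependency vulnerability audit for a Yarn (v1) project.
#
# On every pull request (and on demand) the job runs `yarn audit`, turns the
# JSON output into a markdown summary, renders one SVG badge per severity,
# commits the badges/README update back to the PR branch and posts the summary
# as a sticky PR comment.
#
# Notes for maintainers:
# - The job holds `contents: write` and `pull-requests: write` because the
#   commit and comment steps need them. `yarn install` therefore runs with
#   `--ignore-scripts`, so dependency lifecycle scripts introduced by the PR
#   are never executed under a token that can push to the repository.
# - For pull requests from forks GITHUB_TOKEN is read-only; the commit and
#   comment steps will fail there, the audit and summary steps still run.
# - Third-party actions are referenced by major-version tag. Pinning each
#   `uses:` to a full commit SHA (`owner/repo@<commit-sha>  # vN`) is the
#   stronger supply-chain control; no SHAs are on record here, so tags stay.
name: Dependency Vulnerability Audit

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  yarn-audit:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # git-auto-commit-action pushes to the PR branch
      pull-requests: write   # sticky-pull-request-comment posts the summary
    steps:
      - uses: actions/checkout@v4
        with:
          # On pull_request the default checkout is the detached merge ref,
          # which git-auto-commit-action cannot push from; check out the PR
          # head branch instead. On workflow_dispatch github.head_ref is empty
          # and checkout presumably falls back to its default ref — confirm.
          ref: ${{ github.head_ref }}

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20.x'
          cache: 'yarn'

      - name: Install dependencies with Yarn
        # --ignore-scripts: this job only audits, so no preinstall/postinstall
        # scripts from the PR's dependency tree run under the write token.
        run: yarn install --frozen-lockfile --ignore-scripts

      - name: Run Yarn Audit
        # yarn audit exits non-zero whenever it finds advisories; the report is
        # still wanted, so the exit status is ignored and the JSON is parsed.
        run: yarn audit --json > audit-results.json || true

      - name: Parse audit and generate markdown report
        id: summary
        run: |
          # audit-results.json holds one JSON object per line; the
          # "auditAdvisory" records carry the advisory details.
          severities() {
            jq -r 'select(.type == "auditAdvisory") | .data.advisory.severity' audit-results.json
          }
          # grep -cx matches whole lines only and always prints a count (0 and
          # exit status 1 when nothing matches, hence `|| true` under set -e).
          critical=$(severities | grep -cx 'critical' || true)
          high=$(severities | grep -cx 'high' || true)
          moderate=$(severities | grep -cx 'moderate' || true)
          low=$(severities | grep -cx 'low' || true)

          {
            echo "### 🛡️ Yarn Audit Summary"
            echo "- **Critical**: $critical"
            echo "- **High**: $high"
            echo "- **Moderate**: $moderate"
            echo "- **Low**: $low"
            echo ""
            echo "### 🔍 Vulnerabilidades encontradas"
            echo ""
            echo "| Paquete | Severidad | Vía | Recomendación | Advisory |"
            echo "|---------|-----------|-----|----------------|----------|"
            # Advisory text is rendered verbatim into the markdown table; a
            # literal "|" in a recommendation would break the row layout.
            jq -r '
              select(.type == "auditAdvisory")
              | [.data.advisory.module_name, .data.advisory.severity, (.data.advisory.findings[0].paths[0] // "N/A"), (.data.advisory.recommendation // "N/A"), (.data.advisory.url // "N/A")]
              | @tsv
            ' audit-results.json | while IFS=$'\t' read -r name severity path recommendation url; do
              echo "| \`$name\` | $severity | \`$path\` | $recommendation | [Link]($url) |"
            done
            echo ""
            echo "🧪 Ejecuta \`yarn audit\` localmente para más detalles."
          } > audit-summary.md

          {
            echo "critical=$critical"
            echo "high=$high"
            echo "moderate=$moderate"
            echo "low=$low"
          } >> "$GITHUB_OUTPUT"

      - name: Ensure badge directory exists
        run: mkdir -p .github/badges

      - name: Badge - Critical
        uses: emibcn/badge-action@v2
        with:
          label: Críticas
          status: ${{ steps.summary.outputs.critical }}
          color: red
          path: .github/badges/security-critical.svg

      - name: Badge - High
        uses: emibcn/badge-action@v2
        with:
          label: Altas
          status: ${{ steps.summary.outputs.high }}
          color: orange
          path: .github/badges/security-high.svg

      - name: Badge - Moderate
        uses: emibcn/badge-action@v2
        with:
          label: Moderadas
          status: ${{ steps.summary.outputs.moderate }}
          color: yellow
          path: .github/badges/security-moderate.svg

      - name: Badge - Low
        uses: emibcn/badge-action@v2
        with:
          label: Bajas
          status: ${{ steps.summary.outputs.low }}
          color: green
          path: .github/badges/security-low.svg

      - name: Update README.md with security badges
        # Replaces (or appends) the block between the two HTML markers with
        # the badge links. The links point at audit-summary.md, so that file
        # must be committed alongside the badges (see file_pattern below).
        run: |
          start_marker="<!-- security-badges:start -->"
          end_marker="<!-- security-badges:end -->"
          # NOTE(review): the link text below is empty, which looks like the
          # badge image markup was lost — confirm the intended markdown.
          badges="[](audit-summary.md) [](audit-summary.md) [](audit-summary.md) [](audit-summary.md)"
          if ! grep -q "$start_marker" README.md; then
            # printf instead of echo -e: the marker/badge text is emitted
            # literally even if it ever contains backslashes.
            printf '\n%s\n%s\n%s\n' "$start_marker" "$badges" "$end_marker" >> README.md
          else
            sed -i "/$start_marker/,/$end_marker/c\\$start_marker\n$badges\n$end_marker" README.md
          fi

      - name: Check for changes (only on PR, skip on act)
        id: git_diff
        if: github.event_name == 'pull_request'
        run: |
          if [ "${ACT}" = "true" ]; then
            echo "Running locally with act - skipping git diff and commit."
            echo "changes=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # git status rather than git diff: badge SVGs created for the first
          # time are untracked and would otherwise not count as a change.
          if [ -n "$(git status --porcelain -- README.md audit-summary.md .github/badges)" ]; then
            echo "changes=true" >> "$GITHUB_OUTPUT"
          else
            echo "changes=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Commit and push changes if any (only on PR, not in act)
        if: github.event_name == 'pull_request' && steps.git_diff.outputs.changes == 'true' && env.ACT != 'true'
        uses: stefanzweifel/git-auto-commit-action@v5
        with:
          commit_message: 'chore: update security badges in README'
          # Only the generated files; the action's default pattern (.) would
          # also commit the raw audit-results.json and anything else the job
          # left in the workspace.
          file_pattern: 'README.md audit-summary.md .github/badges/*.svg'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Comment audit summary on PR
        # There is no pull request to comment on for workflow_dispatch runs.
        if: github.event_name == 'pull_request'
        uses: marocchino/sticky-pull-request-comment@v2
        with:
          path: audit-summary.md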