|
38 | 38 | if: always() |
39 | 39 | uses: davelosert/vitest-coverage-report-action@v2 |
40 | 40 |
|
41 | | -# semgrep_scan: |
42 | | -# name: semgrep/ci |
43 | | -# runs-on: ubuntu-latest |
44 | | -# container: |
45 | | -# image: returntocorp/semgrep |
46 | | -# # Skip any PR created by dependabot to avoid permission issues: |
47 | | -# if: (github.actor != 'dependabot[bot]') |
48 | | -# permissions: |
49 | | -# security-events: write |
50 | | -# actions: read |
51 | | -# contents: read |
52 | | -# steps: |
53 | | -# - name: Checkout repository |
54 | | -# uses: actions/checkout@v4 |
55 | | -# |
56 | | -# - name: Perform Semgrep Analysis (fails on findings) |
57 | | -# run: semgrep scan -q --error --config auto --sarif -o semgrep-results.sarif . |
58 | | -# |
59 | | -# - name: Save SARIF results as artifact |
60 | | -# uses: actions/upload-artifact@v4 |
61 | | -# with: |
62 | | -# name: semgrep-scan-results |
63 | | -# path: semgrep-results.sarif |
64 | | -# |
65 | | -# - name: Upload SARIF result to the GitHub Security Dashboard |
66 | | -# if: always() && hashFiles('semgrep-results.sarif') != '' |
67 | | -# uses: github/codeql-action/upload-sarif@v3 |
68 | | -# with: |
69 | | -# sarif_file: semgrep-results.sarif |
70 | | - |
71 | 41 | gitleaks_scan: |
72 | 42 | name: Gitleaks Secret Scan |
73 | 43 | runs-on: ubuntu-latest |
@@ -118,51 +88,6 @@ jobs: |
118 | 88 | - name: Audit dependencies (high severity and above) |
119 | 89 | run: npx --yes audit-ci --package-manager yarn --severity high |
120 | 90 |
|
121 | | -# codeql_sast: |
122 | | -# name: CodeQL SAST |
123 | | -# runs-on: ubuntu-latest |
124 | | -# steps: |
125 | | -# - name: Checkout repository |
126 | | -# uses: actions/checkout@v4 |
127 | | -# |
128 | | -# - name: Initialize CodeQL |
129 | | -# uses: github/codeql-action/init@v3 |
130 | | -# with: |
131 | | -# languages: javascript-typescript |
132 | | -# queries: security-extended,security-and-quality |
133 | | -# |
134 | | -# - name: Autobuild |
135 | | -# uses: github/codeql-action/autobuild@v3 |
136 | | -# |
137 | | -# - name: Perform CodeQL Analysis (generate SARIF) |
138 | | -# uses: github/codeql-action/analyze@v3 |
139 | | -# with: |
140 | | -# output: codeql-results |
141 | | -# upload: true |
142 | | -# wait-for-processing: true |
143 | | -# |
144 | | -# - name: Upload CodeQL SARIF as artifact |
145 | | -# if: always() |
146 | | -# uses: actions/upload-artifact@v4 |
147 | | -# with: |
148 | | -# name: codeql-scan-results |
149 | | -# path: codeql-results/*.sarif |
150 | | -# |
151 | | -# - name: Fail if CodeQL alerts found |
152 | | -# run: | |
153 | | -# set -euo pipefail |
154 | | -# files=(codeql-results/*.sarif) |
155 | | -# if [ ${#files[@]} -eq 0 ]; then |
156 | | -# echo "No SARIF files found in codeql-results; skipping fail check." |
157 | | -# exit 0 |
158 | | -# fi |
159 | | -# total=$(jq '[.runs[].results | length] | add // 0' ${files[@]}) |
160 | | -# echo "CodeQL alerts: $total" |
161 | | -# if [ "$total" -gt 0 ]; then |
162 | | -# echo "Failing due to CodeQL alerts." |
163 | | -# exit 1 |
164 | | -# fi |
165 | | - |
166 | 91 | clamav_malware_scan: |
167 | 92 | name: ClamAV Malware Scan |
168 | 93 | runs-on: ubuntu-latest |