Skip to content
Security

chore(docs-deps): bump @docusaurus/preset-classic from 3.5.2 to 3.9.2 in /docs #323

Sign in to view logs

chore(docs-deps): bump @docusaurus/preset-classic from 3.5.2 to 3.9.2 in /docs

chore(docs-deps): bump @docusaurus/preset-classic from 3.5.2 to 3.9.2 in /docs #323

Workflow file for this run

.github/workflows/security.yml at b28f7a0
name: Security
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
schedule:
- cron: '0 0 * * 1' # Weekly on Monday
permissions:
actions: read
contents: read
security-events: write
jobs:
codeql:
name: CodeQL Analysis
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
language: ['javascript']
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: 20.x
- name: Enable Corepack
run: corepack enable
- name: Setup Yarn version
run: corepack prepare [email protected] --activate
- name: Install dependencies
run: yarn install --immutable
- name: Build project
run: yarn build
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
dependency-review:
name: Dependency Review
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v4
with:
fail-on-severity: moderate
allow-licenses: MIT, ISC, Apache-2.0, BSD-3-Clause, BSD-2-Clause
security-audit:
name: Security Audit
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: 20.x
- name: Enable Corepack
run: corepack enable
- name: Setup Yarn version
run: corepack prepare [email protected] --activate
- name: Install dependencies
run: yarn install --immutable
- name: Run security audit (Production dependencies)
run: |
echo "Running security audit for production dependencies..."
yarn npm audit --all --environment production --json > audit-prod.json || true
- name: Run security audit (All dependencies)
run: |
echo "Running security audit for all dependencies..."
yarn npm audit --all --json > audit-all.json || true
- name: Run security audit (All workspaces - comprehensive)
run: |
echo "Running comprehensive security audit..."
yarn npm audit --all --severity moderate --json > audit-comprehensive.json || true
- name: Process audit results
run: |
echo "=== Production Dependencies Audit ==="
if [ -f "audit-prod.json" ]; then
PROD_CRITICAL=$(cat audit-prod.json | jq -r '.metadata.vulnerabilities.critical // 0')
PROD_HIGH=$(cat audit-prod.json | jq -r '.metadata.vulnerabilities.high // 0')
PROD_MODERATE=$(cat audit-prod.json | jq -r '.metadata.vulnerabilities.moderate // 0')
echo "Critical: $PROD_CRITICAL, High: $PROD_HIGH, Moderate: $PROD_MODERATE"
fi
echo "=== All Dependencies Audit ==="
if [ -f "audit-all.json" ]; then
ALL_CRITICAL=$(cat audit-all.json | jq -r '.metadata.vulnerabilities.critical // 0')
ALL_HIGH=$(cat audit-all.json | jq -r '.metadata.vulnerabilities.high // 0')
ALL_MODERATE=$(cat audit-all.json | jq -r '.metadata.vulnerabilities.moderate // 0')
echo "Critical: $ALL_CRITICAL, High: $ALL_HIGH, Moderate: $ALL_MODERATE"
fi
echo "=== Comprehensive Security Audit ==="
if [ -f "audit-comprehensive.json" ]; then
COMPREHENSIVE_CRITICAL=$(cat audit-comprehensive.json | jq -r '.metadata.vulnerabilities.critical // 0')
COMPREHENSIVE_HIGH=$(cat audit-comprehensive.json | jq -r '.metadata.vulnerabilities.high // 0')
COMPREHENSIVE_MODERATE=$(cat audit-comprehensive.json | jq -r '.metadata.vulnerabilities.moderate // 0')
echo "Critical: $COMPREHENSIVE_CRITICAL, High: $COMPREHENSIVE_HIGH, Moderate: $COMPREHENSIVE_MODERATE"
fi
- name: Check for critical vulnerabilities
run: |
# Fail if any critical vulnerabilities found in production dependencies
if [ -f "audit-prod.json" ]; then
CRITICAL_COUNT=$(cat audit-prod.json | jq -r '.metadata.vulnerabilities.critical // 0')
if [ "$CRITICAL_COUNT" -gt 0 ]; then
echo "❌ Found $CRITICAL_COUNT critical vulnerabilities in production dependencies!"
echo "Production audit details:"
cat audit-prod.json | jq -r '.advisories // {}'
exit 1
else
echo "✅ No critical vulnerabilities found in production dependencies"
fi
fi
- name: Upload audit results
uses: actions/upload-artifact@v4
if: always()
with:
name: security-audit-results
path: |
audit-*.json
retention-days: 30
license-check:
name: License Compliance
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: 20.x
- name: Enable Corepack
run: corepack enable
- name: Setup Yarn version
run: corepack prepare [email protected] --activate
- name: Install dependencies
run: yarn install --immutable
- name: Check licenses
run: |
echo "Checking license compliance..."
yarn dlx license-checker --summary --onlyAllow "MIT;ISC;Apache-2.0;BSD-3-Clause;BSD-2-Clause;CC0-1.0;Unlicense" || true
secrets-scan:
name: Secrets Scanning
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'