35 changes: 28 additions & 7 deletions .circleci/config.yml
@@ -1,11 +1,32 @@
# CircleCI configuration using the mojaloop/build orb
# This streamlined config uses the mojaloop/build orb for standardized CI/CD workflows
#
# The orb automatically handles:
# - PR title checking
# - Dependency installation and caching
# - Linting
# - Unit, integration, and functional testing
# - Vulnerability checking (npm audit)
# - License scanning
# - Grype security scanning (source code scanning for this library)
# - Automated releases to npm and GitHub
# - Slack notifications
#
# To enable this configuration:
# 1. Go to CircleCI project settings → Advanced
# 2. Ensure "Enable dynamic config using setup workflows" is enabled

version: 2.1
setup: true

orbs:
build: mojaloop/build@1.0.64
build: mojaloop/build@1.1.6

workflows:
setup:
jobs:
- build/workflow:
filters:
tags:
only: /v\d+(\.\d+){2}(-[a-zA-Z-][0-9a-zA-Z-]*\.\d+)?/
setup:
jobs:
- build/workflow:
context: org-global
filters:
tags:
only: /v\d+(\.\d+){2}(-[a-zA-Z-][0-9a-zA-Z-]*\.\d+)?/
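Review bot: adding `context: org-global` to `build/workflow` exposes every secret stored in that shared context to this workflow, and because the filter only restricts tags (there is no `branches` filter) the workflow also runs for every branch push. Before merging, confirm in the CircleCI project settings that "Pass secrets to builds from forked pull requests" is disabled so fork PRs cannot read the context, and check which orb jobs actually need it (the header comment lists npm and GitHub releases; the lint/test jobs should not need release credentials). Pinning the orb to the exact `1.1.6` rather than a floating tag is the right choice for reproducibility; it would help to note in the header comment why the context was added so the next reader does not have to guess.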
46 changes: 36 additions & 10 deletions .grype.yaml
@@ -1,14 +1,40 @@
disabled: true
# Grype vulnerability scanning configuration for sdk-standard-components
# This is a library project without Docker images, so we use source scanning
scan-type: source

# Enable vulnerability scanning
disabled: false

# Vulnerability ignore rules
# Add specific CVEs here if they are false positives or acceptable risks
ignore:
# Example format for ignoring specific vulnerabilities:
# - vulnerability: "CVE-2023-xxxxx"
# reason: "False positive in dev dependency that doesn't affect production"
# - vulnerability: "GHSA-xxxx-xxxx-xxxx"
# package:
# name: "package-name"
# version: "1.0.0"
# reason: "Not exploitable in our usage context"

# Set output format defaults
# Output formats for scan results
output:
- "table"
- "json"

# Modify your CircleCI job to check critical count
search:
scope: "squashed"
quiet: false
check-for-app-update: false
- "table" # Human-readable table format
- "json" # Machine-readable JSON for further processing

# Grype configuration options
quiet: false # Show progress and status messages
check-for-app-update: false # Don't check for Grype updates during CI
only-fixed: false # Show all vulnerabilities, not just those with fixes
add-cpes-if-none: false # Don't add CPEs if none are found
by-cve: false # Group by vulnerability rather than CVE

# Database settings
db:
auto-update: true # Auto-update the vulnerability database
validate-age: true # Validate the age of the vulnerability database
max-allowed-built-age: 120h # Maximum age of the vulnerability database (5 days)

# Severity thresholds (handled by the orb, but documented here for clarity)
# The build will fail on Critical, High, or Medium severity vulnerabilities
# Low and Negligible severities are reported but won't fail the build
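Review bot: `scan-type` and `disabled` are not among Grype's own documented configuration keys, so whether they have any effect depends entirely on the mojaloop/build orb reading them from `.grype.yaml`; confirm that orb 1.1.6 (as pinned in `.circleci/config.yml`) does, otherwise `disabled: false` is a no-op and a skipped scan would not be noticed. The severity policy is only stated in the trailing comment ("fail on Critical, High, or Medium"); adding `fail-on-severity: medium` to this file would make Grype enforce the same threshold when run locally, instead of relying on the orb alone. Finally, the `ignore:` key is left with no entries (only commented examples); that is fine, but it would be worth requiring a `reason` on every future entry, as the examples already show, so exceptions are reviewable.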
4 changes: 4 additions & 0 deletions README.md
@@ -8,6 +8,10 @@

This package contains a set of components that encode standard practices for enabling the following features of a DFSP to Mojaloop switch interface:

## CI/CD

This repository uses the [mojaloop/build](https://github.com/mojaloop/ci-config-orb-build) CircleCI orb for standardized CI/CD workflows, including automated Grype vulnerability scanning for source code security.

## Usage

```
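Review bot: the new "CI/CD" section is inserted directly after the sentence "encode standard practices for enabling the following features of a DFSP to Mojaloop switch interface:", which ends in a colon and expects the feature list to follow, so the section now interrupts that sentence; move it below "Usage" or to the end of the file. It would also help contributors to say what a failing scan means in practice, i.e. the severity threshold that blocks the build and that ignore rules live in `.grype.yaml`, since this PR introduces both.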
121 changes: 78 additions & 43 deletions package-lock.json
10 changes: 5 additions & 5 deletions package.json
Expand Up @@ -43,8 +43,8 @@
}
],
"dependencies": {
"@mojaloop/central-services-logger": "11.9.3",
"@mojaloop/ml-number": "^11.3.0",
"@mojaloop/central-services-logger": "11.10.1",
"@mojaloop/ml-number": "^11.4.0",
"@mojaloop/ml-schema-transformer-lib": "2.7.8",
"axios": "1.12.2",
"axios-retry": "4.5.0",
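Review bot: `@mojaloop/ml-number` keeps a caret range (`^11.4.0`) while the neighbouring `@mojaloop/central-services-logger` (`11.10.1`), `@mojaloop/ml-schema-transformer-lib` and `axios` are pinned exactly; with Grype scanning now gating the build, a floating range means the scanned dependency tree is decided by `package-lock.json` rather than by this file, and the two can drift on the next `npm install`. Suggest pinning it to `11.4.0` for consistency, or documenting why this one dependency is allowed to float.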
@@ -72,9 +72,9 @@
"yargs-parser": "21.1.1"
},
"devDependencies": {
"@mojaloop/api-snippets": "18.1.1",
"@mojaloop/api-snippets": "18.2.0",
"@types/jest": "30.0.0",
"@types/node": "24.5.0",
"@types/node": "24.5.2",
"audit-ci": "7.1.0",
"axios-mock-adapter": "2.1.0",
"eslint": "8.57.0",
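Review bot: `@mojaloop/api-snippets` moves a minor version (18.1.1 to 18.2.0), which can change the API definitions this library's tests validate against, yet no test or source changes appear in this diff; confirm the functional tests were run against the new snippets and call the bump out in the commit message, since unlike the patch-level `@types/node` change (24.5.0 to 24.5.2) it is not a drop-in update.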
@@ -83,7 +83,7 @@
"jest": "30.1.3",
"jest-junit": "16.0.0",
"nock": "14.0.10",
"npm-check-updates": "18.1.1",
"npm-check-updates": "18.3.0",
"pre-commit": "1.2.2",
"replace": "1.2.2",
"standard-version": "9.5.0",
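Review bot: the `package-lock.json` delta (121 lines) is collapsed in this view, so the devDependency bumps in this hunk cannot be checked against it here; before merging, run `npm ci` on the branch to confirm the lockfile is in sync with these versions and that no unrelated transitive packages changed, because the lockfile is what the Grype source scan will actually evaluate.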