chore(deps-dev): bump the development group across 1 directory with 6 updates #219
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Scanning | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| schedule: | |
| # Run security scan weekly on Monday at 9am UTC | |
| - cron: "0 9 * * 1" | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| security-events: write | |
| jobs: | |
| npm-audit: | |
| name: NPM Audit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 | |
| with: | |
| node-version: 20 | |
| cache: "npm" | |
| - name: Run npm audit | |
| run: | | |
| npm audit --production --audit-level=moderate || true | |
| osv-scanner: | |
| name: OSV Scanner | |
| uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@b77c075a1235514558f0eb88dbd31e22c45e0cd2 # v2.3.0 | |
| permissions: | |
| actions: read | |
| security-events: write | |
| contents: read | |
| with: | |
| scan-args: |- | |
| -r | |
| ./ | |
| codeql-javascript: | |
| name: CodeQL JavaScript/TypeScript Analysis | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6 | |
| with: | |
| languages: javascript-typescript | |
| queries: security-and-quality | |
| config: | | |
| paths-ignore: | |
| - '**/src/upstream/**' | |
| - '**/node_modules/**' | |
| - '**/build/**' | |
| - '**/prebuilds/**' | |
| - '**/dist/**' | |
| - '**/coverage/**' | |
| - '**/vendored/**' | |
| - '**/third-party/**' | |
| - '**/test/**' | |
| - '**/test-directory/**' | |
| - name: Autobuild | |
| uses: github/codeql-action/autobuild@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6 | |
| codeql-cpp: | |
| name: CodeQL C++ Analysis | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 | |
| with: | |
| submodules: recursive | |
| - name: Setup build environment | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y python3 make g++ gcc | |
| - name: Setup Node.js | |
| uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 | |
| with: | |
| node-version: 20 | |
| cache: "npm" | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6 | |
| with: | |
| languages: cpp | |
| queries: security-and-quality | |
| - name: Build C++ code | |
| run: npm run node-gyp-rebuild | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6 | |
| with: | |
| upload: false | |
| output: sarif-results | |
| # Filter false positives and upstream code from results | |
| # - cpp/slicing: All instances are N-API wrapper classes (Napi::Buffer, | |
| # Napi::BigInt, etc.) assigned to Napi::Value. This is intentional and | |
| # safe - these are thin wrappers around napi_value handles, and slicing | |
| # only loses cached C++ state, not the underlying JS value reference. | |
| # See: https://github.com/nodejs/node-addon-api/blob/main/doc/value.md | |
| - name: Filter upstream code from SARIF | |
| uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d # v1.0.1 | |
| with: | |
| patterns: | | |
| -**/src/upstream/** | |
| -**/node_modules/** | |
| -**:cpp/slicing | |
| input: sarif-results/cpp.sarif | |
| output: sarif-results/cpp.sarif | |
| - name: Upload filtered SARIF | |
| uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6 | |
| with: | |
| sarif_file: sarif-results/cpp.sarif | |
| dependency-review: | |
| name: Dependency Review | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'pull_request' | |
| steps: | |
| - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 | |
| - name: Dependency Review | |
| uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2 | |
| with: | |
| fail-on-severity: moderate | |
| deny-licenses: AGPL-3.0, GPL-3.0 | |
| secrets-scan: | |
| name: Secrets Scanning | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 | |
| with: | |
| fetch-depth: 0 | |
| - name: TruffleHog OSS | |
| uses: trufflesecurity/trufflehog@aade3bff5594fe8808578dd4db3dfeae9bf2abdc # v3.91.1 | |
| with: | |
| path: ./ | |
| base: ${{ github.event.repository.default_branch }} | |
| head: HEAD | |
| extra_args: --exclude-paths .trufflehog-exclude.txt --only-verified | |
| continue-on-error: true | |
| summary: | |
| name: Security Summary | |
| runs-on: ubuntu-latest | |
| needs: [npm-audit, osv-scanner, codeql-javascript, codeql-cpp, secrets-scan] | |
| if: always() | |
| steps: | |
| - name: Summary | |
| run: | | |
| echo "## Security Scan Summary" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "| Check | Status |" >> $GITHUB_STEP_SUMMARY | |
| echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY | |
| echo "| NPM Audit | ${{ needs.npm-audit.result }} |" >> $GITHUB_STEP_SUMMARY | |
| echo "| OSV Scanner | ${{ needs.osv-scanner.result }} |" >> $GITHUB_STEP_SUMMARY | |
| echo "| CodeQL JS/TS | ${{ needs.codeql-javascript.result }} |" >> $GITHUB_STEP_SUMMARY | |
| echo "| CodeQL C++ | ${{ needs.codeql-cpp.result }} |" >> $GITHUB_STEP_SUMMARY | |
| echo "| Secrets Scan | ${{ needs.secrets-scan.result }} |" >> $GITHUB_STEP_SUMMARY |