71 lines
1.7 KiB
YAML
71 lines
1.7 KiB
YAML
name: Security
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
branches: [main]
|
|
schedule:
|
|
# Run weekly to catch new vulnerabilities
|
|
- cron: "0 8 * * 1"
|
|
workflow_dispatch: # Allow manual triggering
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
gitleaks:
|
|
name: Scan for Secrets
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0 # Full history for comprehensive scan
|
|
|
|
- name: Run Gitleaks
|
|
uses: gitleaks/gitleaks-action@v2
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
|
|
|
|
dependency-review:
|
|
name: Dependency Review
|
|
runs-on: ubuntu-latest
|
|
if: github.event_name == 'pull_request'
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Dependency Review
|
|
uses: actions/dependency-review-action@v4
|
|
with:
|
|
fail-on-severity: moderate
|
|
|
|
npm-audit:
|
|
name: NPM Audit
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Setup pnpm
|
|
uses: pnpm/action-setup@v4
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 20
|
|
cache: pnpm
|
|
|
|
- name: Install dependencies
|
|
run: pnpm install --frozen-lockfile
|
|
|
|
- name: Run npm audit
|
|
run: pnpm audit --audit-level=moderate
|
|
continue-on-error: true # Don't fail build on vulnerabilities in deps
|
|
|
|
- name: Run pnpm audit (strict)
|
|
run: pnpm audit --prod --audit-level=high
|