77 lines
2.1 KiB
YAML
77 lines
2.1 KiB
YAML
name: Security
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
branches: [main]
|
|
schedule:
|
|
# Run weekly to catch new vulnerabilities
|
|
- cron: "0 8 * * 1"
|
|
workflow_dispatch: # Allow manual triggering
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
gitleaks:
|
|
name: Scan for Secrets
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0 # Full history for comprehensive scan
|
|
|
|
- name: Install Gitleaks
|
|
run: |
|
|
GITLEAKS_VERSION=8.24.0
|
|
GITLEAKS_SHA256=cb49b7de5ee986510fe8666ca0273a6cc15eb82571f2f14832c9e8920751f3a4
|
|
curl -sSfL -o gitleaks.tar.gz "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
|
|
echo "${GITLEAKS_SHA256} gitleaks.tar.gz" | sha256sum -c -
|
|
sudo tar xzf gitleaks.tar.gz -C /usr/local/bin gitleaks
|
|
rm gitleaks.tar.gz
|
|
|
|
- name: Run Gitleaks
|
|
run: gitleaks detect --source . --config .gitleaks.toml --verbose --redact
|
|
|
|
dependency-review:
|
|
name: Dependency Review
|
|
runs-on: ubuntu-latest
|
|
if: github.event_name == 'pull_request'
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Dependency Review
|
|
uses: actions/dependency-review-action@v4
|
|
with:
|
|
fail-on-severity: moderate
|
|
|
|
npm-audit:
|
|
name: NPM Audit
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Setup pnpm
|
|
uses: pnpm/action-setup@v4
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 20
|
|
cache: pnpm
|
|
|
|
- name: Install dependencies
|
|
run: pnpm install --frozen-lockfile
|
|
|
|
- name: Run npm audit
|
|
run: pnpm audit --audit-level=moderate
|
|
continue-on-error: true # Don't fail build on vulnerabilities in deps
|
|
|
|
- name: Run pnpm audit (strict)
|
|
run: pnpm audit --prod --audit-level=high
|