Security Scanning #180
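name: Security Scanning

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Run security scan weekly on Monday at 9am UTC
    - cron: "0 9 * * 1"
  workflow_dispatch:

# Least privilege: the workflow-level token is read-only. Only the jobs that
# upload code-scanning results (CodeQL, OSV) get `security-events: write`, on
# their own `permissions:` block. A job-level block replaces this one
# wholesale rather than merging with it, so those jobs repeat `contents: read`.
permissions:
  contents: read

jobs:
  npm-audit:
    name: NPM Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Node.js
        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
        with:
          node-version: "20"
          cache: "npm"
      # Advisory only. A failing audit is surfaced as a failed step (red step
      # and annotation in the run view) but does not fail the job; the former
      # `|| true` had the same non-blocking intent but made the step always
      # green, so findings were invisible unless someone opened the log.
      # `--omit=dev` is the current spelling of the deprecated `--production`.
      - name: Run npm audit
        run: npm audit --omit=dev --audit-level=moderate
        continue-on-error: true

  osv-scanner:
    name: OSV Scanner
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@9bb69575e74019c2ad085a1860787043adf47ccb # v2.2.4
    # For a reusable-workflow call this block is the ceiling of what the
    # called workflow may use; `security-events: write` is what it needs to
    # upload its SARIF to code scanning.
    permissions:
      actions: read
      security-events: write
      contents: read
    with:
      scan-args: |-
        -r
        ./

  codeql-javascript:
    name: CodeQL JavaScript/TypeScript Analysis
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Initialize CodeQL
        uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
        with:
          languages: javascript-typescript
          queries: security-and-quality
          # Vendored/upstream/generated trees and tests are excluded from the
          # JS/TS database so alerts point at code this repository owns.
          config: |
            paths-ignore:
              - '**/src/upstream/**'
              - '**/node_modules/**'
              - '**/build/**'
              - '**/prebuilds/**'
              - '**/dist/**'
              - '**/coverage/**'
              - '**/vendored/**'
              - '**/third-party/**'
              - '**/test/**'
              - '**/test-directory/**'
      - name: Autobuild
        uses: github/codeql-action/autobuild@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2

  codeql-cpp:
    name: CodeQL C++ Analysis
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # Native sources (including any upstream submodule) must be present
          # for the node-gyp build that CodeQL traces below.
          submodules: recursive
      - name: Setup build environment
        run: |
          sudo apt-get update
          sudo apt-get install -y python3 make g++ gcc
      - name: Setup Node.js
        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
        with:
          node-version: "20"
          cache: "npm"
      - name: Install dependencies
        run: npm ci
      - name: Initialize CodeQL
        uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
        with:
          languages: cpp
          queries: security-and-quality
      # C/C++ needs a real compile under CodeQL's tracer; autobuild is not used.
      - name: Build C++ code
        run: npm run node-gyp-rebuild
      # Analyze without uploading so that upstream/vendored findings can be
      # stripped from the SARIF before it reaches code scanning. `paths-ignore`
      # is not used here because the C++ database is built from the traced
      # compile, so the filter is applied to the results instead.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
        with:
          upload: false
          output: sarif-results
      - name: Filter upstream code from SARIF
        uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d # v1.0.1
        with:
          patterns: |
            -**/src/upstream/**
            -**/node_modules/**
          input: sarif-results/cpp.sarif
          output: sarif-results/cpp.sarif
      - name: Upload filtered SARIF
        uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
        with:
          sarif_file: sarif-results/cpp.sarif

  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    # The action diffs the PR's dependency changes against its base, so it only
    # makes sense on pull_request events; on push/schedule it is skipped and
    # reported as such in the summary.
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Dependency Review
        uses: actions/dependency-review-action@40c09b7dc99638e5ddb0bfd91c1673effc064d8a # v4.8.1
        with:
          # Same threshold as the npm audit above; this one blocks the PR.
          fail-on-severity: moderate
          deny-licenses: AGPL-3.0, GPL-3.0

  secrets-scan:
    name: Secrets Scanning
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # Full history: TruffleHog walks commits, not just the working tree.
          fetch-depth: 0
      # Pull requests: scan only the commits the PR adds on top of the default
      # branch (the range the action's own documentation recommends).
      - name: TruffleHog OSS (pull request range)
        if: github.event_name == 'pull_request'
        uses: trufflesecurity/trufflehog@f15cb8b37b9b70056bc82a8eb7151f75fad27a71 # v3.90.13
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
          head: HEAD
          extra_args: --exclude-paths .trufflehog-exclude.txt --only-verified
        continue-on-error: true
      # push / schedule / workflow_dispatch on the default branch: `base` and
      # `head` would both resolve to the same commit, an empty range. NOTE(review):
      # in that case the action stops with "BASE and HEAD commits are the same"
      # and exits non-zero, which `continue-on-error` then masked as a pass —
      # confirm against the pinned action's entrypoint. Leaving base/head unset
      # makes the action scan the whole history instead.
      - name: TruffleHog OSS (full history)
        if: github.event_name != 'pull_request'
        uses: trufflesecurity/trufflehog@f15cb8b37b9b70056bc82a8eb7151f75fad27a71 # v3.90.13
        with:
          path: ./
          extra_args: --exclude-paths .trufflehog-exclude.txt --only-verified
        # Kept non-blocking as before; with `--only-verified` every hit is a
        # live credential, so dropping this line to make it blocking is a
        # reasonable policy choice for the maintainers.
        continue-on-error: true

  summary:
    name: Security Summary
    runs-on: ubuntu-latest
    needs: [npm-audit, osv-scanner, codeql-javascript, codeql-cpp, dependency-review, secrets-scan]
    if: always()
    steps:
      - name: Summary
        # Job results are handed to the shell through env rather than
        # interpolated into `run:`. The values here are fixed words
        # (success/failure/cancelled/skipped), so this is not an injection fix
        # in itself; it is the habit that keeps `${{ }}` out of scripts.
        env:
          NPM_AUDIT: ${{ needs.npm-audit.result }}
          OSV_SCANNER: ${{ needs.osv-scanner.result }}
          CODEQL_JS: ${{ needs.codeql-javascript.result }}
          CODEQL_CPP: ${{ needs.codeql-cpp.result }}
          DEPENDENCY_REVIEW: ${{ needs.dependency-review.result }}
          SECRETS_SCAN: ${{ needs.secrets-scan.result }}
        run: |
          {
            echo "## Security Scan Summary"
            echo ""
            echo "| Check | Status |"
            echo "|-------|--------|"
            echo "| NPM Audit | ${NPM_AUDIT} |"
            echo "| OSV Scanner | ${OSV_SCANNER} |"
            echo "| CodeQL JS/TS | ${CODEQL_JS} |"
            echo "| CodeQL C++ | ${CODEQL_CPP} |"
            echo "| Dependency Review | ${DEPENDENCY_REVIEW} |"
            echo "| Secrets Scan | ${SECRETS_SCAN} |"
          } >> "$GITHUB_STEP_SUMMARY"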