Skip to content

perf(monorepo): ⚑️ optimize nx local task caching across workspace #426

perf(monorepo): ⚑️ optimize nx local task caching across workspace

perf(monorepo): ⚑️ optimize nx local task caching across workspace #426

name: πŸ•΅οΈ Audit Security
on:
push:
branches:
- main
pull_request:
schedule:
- cron: 0 6 * * 1 # Weekly Monday 6am UTC
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
audit-security:
name: πŸ•΅οΈ Audit Security
runs-on: ubuntu-latest
steps:
- name: πŸ“₯ Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: πŸ•‹ Setup monorepo
uses: ./.github/actions/setup-monorepo
- name: 🚰 Gitleaks Check
run: pnpm exec nx run monorepo:gitleaks --configuration=ci
- name: πŸ₯· Bandit Security Scan
run: pnpm exec nx affected --target=bandit --base=$NX_BASE --head=$NX_HEAD --parallel=3
- name: πŸ“š Dependency Audit
run: pnpm exec nx affected --target=scan-dependencies --parallel=3
- name: πŸ” Check Changes
if: github.event_name != 'schedule'
id: paths
# paths-filter has no diff context on schedule events, so Trivy steps
# fall back to the `github.event_name == 'schedule'` condition instead
uses: dorny/paths-filter@v3
with:
filters: |
terraform:
- infrastructure/terraform/**
- name: πŸ— Trivy Infrastructure Scan
if: |
github.event_name == 'schedule' ||
steps.paths.outputs.terraform == 'true'
uses: aquasecurity/trivy-action@v0.36.0
with:
scan-type: config
scan-ref: infrastructure/terraform
format: table
severity: CRITICAL,HIGH
exit-code: 1
trivyignores: configuration/trivyignore