Skip to content
Security

Bump erb from 6.0.2 to 6.0.4 in /ruby #159

Sign in to view logs

Bump erb from 6.0.2 to 6.0.4 in /ruby

Bump erb from 6.0.2 to 6.0.4 in /ruby #159

Workflow file for this run

.github/workflows/security.yml at 03eec31
name: Security
on:
push:
branches: [main]
pull_request:
schedule:
- cron: '0 6 * * 1'
workflow_dispatch:
jobs:
govulncheck:
name: Go Vulnerability Check
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version: '1.26'
- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
- name: Run govulncheck
run: cd go && govulncheck ./...
npm-audit:
name: npm Audit
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: '22'
- name: Install
run: cd typescript && npm ci
- name: Audit
run: cd typescript && npm audit --audit-level=high
bundler-audit:
name: Bundler Audit
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: ruby/setup-ruby@6ca151fd1bfcfd6fe0c4eb6837eb0584d0134a0c # v1.290.0
with:
ruby-version: '4.0'
bundler-cache: true
working-directory: ruby
- name: Install bundler-audit
run: gem install bundler-audit -v 0.9.3
- name: Audit
run: cd ruby && bundle-audit check --update
trivy-go:
name: Trivy (Go)
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
with:
scan-type: fs
scan-ref: ./go
severity: HIGH,CRITICAL
exit-code: 1
ignore-unfixed: true
format: sarif
output: trivy-go.sarif
- uses: github/codeql-action/upload-sarif@603b797f8b14b413fe025cd935a91c16c4782713 # v3.33.0
if: always()
with:
sarif_file: trivy-go.sarif
category: trivy-go
trivy-typescript:
name: Trivy (TypeScript)
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
with:
scan-type: fs
scan-ref: ./typescript
severity: HIGH,CRITICAL
exit-code: 1
ignore-unfixed: true
format: sarif
output: trivy-typescript.sarif
- uses: github/codeql-action/upload-sarif@603b797f8b14b413fe025cd935a91c16c4782713 # v3.33.0
if: always()
with:
sarif_file: trivy-typescript.sarif
category: trivy-typescript
trivy-ruby:
name: Trivy (Ruby)
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
with:
scan-type: fs
scan-ref: ./ruby
severity: HIGH,CRITICAL
exit-code: 1
ignore-unfixed: true
format: sarif
output: trivy-ruby.sarif
- uses: github/codeql-action/upload-sarif@603b797f8b14b413fe025cd935a91c16c4782713 # v3.33.0
if: always()
with:
sarif_file: trivy-ruby.sarif
category: trivy-ruby
gosec:
name: Go Security Check
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: securego/gosec@bb17e422fc34bf4c0a2e5cab9d07dc45a68c040c # v2.24.7
with:
args: -severity high -exclude-dir=pkg/generated ./go/...