deps(actions): bump github/codeql-action from 4.32.4 to 4.32.6 in the github-actions group #21
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| schedule: | |
| # Weekly scan on Monday at 6am UTC | |
| - cron: '0 6 * * 1' | |
| workflow_call: | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| security-events: write | |
| jobs: | |
| npm-audit: | |
| name: npm Audit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 | |
| with: | |
| node-version: 22 | |
| cache: npm | |
| - run: npm ci | |
| - run: npm audit --audit-level=high --omit=dev | |
| trivy: | |
| name: Trivy Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 | |
| with: | |
| scan-type: fs | |
| scan-ref: . | |
| severity: HIGH,CRITICAL | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| format: sarif | |
| output: trivy-results.sarif | |
| - name: Upload Trivy results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4 | |
| if: always() | |
| continue-on-error: true # Requires GitHub Advanced Security | |
| with: | |
| sarif_file: trivy-results.sarif | |
| gitleaks: | |
| name: Secret Scanning | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install gitleaks | |
| run: | | |
| curl -sSfLo gitleaks_8.21.2_linux_x64.tar.gz https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz | |
| curl -sSfLo checksums.txt https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_checksums.txt | |
| grep 'gitleaks_8.21.2_linux_x64.tar.gz' checksums.txt | sha256sum -c - | |
| tar -xzf gitleaks_8.21.2_linux_x64.tar.gz | |
| sudo mv gitleaks /usr/local/bin/ | |
| - name: Run gitleaks | |
| run: gitleaks detect --source . --config .gitleaks.toml --redact --verbose | |
| codeql: | |
| name: CodeQL Analysis | |
| runs-on: ubuntu-latest | |
| continue-on-error: true # Requires GitHub Advanced Security | |
| permissions: | |
| contents: read | |
| security-events: write | |
| actions: read | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4 | |
| with: | |
| languages: javascript-typescript | |
| config-file: ./.github/codeql/codeql-config.yml | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4 | |
| with: | |
| category: codeql-javascript | |
| upload: never | |
| output: sarif-results | |
| - name: Upload SARIF to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4 | |
| continue-on-error: true # Requires GitHub Advanced Security | |
| with: | |
| sarif_file: sarif-results | |
| category: codeql-javascript |