Skip to content

Security - Dependency & Code Audit #8

Security - Dependency & Code Audit

Security - Dependency & Code Audit #8

Workflow file for this run

name: Security - Dependency & Code Audit
on:
schedule:
# Run weekly on Monday at 9 AM UTC
- cron: "0 9 * * 1"
workflow_dispatch:
# Single concurrent run is fine for security checks
concurrency:
group: ${{ github.workflow }}
cancel-in-progress: false
jobs:
# ============================================================================
# Security Audit
# ============================================================================
# Runs on schedule (weekly) to check for vulnerabilities.
# Failure is non-blocking (doesn't prevent merges).
# Useful for monitoring supply chain security.
# ============================================================================
security-audit:
name: npm Audit & Dependency Check
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: "20.x"
cache: "npm"
- name: Install dependencies
run: npm ci
- name: Run npm audit
run: npm audit --audit-level=moderate
continue-on-error: true
- name: Show dependencies with funding info
run: npm fund --json 2>/dev/null | head -20 || echo "No funding info available"
- name: Audit Report Summary
if: always()
run: |
echo "=========================================="
echo "Security Audit Report"
echo "=========================================="
echo "Audit completed on: $(date)"
echo ""
echo "Dependency Summary:"
npm list --depth=0 || true
echo ""
echo "⚠️ Note: Review moderate vulnerabilities if any"
echo "For critical issues, please report to maintainers"
echo "=========================================="