-
Notifications
You must be signed in to change notification settings - Fork 21
101 lines (85 loc) · 2.63 KB
/
Copy pathsecurity.yml
File metadata and controls
101 lines (85 loc) · 2.63 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
name: Security Audit
on:
schedule:
# Run weekly on Mondays at 9:00 AM UTC
- cron: '0 9 * * 1'
push:
branches: [main]
paths:
- 'package.json'
- 'package-lock.json'
pull_request:
paths:
- 'package.json'
- 'package-lock.json'
workflow_dispatch: # Allow manual trigger
jobs:
audit:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20.x'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Run npm audit (all dependencies)
run: |
echo "=== Running npm audit on all dependencies ==="
npm audit --audit-level=moderate | tee audit-all.txt
continue-on-error: true
- name: Run npm audit (production only - strict)
run: |
echo "=== Running npm audit on production dependencies ==="
npm audit --production --audit-level=high
- name: Check for outdated dependencies
run: |
echo "=== Checking for outdated dependencies ==="
npm outdated > outdated.txt || true
cat outdated.txt
- name: Upload audit reports
if: always()
uses: actions/upload-artifact@v4
with:
name: security-audit-reports
path: |
audit-all.txt
outdated.txt
if-no-files-found: ignore
retention-days: 30
security-updates:
runs-on: ubuntu-latest
if: github.event_name == 'schedule'
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20.x'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Check for available updates
run: |
echo "=== Checking for available updates ==="
npx npm-check-updates
echo ""
echo "=== Checking which updates pass tests ==="
npx npm-check-updates --doctor --doctorTest "npm test" || true
- name: Generate update report
run: |
echo "=== Security Update Report ===" > security-updates.txt
echo "Generated on: $(date)" >> security-updates.txt
echo "" >> security-updates.txt
npx npm-check-updates >> security-updates.txt || true
- name: Upload update report
uses: actions/upload-artifact@v4
with:
name: security-updates-report
path: security-updates.txt
if-no-files-found: ignore
retention-days: 30