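name: Tests (sast)

# Generic YAML 1.1 parsers read the bare key "on" as a boolean; GitHub's
# workflow loader treats it as the trigger key, so the yamllint warning is
# suppressed rather than "fixed" by quoting.
on:  # yamllint disable-line rule:truthy
  pull_request:
  schedule:
    # Weekly (Friday 03:43 UTC) so scheduled scans pick up newly published
    # advisories even when no pull request is open.
    - cron: "43 3 * * 5"
  workflow_dispatch:

env:
  NODE_VERSION: 24.x

# Workflow-wide default for GITHUB_TOKEN: read-only. Jobs that need more
# (CodeQL) widen it at job level.
permissions:
  contents: read

jobs:
  # https://github.com/aquasecurity/trivy-action
  # Dependency (SCA) scan of the lockfile only - source files are not read.
  trivy-vuln:
    name: "Trivy: SCA"
    runs-on: ubuntu-latest
    # Dependabot-triggered runs are skipped, as in the other jobs below.
    if: (github.actor != 'dependabot[bot]')
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Trivy
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          scanners: vuln
          scan-type: fs
          scan-ref: package-lock.json
          hide-progress: true
          # Findings with no fixed version are suppressed from the report;
          # any remaining finding fails the job (exit-code 1).
          ignore-unfixed: true
          exit-code: 1
          format: github

  # License inventory of the installed dependency tree. exit-code 0 makes this
  # informational only: license findings are printed but never fail the run.
  trivy-license:
    name: "Trivy: Licensing"
    runs-on: ubuntu-latest
    if: (github.actor != 'dependabot[bot]')
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Node.js ${{ env.NODE_VERSION }}
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: ${{ env.NODE_VERSION }}
          registry-url: https://registry.npmjs.org
      - name: Install dependencies
        # --ignore-scripts keeps dependency lifecycle scripts from running on
        # the runner; only the package contents are needed for scanning.
        run: |
          npm ci --ignore-scripts
      - name: Trivy
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          scanners: license
          scan-type: fs
          scan-ref: .
          hide-progress: true
          exit-code: 0
          format: table

  # https://github.com/oss-review-toolkit/ort-ci-github-action
  # Disabled; kept for reference as an alternative licensing check.
  # ort:
  #   name: "OSS Review Toolkit: Licensing"
  #   runs-on: ubuntu-latest
  #   if: (github.actor != 'dependabot[bot]')
  #   steps:
  #     - name: Checkout repository
  #       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  #     - name: OSS Review Toolkit (ORT)
  #       uses: oss-review-toolkit/ort-ci-github-action@1805edcf1f4f55f35ae6e4d2d9795ccfb29b6021 # 1.1.0
  #       with:
  #         allow-dynamic-versions: "true"
  #         ort-cli-args: "-P ort.analyzer.enabledPackageManagers=NPM"
  #         fail-on: "violations"

  # Lockfile integrity: every resolved URL must point at the npm registry over
  # HTTPS, which catches lockfile entries redirected to other hosts.
  lockfile:
    name: "lockfile-lint: SAST package-lock.json"
    runs-on: ubuntu-latest
    if: (github.actor != 'dependabot[bot]')
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Node.js ${{ env.NODE_VERSION }}
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: ${{ env.NODE_VERSION }}
          registry-url: https://registry.npmjs.org
      - name: Install dependencies
        # Installs only the .github workspace - presumably where lockfile-lint
        # is declared as a dev dependency; confirm against that package.json.
        run: |
          npm ci --ignore-scripts --workspace .github
      - name: lockfile-lint
        # NOTE(review): --validate-package-names and --validate-integrity are
        # also available in lockfile-lint and are not enabled here; consider
        # adding them once the lockfile passes with them locally.
        run: |
          ./node_modules/.bin/lockfile-lint --path package-lock.json --type npm --allowed-hosts npm --validate-https

  # https://github.com/github/codeql-action
  codeql:
    name: "CodeQL: SAST"
    runs-on: ubuntu-latest
    # Consistent with the other jobs. Dependabot-triggered pull_request runs
    # receive a read-only GITHUB_TOKEN, so the security-events upload in the
    # analyze step would not be permitted for them anyway.
    if: (github.actor != 'dependabot[bot]')
    permissions:
      actions: read
      contents: read
      # Needed to upload SARIF results to code scanning.
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: [javascript]
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Initialize CodeQL
        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
        with:
          languages: ${{ matrix.language }}
          # Extends the default suite with the security-and-quality queries.
          queries: +security-and-quality
      - name: Autobuild
        uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
        with:
          category: "/language:${{ matrix.language }}"

  # https://semgrep.dev/docs/semgrep-ci/sample-ci-configs/#github-actions
  semgrep:
    name: "semgrep: SAST"
    runs-on: ubuntu-latest
    container:
      # https://hub.docker.com/r/semgrep/semgrep/tags
      # NOTE(review): pinned by mutable tag, unlike the SHA-pinned actions in
      # this file; pin by digest (image@sha256:<digest-placeholder>) to get the
      # same immutability guarantee.
      image: semgrep/semgrep:1.111.0 # v1.111.0
    if: (github.actor != 'dependabot[bot]')
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: semgrep
        run: semgrep ci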