GitHub Actions: Security scanning with Semgrep
cgen-f9fb3056ab9f486998b15f81415846da
This commit is contained in:
Builder.io
parent
ded3b59ea0
commit
dc60ba6219
1 changed files with 45 additions and 0 deletions
45
.github/workflows/security.yml
vendored
Normal file
45
.github/workflows/security.yml
vendored
Normal file
|
|
@ -0,0 +1,45 @@
|
|||
name: Security Scan
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [main, develop]
|
||||
pull_request:
|
||||
branches: [main, develop]
|
||||
schedule:
|
||||
- cron: '0 2 * * 0'
|
||||
|
||||
jobs:
|
||||
semgrep:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Run Semgrep
|
||||
uses: returntocorp/semgrep-action@v1
|
||||
with:
|
||||
generateSarif: true
|
||||
config: |
|
||||
p/security-audit
|
||||
p/typescript
|
||||
p/react
|
||||
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: semgrep.sarif
|
||||
if: always()
|
||||
|
||||
dependency-check:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Run npm audit
|
||||
run: npm audit --production --audit-level=moderate
|
||||
continue-on-error: true
|
||||
|
||||
- name: Check for vulnerable dependencies
|
||||
run: npm audit --production
|
||||
continue-on-error: true
|
||||
Loading…
Reference in a new issue