Security Scanning #23

Workflow file for this run

.github/workflows/security-scan.yml at 58c2f0c

	name: Security Scanning

	on:
	push:
	branches: [ main, develop ]
	pull_request:
	branches: [ main, develop ]
	schedule:
	# Run security scans weekly (Sunday at midnight)
	- cron: '0 0 * * 0'

	jobs:
	security-scan:
	name: Security Scanning
	runs-on: ubuntu-latest
	permissions:
	# Required for CodeQL analysis
	security-events: write
	actions: read
	contents: read

	steps:
	- name: Checkout repository
	uses: actions/checkout@v3

	# Setup pnpm first
	- name: Setup pnpm
	uses: pnpm/action-setup@v2
	with:
	version: 8

	# Setup Node.js environment
	- name: Setup Node.js
	uses: actions/setup-node@v3
	with:
	node-version: '18'
	cache: 'pnpm'

	- name: Install dependencies
	run: pnpm install --no-frozen-lockfile

	# Run pnpm audit to check for vulnerable dependencies
	- name: Run pnpm audit
	run: pnpm audit --audit-level=high
	continue-on-error: true

	# Initialize CodeQL
	- name: Initialize CodeQL
	uses: github/codeql-action/init@v3
	with:
	languages: javascript, typescript

	# Autobuild attempts to build any compiled languages
	- name: Autobuild
	uses: github/codeql-action/autobuild@v3

	# Run CodeQL Analysis
	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v3
	with:
	category: "/language:javascript"

	# Install ESLint security plugins
	- name: Install ESLint security plugins
	run: \|
	pnpm add -D eslint-plugin-security eslint-plugin-no-unsanitized

	# Create a temporary ESLint config that includes security plugins
	- name: Create security-focused ESLint config
	run: \|
	cat > .eslintrc.security.js << 'EOL'
	module.exports = {
	extends: ['./.eslintrc.js'],
	plugins: ['security', 'no-unsanitized'],
	rules: {
	'security/detect-buffer-noassert': 'error',
	'security/detect-child-process': 'error',
	'security/detect-disable-mustache-escape': 'error',
	'security/detect-eval-with-expression': 'error',
	'security/detect-no-csrf-before-method-override': 'error',
	'security/detect-non-literal-fs-filename': 'error',
	'security/detect-non-literal-regexp': 'error',
	'security/detect-non-literal-require': 'error',
	'security/detect-object-injection': 'warn',
	'security/detect-possible-timing-attacks': 'error',
	'security/detect-pseudoRandomBytes': 'error',
	'security/detect-unsafe-regex': 'error',
	'no-unsanitized/method': 'error',
	'no-unsanitized/property': 'error'
	}
	};
	EOL

	# Run ESLint with security plugins
	- name: Run ESLint security scan
	run: npx eslint --config .eslintrc.security.js --ext .js,.jsx,.ts,.tsx . \|\| true

	# Check for hardcoded secrets
	- name: Check for hardcoded secrets
	uses: gitleaks/gitleaks-action@v2
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security Scanning #23

Workflow file

Security Scanning #23

Uh oh!

Jobs

Run details

Workflow file for this run