doc-ops-mcp

name: Security Scan on: push: branches: [ main, develop ] pull_request: branches: [ main, develop ] schedule: - cron: '0 2 * * 1' # Run every Monday at 2 AM UTC jobs: security-scan: runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: '20.x' cache: 'npm' - name: Install dependencies run: npm ci - name: Run npm audit run: npm audit --audit-level moderate - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: scan-type: 'fs' scan-ref: '.' format: 'sarif' output: 'trivy-results.sarif' - name: Upload Trivy scan results uses: github/codeql-action/upload-sarif@v3 if: always() with: sarif_file: 'trivy-results.sarif' - name: OSSF Scorecard uses: ossf/scorecard-action@v2 with: results_file: results.sarif results_format: sarif publish_results: true - name: Upload Scorecard results uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif dependency-update: runs-on: ubuntu-latest if: github.event_name == 'schedule' steps: - name: Checkout code uses: actions/checkout@v4 - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: '20.x' cache: 'npm' - name: Update dependencies run: | npm update npm audit fix --force || true - name: Create Pull Request uses: peter-evans/create-pull-request@v5 with: token: ${{ secrets.GITHUB_TOKEN }} commit-message: 'chore: update dependencies and fix security issues' title: 'Security: Update dependencies and fix vulnerabilities' body: | This PR updates dependencies to fix security vulnerabilities. Changes: - Updated npm dependencies - Fixed security vulnerabilities found by npm audit Please review and merge if tests pass. branch: security-updates delete-branch: true