name: Security Scanning
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
schedule:
- cron: '0 2 * * 0' # Weekly on Sunday at 2 AM UTC
permissions:
contents: read
security-events: write
jobs:
dependency-check:
name: Dependency Security Check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20.x'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Check for vulnerable dependencies
run: npm audit --audit-level=moderate
continue-on-error: true
codeql:
name: CodeQL Analysis
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
language: [ 'javascript' ]
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
- name: Autobuild
uses: github/codeql-action/autobuild@v2
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
secrets:
name: Secret Scanning
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Scan for secrets
uses: trufflesecurity/trufflehog@main
with:
path: ./
base: ${{ github.event.repository.default_branch }}
head: HEAD
extra_args: --json --only-verified
continue-on-error: true
license-check:
name: License Compliance
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20.x'
cache: 'npm'
- name: Check licenses
run: |
npm install -g license-checker
license-checker --onlyAllow "Apache-2.0,MIT,ISC,BSD,BSD-2-Clause,BSD-3-Clause,MPL-2.0,LGPL-2.1,LGPL-3.0" || true
continue-on-error: true
content-validation:
name: Content Validation
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Check code quality with custom validator
run: |
node verify_security.js || true
continue-on-error: true
