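---
# Weekly vulnerability management: one job audits and reports, a second job
# proposes dependency updates as a pull request.
#
# Token scopes are declared per job (least privilege): the scan job can only
# write issues, the update job can only push a branch and open a PR.
# Third-party actions are referenced by major tag; pinning them to a full
# commit SHA would further harden this workflow against tag moves.
name: Vulnerability Management

on:  # yamllint disable-line rule:truthy
  schedule:
    # Check for new vulnerabilities weekly (Mondays, 09:00 UTC)
    - cron: '0 9 * * 1'
  workflow_dispatch:

# Workflow-wide default is read-only; each job widens only what it needs.
permissions:
  contents: read

jobs:
  vulnerability-scan:
    name: Comprehensive Vulnerability Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write  # open or comment on the tracking issue
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Run comprehensive security audit
        id: audit
        run: |
          {
            echo "## Security Audit Report"
            echo "Generated on: $(date)"
            echo ""
            echo "### NPM Audit Results"
          } > security-report.md

          # npm audit exits non-zero whenever findings exist; that is expected.
          npm audit --json > npm-audit.json || true

          # Derive the high/critical count from the structured JSON instead of
          # grepping the report text (prose, headings and package names can
          # contain "high"/"critical" and would trigger false positives).
          # `.vulnerabilities // {}` tolerates an error payload with no findings.
          count=$(jq '[(.vulnerabilities // {}) | to_entries[]
                       | select(.value.severity == "high" or .value.severity == "critical")]
                      | length' npm-audit.json 2>/dev/null || echo 0)
          echo "high_critical_count=${count}" >> "$GITHUB_OUTPUT"

          echo "### High/Critical Vulnerabilities" >> security-report.md
          # Top-level audit entries may carry the advisory title only inside
          # .via; fall back to those titles when .title is absent.
          jq -r '(.vulnerabilities // {}) | to_entries[]
                 | select(.value.severity == "high" or .value.severity == "critical")
                 | "- \(.key): \(.value.title // (.value.via | map(if type == "object" then .title else . end) | join(", "))) (\(.value.severity))"' \
            npm-audit.json > high-critical.txt || true
          # Decide on the listing being empty, not on jq failing: jq exits 0
          # with no output when there are no matching findings.
          if [ -s high-critical.txt ]; then
            cat high-critical.txt >> security-report.md
          else
            echo "No high/critical vulnerabilities found" >> security-report.md
          fi

          echo "### Dependencies with Known Issues" >> security-report.md
          # Informational top-level dependency listing. npm ls exits non-zero on
          # extraneous/missing packages, so never let it fail the step.
          npm ls --depth=0 > dependencies.txt || true
          cat dependencies.txt >> security-report.md

      - name: Create or update issue for vulnerabilities
        # Gate on the structured count produced by the audit step.
        if: steps.audit.outputs.high_critical_count != '0'
        uses: actions/github-script@v7
        env:
          # Passed through env rather than interpolated into the script body,
          # so no workflow expression is spliced into JavaScript source.
          HIGH_CRITICAL_COUNT: ${{ steps.audit.outputs.high_critical_count }}
        with:
          script: |
            const fs = require('fs');
            const report = fs.readFileSync('security-report.md', 'utf8');
            const count = Number(process.env.HIGH_CRITICAL_COUNT || 0);
            if (!(count > 0)) {
              core.info('No high/critical vulnerabilities; not opening an issue.');
              return;
            }
            const labels = ['security', 'vulnerability', 'priority-high'];
            const body = `${report}\n\n**Action Required**: Please review and address these security vulnerabilities.\n\n**Auto-generated by**: Vulnerability Management Workflow`;
            // Reuse an open tracking issue instead of filing a new one every week.
            const { data: open } = await github.rest.issues.listForRepo({
              owner: context.repo.owner,
              repo: context.repo.repo,
              state: 'open',
              labels: 'security,vulnerability',
              per_page: 20,
            });
            // listForRepo also returns pull requests; keep only real issues.
            const existing = open.find((item) => !item.pull_request);
            if (existing) {
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: existing.number,
                body,
              });
              core.info(`Appended this week's report to existing issue #${existing.number}`);
              return;
            }
            await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: `🚨 Security Vulnerabilities Detected - ${new Date().toISOString().split('T')[0]}`,
              body,
              labels,
            });

      - name: Upload security report
        # Upload even when issue creation fails, so the evidence is not lost.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-report
          path: security-report.md

  dependency-update-pr:
    name: Security Dependency Updates
    runs-on: ubuntu-latest
    permissions:
      contents: write        # push the update branch
      pull-requests: write   # open the pull request
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18'
          cache: 'npm'

      - name: Install dependencies
        # Start from the lockfile so the diff below reflects only audit/update changes.
        run: npm ci

      - name: Update vulnerable dependencies
        run: |
          # Apply automatically fixable advisories within the existing semver
          # ranges. `--force` is deliberately not used: it installs semver-major
          # versions, which contradicts the "no breaking changes expected" claim
          # in the PR body and widens the supply-chain blast radius of a bot PR.
          npm audit fix || true
          # Pull in-range (per package.json) updates for the remaining packages.
          npm update
          # Check if package.json or package-lock.json changed
          if git diff --quiet package.json package-lock.json; then
            echo "No security updates needed"
            echo "UPDATES_NEEDED=false" >> "$GITHUB_ENV"
          else
            echo "Security updates available"
            echo "UPDATES_NEEDED=true" >> "$GITHUB_ENV"
          fi

      - name: Test after security updates
        if: env.UPDATES_NEEDED == 'true'
        run: |
          npm run build
          # Add any additional tests here

      - name: Create Pull Request for security updates
        if: env.UPDATES_NEEDED == 'true'
        # NOTE: a PR opened with GITHUB_TOKEN does not trigger pull_request
        # workflows, so the build step above is the only automated check it
        # receives before review.
        uses: peter-evans/create-pull-request@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: 'security: update vulnerable dependencies'
          title: '🔒 Security: Update vulnerable dependencies'
          body: |
            ## Security Dependency Updates
            This PR contains automatic security updates for vulnerable dependencies.
            ### Changes Made
            - Updated vulnerable npm packages
            - Applied automatic security fixes
            - Verified build still works
            ### Security Impact
            - Addresses known security vulnerabilities
            - Maintains compatibility with existing code
            - No breaking changes expected
            ### Testing
            - [x] Build passes
            - [x] No TypeScript errors
            - [ ] Manual testing recommended
            **Please review and test before merging.**
            ---
            *Auto-generated by security workflow*
          branch: security/dependency-updates
          delete-branch: true
          labels: |
            security
            dependencies
            automated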