fix(ci): run scanners before pnpm install to avoid node_modules false positives
First successful gitleaks run flagged 381 "leaks" — all of them inside `node_modules/` and `.pnpm-store/`, populated by the `pnpm install --frozen-lockfile` step that runs earlier in the job. Upstream packages routinely embed demo RSA keys / fake API tokens in their READMEs and test fixtures, and gitleaks (correctly, by its rules) flags them all. This is the same class of false-positive Trivy hit before us in #49. Move both scanners (Trivy + gitleaks) to BEFORE `pnpm install`: - Trivy scans `pnpm-lock.yaml` for vulns; the lockfile is committed, no install required. - Gitleaks scans the working tree (`--no-git --source .` in ci.yml; deep history in security-scheduled.yml). Without `pnpm install`, the only files present are our own source code, which is what we actually want to scan. - `pnpm audit` reads `pnpm-lock.yaml` against the advisory DB — also doesn't need node_modules. The install before audit remains for the workspace-integrity sanity check. Net result: clean scans, no allowlist file to maintain, scanners run faster (smaller tree to walk). The ordering rationale is documented inline at the top of each job's `steps:` block so a future contributor doesn't innocently shuffle the steps and re-introduce the false-positive flood. Apply the same reordering to `security-scheduled.yml` for consistency, even though its deep-history gitleaks scan does not suffer the same false positives (history does not contain node_modules; gitignored from day one).
This commit is contained in:
+15
-2
@@ -55,14 +55,22 @@ jobs:
|
|||||||
|
|
||||||
scan:
|
scan:
|
||||||
runs-on: [self-hosted, on-prem]
|
runs-on: [self-hosted, on-prem]
|
||||||
|
# Step ordering matters here: Trivy and gitleaks BOTH run before
|
||||||
|
# `pnpm install`. Reason: gitleaks scans the working tree
|
||||||
|
# (`--no-git --source .`), and after install, `node_modules/`
|
||||||
|
# and `.pnpm-store/` are full of upstream packages whose READMEs
|
||||||
|
# and test fixtures contain demo RSA keys / fake API tokens —
|
||||||
|
# gitleaks then false-positives on them by the hundreds (caught
|
||||||
|
# the hard way: 381 hits on the first run). Trivy reads
|
||||||
|
# `pnpm-lock.yaml` for its vuln scan, not `node_modules`, so it
|
||||||
|
# also doesn't need install. `pnpm ci:audit` does the same — it
|
||||||
|
# queries the advisory DB against the lockfile.
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v6
|
- uses: actions/checkout@v6
|
||||||
- uses: pnpm/action-setup@v6
|
- uses: pnpm/action-setup@v6
|
||||||
- uses: actions/setup-node@v6
|
- uses: actions/setup-node@v6
|
||||||
with:
|
with:
|
||||||
node-version-file: '.nvmrc'
|
node-version-file: '.nvmrc'
|
||||||
- run: pnpm install --frozen-lockfile
|
|
||||||
- run: pnpm ci:audit
|
|
||||||
# Dependency vulnerability scan. Trivy is a Go binary, not an npm
|
# Dependency vulnerability scan. Trivy is a Go binary, not an npm
|
||||||
# package, so it cannot live in package.json scripts as cleanly
|
# package, so it cannot live in package.json scripts as cleanly
|
||||||
# as audit/lint do.
|
# as audit/lint do.
|
||||||
@@ -150,6 +158,11 @@ jobs:
|
|||||||
--source . \
|
--source . \
|
||||||
--redact \
|
--redact \
|
||||||
--exit-code 1
|
--exit-code 1
|
||||||
|
# npm-advisory check (against pnpm-lock.yaml). Run last so
|
||||||
|
# `pnpm install` does not pollute the working tree before the
|
||||||
|
# scanners above.
|
||||||
|
- run: pnpm install --frozen-lockfile
|
||||||
|
- run: pnpm ci:audit
|
||||||
|
|
||||||
commits:
|
commits:
|
||||||
# PRs opened by Renovate (apf-portal-bot) carry commit messages
|
# PRs opened by Renovate (apf-portal-bot) carry commit messages
|
||||||
|
|||||||
@@ -14,6 +14,13 @@ on:
|
|||||||
jobs:
|
jobs:
|
||||||
full-tree-scan:
|
full-tree-scan:
|
||||||
runs-on: [self-hosted, on-prem]
|
runs-on: [self-hosted, on-prem]
|
||||||
|
# Step ordering mirrors ci.yml: scanners run before `pnpm install`
|
||||||
|
# so the working tree is not polluted with node_modules content
|
||||||
|
# (READMEs / fixtures of upstream packages contain demo
|
||||||
|
# secrets that gitleaks false-positives on by the hundreds).
|
||||||
|
# The deep-history gitleaks scan here doesn't strictly need it
|
||||||
|
# (history doesn't contain node_modules), but consistency with
|
||||||
|
# ci.yml keeps the two workflows reading the same way.
|
||||||
steps:
|
steps:
|
||||||
# fetch-depth: 0 → full history. The per-PR gitleaks scan is
|
# fetch-depth: 0 → full history. The per-PR gitleaks scan is
|
||||||
# shallow + working-tree-only; this scheduled job is where we
|
# shallow + working-tree-only; this scheduled job is where we
|
||||||
@@ -26,8 +33,6 @@ jobs:
|
|||||||
- uses: actions/setup-node@v6
|
- uses: actions/setup-node@v6
|
||||||
with:
|
with:
|
||||||
node-version-file: '.nvmrc'
|
node-version-file: '.nvmrc'
|
||||||
- run: pnpm install --frozen-lockfile
|
|
||||||
- run: pnpm audit
|
|
||||||
# Full-tree Trivy (no skip-dirs, no severity filter — the per-PR
|
# Full-tree Trivy (no skip-dirs, no severity filter — the per-PR
|
||||||
# gate filters by severity for speed; this run wants the full
|
# gate filters by severity for speed; this run wants the full
|
||||||
# surface for the security feed). Manual install + curl, same
|
# surface for the security feed). Manual install + curl, same
|
||||||
@@ -69,6 +74,11 @@ jobs:
|
|||||||
--source . \
|
--source . \
|
||||||
--redact \
|
--redact \
|
||||||
--exit-code 1
|
--exit-code 1
|
||||||
|
# npm-advisory check (against pnpm-lock.yaml). Run last so
|
||||||
|
# `pnpm install` does not pollute the working tree before the
|
||||||
|
# scanners above.
|
||||||
|
- run: pnpm install --frozen-lockfile
|
||||||
|
- run: pnpm audit
|
||||||
|
|
||||||
lighthouse-prod:
|
lighthouse-prod:
|
||||||
# Skipped silently if the prod URL hasn't been configured yet.
|
# Skipped silently if the prod URL hasn't been configured yet.
|
||||||
|
|||||||
Reference in New Issue
Block a user