Compare commits
6 Commits
e217ca5ea9
...
29e9d0f468
| Author | SHA1 | Date | |
|---|---|---|---|
| 29e9d0f468 | |||
| 0d21129bad | |||
| a0e8e095d0 | |||
| 0d27f835c3 | |||
| 2cc795a9fd | |||
| 6fc26db1b5 |
+56
-5
@@ -55,14 +55,22 @@ jobs:
|
||||
|
||||
scan:
|
||||
runs-on: [self-hosted, on-prem]
|
||||
# Step ordering matters here: Trivy and gitleaks BOTH run before
|
||||
# `pnpm install`. Reason: gitleaks scans the working tree
|
||||
# (`--no-git --source .`), and after install, `node_modules/`
|
||||
# and `.pnpm-store/` are full of upstream packages whose READMEs
|
||||
# and test fixtures contain demo RSA keys / fake API tokens —
|
||||
# gitleaks then false-positives on them by the hundreds (caught
|
||||
# the hard way: 381 hits on the first run). Trivy reads
|
||||
# `pnpm-lock.yaml` for its vuln scan, not `node_modules`, so it
|
||||
# also doesn't need install. `pnpm ci:audit` does the same — it
|
||||
# queries the advisory DB against the lockfile.
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: pnpm/action-setup@v6
|
||||
- uses: actions/setup-node@v6
|
||||
with:
|
||||
node-version-file: '.nvmrc'
|
||||
- run: pnpm install --frozen-lockfile
|
||||
- run: pnpm ci:audit
|
||||
# Dependency vulnerability scan. Trivy is a Go binary, not an npm
|
||||
# package, so it cannot live in package.json scripts as cleanly
|
||||
# as audit/lint do.
|
||||
@@ -101,17 +109,60 @@ jobs:
|
||||
tar -xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy
|
||||
trivy --version
|
||||
- name: Run Trivy
|
||||
# `--scanners vuln`: limit Trivy to vulnerability scanning. Its
|
||||
# secret scanner false-positives on demo RSA keys embedded in
|
||||
# the README/fixtures of cryptographic npm packages (which
|
||||
# land under .pnpm-store/), and we already have gitleaks below
|
||||
# as the dedicated secret-scan gate. Trivy's intent in this
|
||||
# job, per ADR-0015, was always "dependency vulnerability
|
||||
# scan" — restoring that scope.
|
||||
run: |
|
||||
trivy fs \
|
||||
--scanners vuln \
|
||||
--ignore-unfixed \
|
||||
--skip-dirs node_modules \
|
||||
--exit-code 1 \
|
||||
--severity CRITICAL,HIGH \
|
||||
.
|
||||
# Secret scan, same reasoning (gitleaks is a Go binary).
|
||||
- uses: gitleaks/gitleaks-action@v2
|
||||
# Secret scan. Same install pattern as Trivy: gitleaks is a Go
|
||||
# binary, and the official `gitleaks/gitleaks-action@v2` wrapper
|
||||
# is now paywalled for organisations (a GITLEAKS_LICENSE secret
|
||||
# from gitleaks.io is required, otherwise the action errors out
|
||||
# with `🛑 missing gitleaks license`). The binary itself stays
|
||||
# MIT-licensed and free — installing it directly bypasses the
|
||||
# wrapper and gives us version pinning for free.
|
||||
- name: Install gitleaks
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
# Bump deliberately. Same caveat as TRIVY_VERSION above —
|
||||
# not Renovate-tracked out of the box. Releases:
|
||||
# https://github.com/gitleaks/gitleaks/releases.
|
||||
GITLEAKS_VERSION: '8.21.0'
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
|
||||
run: |
|
||||
curl -sfL \
|
||||
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
|
||||
-o /tmp/gitleaks.tar.gz \
|
||||
"https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
|
||||
tar -xzf /tmp/gitleaks.tar.gz -C /usr/local/bin gitleaks
|
||||
gitleaks version
|
||||
- name: Run gitleaks
|
||||
# `--no-git --source .` scans the working tree only. The scan
|
||||
# job uses a shallow checkout, so a git-history scan would not
|
||||
# see beyond HEAD anyway; the weekly security-scheduled
|
||||
# workflow does the deep history scan with a full clone.
|
||||
# `--redact` masks any matched secret in the log output so we
|
||||
# do not leak it via the CI logs themselves.
|
||||
run: |
|
||||
gitleaks detect \
|
||||
--no-git \
|
||||
--source . \
|
||||
--redact \
|
||||
--exit-code 1
|
||||
# npm-advisory check (against pnpm-lock.yaml). Run last so
|
||||
# `pnpm install` does not pollute the working tree before the
|
||||
# scanners above.
|
||||
- run: pnpm install --frozen-lockfile
|
||||
- run: pnpm ci:audit
|
||||
|
||||
commits:
|
||||
# PRs opened by Renovate (apf-portal-bot) carry commit messages
|
||||
|
||||
@@ -14,25 +14,71 @@ on:
|
||||
jobs:
|
||||
full-tree-scan:
|
||||
runs-on: [self-hosted, on-prem]
|
||||
# Step ordering mirrors ci.yml: scanners run before `pnpm install`
|
||||
# so the working tree is not polluted with node_modules content
|
||||
# (READMEs / fixtures of upstream packages contain demo
|
||||
# secrets that gitleaks false-positives on by the hundreds).
|
||||
# The deep-history gitleaks scan here doesn't strictly need it
|
||||
# (history doesn't contain node_modules), but consistency with
|
||||
# ci.yml keeps the two workflows reading the same way.
|
||||
steps:
|
||||
# fetch-depth: 0 → full history. The per-PR gitleaks scan is
|
||||
# shallow + working-tree-only; this scheduled job is where we
|
||||
# do the deep history scan that catches secrets ever committed
|
||||
# (and not just what's currently checked in).
|
||||
- uses: actions/checkout@v6
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- uses: pnpm/action-setup@v6
|
||||
- uses: actions/setup-node@v6
|
||||
with:
|
||||
node-version-file: '.nvmrc'
|
||||
cache: 'pnpm'
|
||||
- run: pnpm install --frozen-lockfile
|
||||
- run: pnpm audit
|
||||
# Full-tree Trivy (no skip-dirs, no severity filter — the per-PR
|
||||
# gate filters by severity for speed; this run wants the full
|
||||
# surface for the security feed).
|
||||
- uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
scan-type: fs
|
||||
ignore-unfixed: true
|
||||
- uses: gitleaks/gitleaks-action@v2
|
||||
# surface for the security feed). Manual install + curl, same
|
||||
# pattern as ci.yml — see the rationale there.
|
||||
- name: Install Trivy
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
TRIVY_VERSION: '0.70.0'
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
|
||||
run: |
|
||||
curl -sfL \
|
||||
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
|
||||
-o /tmp/trivy.tar.gz \
|
||||
"https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
|
||||
tar -xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy
|
||||
trivy --version
|
||||
- name: Run Trivy
|
||||
run: |
|
||||
trivy fs \
|
||||
--scanners vuln \
|
||||
--ignore-unfixed \
|
||||
.
|
||||
# Deep gitleaks scan (full git history). Same install pattern as
|
||||
# ci.yml. `--redact` masks any matched secret in the log so we
|
||||
# don't leak it via CI logs themselves.
|
||||
- name: Install gitleaks
|
||||
env:
|
||||
GITLEAKS_VERSION: '8.21.0'
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
|
||||
run: |
|
||||
curl -sfL \
|
||||
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
|
||||
-o /tmp/gitleaks.tar.gz \
|
||||
"https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
|
||||
tar -xzf /tmp/gitleaks.tar.gz -C /usr/local/bin gitleaks
|
||||
gitleaks version
|
||||
- name: Run gitleaks (full history)
|
||||
run: |
|
||||
gitleaks detect \
|
||||
--source . \
|
||||
--redact \
|
||||
--exit-code 1
|
||||
# npm-advisory check (against pnpm-lock.yaml). Run last so
|
||||
# `pnpm install` does not pollute the working tree before the
|
||||
# scanners above.
|
||||
- run: pnpm install --frozen-lockfile
|
||||
- run: pnpm audit
|
||||
|
||||
lighthouse-prod:
|
||||
# Skipped silently if the prod URL hasn't been configured yet.
|
||||
@@ -44,7 +90,6 @@ jobs:
|
||||
- uses: actions/setup-node@v6
|
||||
with:
|
||||
node-version-file: '.nvmrc'
|
||||
cache: 'pnpm'
|
||||
- run: pnpm install --frozen-lockfile
|
||||
- run: pnpm exec lhci collect --url=${{ vars.LHCI_PROD_URL }} --numberOfRuns=3
|
||||
- run: pnpm exec lhci assert --config=./lighthouserc.js
|
||||
|
||||
Generated
+242
-242
File diff suppressed because it is too large
Load Diff
Reference in New Issue
Block a user