fix(ci): run scanners before pnpm install to avoid node_modules false positives #51

Merged
julien merged 1 commits from fix/ci/scan-before-install into main 2026-05-08 00:18:58 +02:00
2 changed files with 27 additions and 4 deletions
+15 -2
View File
@@ -55,14 +55,22 @@ jobs:
scan:
runs-on: [self-hosted, on-prem]
# Step ordering matters here: Trivy and gitleaks BOTH run before
# `pnpm install`. Reason: gitleaks scans the working tree
# (`--no-git --source .`), and after install, `node_modules/`
# and `.pnpm-store/` are full of upstream packages whose READMEs
# and test fixtures contain demo RSA keys / fake API tokens —
# gitleaks then false-positives on them by the hundreds (caught
# the hard way: 381 hits on the first run). Trivy reads
# `pnpm-lock.yaml` for its vuln scan, not `node_modules`, so it
# also doesn't need install. `pnpm ci:audit` does the same — it
# queries the advisory DB against the lockfile.
steps:
- uses: actions/checkout@v6
- uses: pnpm/action-setup@v6
- uses: actions/setup-node@v6
with:
node-version-file: '.nvmrc'
- run: pnpm install --frozen-lockfile
- run: pnpm ci:audit
# Dependency vulnerability scan. Trivy is a Go binary, not an npm
# package, so it cannot live in package.json scripts as cleanly
# as audit/lint do.
@@ -150,6 +158,11 @@ jobs:
--source . \
--redact \
--exit-code 1
# npm-advisory check (against pnpm-lock.yaml). Run last so
# `pnpm install` does not pollute the working tree before the
# scanners above.
- run: pnpm install --frozen-lockfile
- run: pnpm ci:audit
commits:
# PRs opened by Renovate (apf-portal-bot) carry commit messages
+12 -2
View File
@@ -14,6 +14,13 @@ on:
jobs:
full-tree-scan:
runs-on: [self-hosted, on-prem]
# Step ordering mirrors ci.yml: scanners run before `pnpm install`
# so the working tree is not polluted with node_modules content
# (READMEs / fixtures of upstream packages contain demo
# secrets that gitleaks false-positives on by the hundreds).
# The deep-history gitleaks scan here doesn't strictly need it
# (history doesn't contain node_modules), but consistency with
# ci.yml keeps the two workflows reading the same way.
steps:
# fetch-depth: 0 → full history. The per-PR gitleaks scan is
# shallow + working-tree-only; this scheduled job is where we
@@ -26,8 +33,6 @@ jobs:
- uses: actions/setup-node@v6
with:
node-version-file: '.nvmrc'
- run: pnpm install --frozen-lockfile
- run: pnpm audit
# Full-tree Trivy (no skip-dirs, no severity filter — the per-PR
# gate filters by severity for speed; this run wants the full
# surface for the security feed). Manual install + curl, same
@@ -69,6 +74,11 @@ jobs:
--source . \
--redact \
--exit-code 1
# npm-advisory check (against pnpm-lock.yaml). Run last so
# `pnpm install` does not pollute the working tree before the
# scanners above.
- run: pnpm install --frozen-lockfile
- run: pnpm audit
lighthouse-prod:
# Skipped silently if the prod URL hasn't been configured yet.