
Update security-scan.yml #17


Workflow file for this run

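# Security scanning for the repository: npm audit, Snyk (dependencies and code),
# TruffleHog secret scanning and OWASP Dependency-Check. SARIF results go to
# GitHub code scanning; all reports are also kept as a build artifact.
name: πŸ›‘οΈ Security Scanning

on:
  schedule:
    - cron: '0 6 * * 1' # Every Monday at 06:00 (GitHub evaluates cron in UTC)
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege for GITHUB_TOKEN instead of the repository default:
# read the code, write code-scanning results (needed by upload-sarif).
# NOTE(review): private repositories may also need `actions: read` for
# upload-sarif - confirm against the codeql-action documentation.
permissions:
  contents: read
  security-events: write

jobs:
  security-scan:
    name: πŸ” Comprehensive Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: πŸ“₯ Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Needed for TruffleHog to compare commits
          # No later step pushes or fetches, so do not leave the token in
          # .git/config where every following third-party action can read it.
          persist-credentials: false

      - name: πŸ—οΈ Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18.x'
          cache: 'npm'

      # NOTE(review): `npm ci` runs package lifecycle scripts before any
      # scanner has looked at the dependency tree; consider whether
      # `--ignore-scripts` is acceptable for this project.
      - name: πŸ“¦ Install dependencies
        run: npm ci

      # Advisory only: `|| true` discards the exit code, so this step never
      # fails the job. Gating on vulnerable dependencies is left to Snyk below.
      - name: πŸ”’ NPM Audit
        run: |
          npm audit --audit-level=high || true
          npm audit fix --dry-run || true

      # NOTE(review): `@master` is a mutable ref and this step receives
      # SNYK_TOKEN; pin the action to a full commit SHA.
      # SNYK_TOKEN is not provided to pull requests from forks, so this step
      # is expected to fail there.
      - name: 🚨 Snyk Security Scan
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high --sarif-file-output=snyk.sarif

      # Runs even when the dependency scan above reported findings; otherwise
      # one failing scanner would hide the results of every later one.
      # NOTE(review): the action has a separate `command` input (default
      # `test`), so `code test` passed through `args` may not run Snyk Code as
      # intended - confirm, and consider `command: code test`.
      - name: πŸ“Š Snyk Code Scan
        if: ${{ !cancelled() }}
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: code test --sarif-file-output=snyk-code.sarif

      # Upload even if a scan step failed: a failing scan is exactly when the
      # SARIF file carries findings worth seeing in code scanning.
      - name: πŸ“ Upload Snyk Reports
        if: ${{ !cancelled() }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif
        continue-on-error: true # Don't fail if SARIF upload fails

      - name: πŸ“ Upload Snyk Code Reports
        if: ${{ !cancelled() }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk-code.sarif
        continue-on-error: true

      # `github.event.before` / `.after` exist only on push events. On pull
      # requests fall back to the PR's base and head commits so the scan has a
      # real range; on the scheduled run both stay empty, as before.
      # NOTE(review): `@main` is a mutable ref - pin to a full commit SHA.
      # NOTE(review): the maintained TruffleHog action is published as
      # `trufflesecurity/trufflehog`; confirm this path still resolves.
      - name: πŸ” Secret Scanning
        if: ${{ !cancelled() }}
        uses: trufflesecurity/trufflehog-github-actions@main
        with:
          path: ./
          base: ${{ github.event.pull_request.base.sha || github.event.before }}
          head: ${{ github.event.pull_request.head.sha || github.event.after }}

      # NOTE(review): the action reference was mangled by e-mail obfuscation
      # when this page was captured ("dependency-check/[email protected]").
      # The action name below is the reviewer's reading of it; the pinned
      # version is not recoverable from the page - restore it from the
      # repository before using this file.
      - name: πŸ›‘οΈ OWASP Dependency Check
        if: ${{ !cancelled() }}
        uses: dependency-check/Dependency-Check_Action@PINNED_VERSION_PLACEHOLDER # Fixed version
        with:
          project: 'EM-Zilla'
          path: ./
          format: 'HTML'
          out: 'reports/'

      # The reports list unpatched vulnerabilities; anyone who can read the
      # repository's workflow runs can download them for the retention period.
      - name: πŸ“€ Upload Security Report
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: security-reports
          path: |
            reports/
            *.sarif
          retention-days: 90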