added actions for node and semgrep

finos · Dec 14, 2022 · 6b2abe7 · 6b2abe7
1 parent 9fc2f17
commit 6b2abe7
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 0 deletions.
diff --git a/.github/workflows/cve-scanning-node.yml b/.github/workflows/cve-scanning-node.yml
@@ -0,0 +1,24 @@
+name: CVE Scanning for Node.js
+
+on:
+  push:
+    paths:
+      - 'package.json'
+      - 'package-lock.json'
+      - 'allow-list.json'
+      - '.github/workflows/cve-scanning-node.yml'
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [16.x]
+    steps:
+      - uses: actions/checkout@v3
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ matrix.node-version }}
+      - run: npm ci --prod
+      - run: npx --yes auditjs ossi --whitelist allow-list.json
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -0,0 +1,15 @@
+name: Static code analysis
+
+on: [push, pull_request]
+
+jobs:
+  semgrep:
+    name: run-semgrep
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+    steps:
+    - uses: actions/checkout@v3
+    - run: semgrep scan --error --config auto
+      env:
+        SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
diff --git a/allow-list.json b/allow-list.json
@@ -0,0 +1,4 @@
+{
+    "ignore": [
+    ]
+}