Scheduled daily vulnerability scan

Signed-off-by: Mark S. Lewis <[email protected]>
hyperledger · May 2, 2024 · 4981774 · 4981774
1 parent 36464ca
commit 4981774
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 26 deletions.
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -127,29 +127,3 @@ jobs:
         with:
           name: TestLogs
           path: "**/*.build.log"
-
-
-  # Job to handle the auditing of the code
-  # NPM audit is run on a 'fake' installation of the libraries
-  # Pulling in all the dependencies it will be able to run NPM AUDIT, and if that returns a
-  # error code the job will fail.
-  src_audit:
-    runs-on: ubuntu-20.04
-    needs: build
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: '18.x'
-      - uses: actions/download-artifact@v4
-        with:
-          name: node-tgzs
-          path: build/
-      - name: run audit
-        run: |
-          set -xev -o pipefail
-          node common/scripts/install-run-rush.js install
-          node common/scripts/install-run-rush.js start-verdaccio # script will check for the ci variable and use built images
-          mkdir -p audit && cd audit && npm init -y
-          npm install --registry http://localhost:4873 fabric-shim fabric-shim-api fabric-contract-api --save
-          npm audit --audit-level=moderate
diff --git a/.github/workflows/vulnerability-scan.yaml b/.github/workflows/vulnerability-scan.yaml
@@ -0,0 +1,37 @@
+name: "Security vulnerability scan"
+
+on:
+  schedule:
+    - cron: "55 2 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  # Job to handle the auditing of the code
+  # NPM audit is run on a 'fake' installation of the libraries
+  # Pulling in all the dependencies it will be able to run NPM AUDIT, and if that returns a
+  # error code the job will fail.
+  scan:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 18
+      - name: Install
+        run: node common/scripts/install-run-rush.js install
+      - name: Build packages
+        run: node common/scripts/install-run-rush.js publish --include-all --pack --release-folder tgz --publish
+      - name: Start local NPM registry
+        run: node common/scripts/install-run-rush.js start-verdaccio # script will check for the ci variable and use built images
+      - name: Deploy scan project
+        run: |
+          mkdir -p audit
+          cd audit
+          npm init --yes
+          npm install --save --package-lock-only --registry http://localhost:4873 fabric-shim fabric-shim-api fabric-contract-api
+      - name: Scan
+        working-directory: audit
+        run: npm audit --omit=dev