59 lines
1.5 KiB
YAML
59 lines
1.5 KiB
YAML
name: Security Scan
|
|
|
|
on:
|
|
push:
|
|
pull_request:
|
|
schedule:
|
|
- cron: '0 3 * * 1'
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
backend-security:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 15
|
|
steps:
|
|
- uses: actions/checkout@v6
|
|
- name: Set up Go
|
|
uses: actions/setup-go@v6
|
|
with:
|
|
go-version-file: backend/go.mod
|
|
check-latest: false
|
|
cache-dependency-path: backend/go.sum
|
|
- name: Verify Go version
|
|
run: |
|
|
go version | grep -q 'go1.25.7'
|
|
- name: Run govulncheck
|
|
working-directory: backend
|
|
run: |
|
|
go install golang.org/x/vuln/cmd/govulncheck@latest
|
|
govulncheck ./...
|
|
|
|
frontend-security:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v6
|
|
- name: Set up pnpm
|
|
uses: pnpm/action-setup@v4
|
|
with:
|
|
version: 9
|
|
- name: Set up Node.js
|
|
uses: actions/setup-node@v6
|
|
with:
|
|
node-version: '20'
|
|
cache: 'pnpm'
|
|
cache-dependency-path: frontend/pnpm-lock.yaml
|
|
- name: Install dependencies
|
|
working-directory: frontend
|
|
run: pnpm install --frozen-lockfile
|
|
- name: Run pnpm audit
|
|
working-directory: frontend
|
|
run: |
|
|
pnpm audit --prod --audit-level=high --json > audit.json || true
|
|
- name: Check audit exceptions
|
|
run: |
|
|
python tools/check_pnpm_audit_exceptions.py \
|
|
--audit frontend/audit.json \
|
|
--exceptions .github/audit-exceptions.yml
|