TDvorak/swingmusic-extended
1
0
Fork 0
mirror of https://github.com/Dvorinka/swingmusic-extended.git synced 2026-06-03 20:13:02 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
Files
523ebf1c949e3f27b1ed140161b4146d2299bf23
swingmusic-extended/.github/workflows/security.yml
T
Tomas Dvorak d7ab552e6a update
2026-03-22 10:55:22 +01:00

149 lines
3.5 KiB
YAML
Raw Blame History

name: Security Scanning
on:
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
schedule:
# Run weekly on Monday at 00:00 UTC
- cron: '0 0 * * 1'
workflow_dispatch:
jobs:
# ===========================================
# CODEQL ANALYSIS
# ===========================================
codeql-backend:
name: CodeQL (Python)
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: python
queries: security-and-quality
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:python"
codeql-frontend:
name: CodeQL (JavaScript/TypeScript)
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
submodules: recursive
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: javascript-typescript
queries: security-and-quality
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:javascript-typescript"
# ===========================================
# DEPENDENCY VULNERABILITY SCANNING
# ===========================================
pip-audit:
name: Python Dependency Audit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install pip-audit
run: pip install pip-audit
- name: Run pip-audit
run: pip-audit --requirement requirements.txt --format=json --no-deps
continue-on-error: true
npm-audit-web:
name: NPM Audit (Web Client)
runs-on: ubuntu-latest
defaults:
run:
working-directory: swingmusic-webclient
steps:
- uses: actions/checkout@v4
with:
submodules: recursive
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Install dependencies
run: npm ci || npm install
- name: Run npm audit
run: npm audit --audit-level=moderate
continue-on-error: true
npm-audit-desktop:
name: NPM Audit (Desktop)
runs-on: ubuntu-latest
defaults:
run:
working-directory: swingmusic-desktop
steps:
- uses: actions/checkout@v4
with:
submodules: recursive
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Install dependencies
run: npm ci || npm install
- name: Run npm audit
run: npm audit --audit-level=moderate
continue-on-error: true
# ===========================================
# SECRET SCANNING
# ===========================================
secret-scan:
name: Secret Scanning
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: TruffleHog OSS
uses: trufflesecurity/trufflehog@main
with:
path: ./
base: ${{ github.event.repository.default_branch }}
extra_args: --only-verified
Reference in New Issue View Git Blame Copy Permalink