
Remove some internal concerns + govnet from local-env #7701



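# Dependency-audit workflow: cargo-deny for Rust, npm audit for TypeScript.
# Both jobs run through an Earthly target and publish the resulting SARIF to
# code scanning. The tree-cache-guard action short-circuits a job when the
# same source tree has already been audited successfully.
name: +audit (cargo deny + npm audit)

on:
  merge_group:
  pull_request:
    branches: ["**"]
    paths-ignore:
      - "changes/**"
  push:
    branches: ["main"]

# no top level default permissions for security reasons
permissions: {}

concurrency:
  # One run per PR head ref; pushes to main and other events get a unique group.
  group: ${{ github.event_name == 'pull_request' && format('{0}-{1}', github.workflow, github.head_ref) || github.run_id }}
  cancel-in-progress: true

jobs:
  audit-rust:
    name: audit job cargo
    permissions:
      contents: read
      security-events: write  # required by codeql-action/upload-sarif
      actions: write  # NOTE(review): presumably needed by tree-cache-guard (cache API); confirm, drop if not
    # merge_group runs are skipped here; the job-level if keeps them out of both jobs.
    if: github.event_name != 'merge_group'
    runs-on: ubuntu-latest
    env:
      FORCE_COLOR: 1
    steps:
      - name: Checkout node repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        # NOTE(review): no step in this job pushes; consider `persist-credentials: false`
        # unless tree-cache-guard or the Earthly target needs the persisted token — confirm.
        with:
          submodules: true
      - id: guard
        uses: ./.github/actions/tree-cache-guard
      - uses: EarthBuild/actions-setup@cae2d9ab68894d8402751fe42e07c7cca0272f7f
        if: steps.guard.outputs.hit != 'true'
        with:
          version: v0.8.16
          github-token: ${{ github.token }}
          use-cache: false
      - name: Run cargo deny
        if: steps.guard.outputs.hit != 'true'
        run: |
          . ./.envrc && earthly --use-inline-cache --strict +audit-rust
      - name: Fix cargo-deny SARIF format
        # (success() || failure()) mirrors the upload step below. Without it this step
        # carries an implicit success() and is skipped whenever "Run cargo deny" exits
        # non-zero, so the upload would then send the unfixed SARIF — i.e. on exactly
        # the runs that contain findings.
        if: (success() || failure()) && steps.guard.outputs.hit != 'true' && hashFiles('scan_reports/cargo-deny.sarif') != ''
        run: |
          # cargo-deny produces snippet/message as strings, but SARIF spec requires objects
          jq '(.. | .snippet? | strings) |= {"text": .}' scan_reports/cargo-deny.sarif | \
            jq '(.. | .message? | select(type == "string")) |= {"text": .}' > scan_reports/cargo-deny-fixed.sarif
          mv scan_reports/cargo-deny-fixed.sarif scan_reports/cargo-deny.sarif
      - name: Upload cargo-deny SARIF
        uses: github/codeql-action/upload-sarif@ce729e4d353d580e6cacd6a8cf2921b72e5e310a # codeql-bundle-v2.23.6
        # Upload even when the audit step failed (findings), but only when a report exists.
        if: (success() || failure()) && steps.guard.outputs.hit != 'true' && hashFiles('scan_reports/cargo-deny.sarif') != ''
        # An upload failure (e.g. a malformed SARIF) does not fail the audit job.
        continue-on-error: true
        with:
          sarif_file: scan_reports/cargo-deny.sarif
          category: cargo-deny
      # Implicit success(): the tree is only recorded as audited when every step above passed.
      - uses: ./.github/actions/tree-cache-guard/save
        if: steps.guard.outputs.hit != 'true'
        with:
          key: ${{ steps.guard.outputs.key }}

  audit-typescript:
    name: audit job npm
    permissions:
      contents: read
      security-events: write  # required by codeql-action/upload-sarif
      actions: write  # NOTE(review): presumably needed by tree-cache-guard (cache API); confirm, drop if not
    if: github.event_name != 'merge_group'
    runs-on: ubuntu-latest
    env:
      FORCE_COLOR: 1
    steps:
      - name: Checkout node repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          submodules: true
      - id: guard
        uses: ./.github/actions/tree-cache-guard
      - uses: EarthBuild/actions-setup@cae2d9ab68894d8402751fe42e07c7cca0272f7f
        if: steps.guard.outputs.hit != 'true'
        with:
          version: v0.8.16
          github-token: ${{ github.token }}
          use-cache: false
      - name: Run npm audit
        if: steps.guard.outputs.hit != 'true'
        run: |
          . ./.envrc && earthly --use-inline-cache --strict +audit-nodejs
      # The Earthly target writes one SARIF per package; each is uploaded under its own
      # category so findings are tracked separately, and only when the file exists.
      - name: Upload npm-audit-local-environment SARIF
        uses: github/codeql-action/upload-sarif@ce729e4d353d580e6cacd6a8cf2921b72e5e310a # codeql-bundle-v2.23.6
        if: (success() || failure()) && steps.guard.outputs.hit != 'true' && hashFiles('scan_reports/npm-audit-local-environment.sarif') != ''
        continue-on-error: true
        with:
          sarif_file: scan_reports/npm-audit-local-environment.sarif
          category: npm-audit-local-environment
      - name: Upload npm-audit-node-toolkit-js SARIF
        uses: github/codeql-action/upload-sarif@ce729e4d353d580e6cacd6a8cf2921b72e5e310a # codeql-bundle-v2.23.6
        if: (success() || failure()) && steps.guard.outputs.hit != 'true' && hashFiles('scan_reports/npm-audit-toolkit-js.sarif') != ''
        continue-on-error: true
        with:
          sarif_file: scan_reports/npm-audit-toolkit-js.sarif
          category: npm-audit-node-toolkit-js
      # Implicit success(): the tree is only recorded as audited when every step above passed.
      - uses: ./.github/actions/tree-cache-guard/save
        if: steps.guard.outputs.hit != 'true'
        with:
          key: ${{ steps.guard.outputs.key }}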