chore: add react doctor (#104) #184
| name: Security | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| security: | |
| name: Security Checks | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '22' | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@v4 | |
| with: | |
| version: 10.29.3 | |
| - name: Get pnpm store directory | |
| shell: bash | |
| run: | | |
| echo "STORE_PATH=$(pnpm store path --silent)" >> "$GITHUB_ENV" | |
| - name: Setup pnpm cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: ${{ env.STORE_PATH }} | |
| key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-pnpm-store- | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Run gitleaks (full repo scan) | |
| uses: gitleaks/gitleaks-action@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} | |
| with: | |
| config-path: .gitleaks.toml | |
| redact: true | |
| verbose: true | |
| exit-code: 1 | |
| fail: true | |
| - name: Run TruffleHog OSS (git scan) | |
| uses: trufflesecurity/trufflehog@821e8b9e5cdf8dc484dd23e06f78941fcf6b9191 | |
| with: | |
| path: ./ | |
| base: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }} | |
| head: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} | |
| extra_args: --exclude-paths=.trufflehogignore --only-verified | |
| - name: Install OSV Scanner | |
| run: | | |
| ARCH=$(uname -m) | |
| if [ "$ARCH" = "x86_64" ]; then ARCH="amd64"; elif [ "$ARCH" = "aarch64" ]; then ARCH="arm64"; fi | |
| wget -O /tmp/osv-scanner https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_${ARCH} | |
| chmod +x /tmp/osv-scanner | |
| sudo mv /tmp/osv-scanner /usr/local/bin/ | |
| osv-scanner --version | |
| - name: Run OSV Scanner | |
| run: | | |
| echo "π Scanning dependencies for known vulnerabilities..." | |
| set +e | |
| osv-scanner scan --lockfile=pnpm-lock.yaml --format=markdown | |
| EXIT_CODE=$? | |
| set -e | |
| if [ $EXIT_CODE -ne 0 ]; then | |
| echo "" | |
| echo "β SECURITY ISSUE: OSV Scanner found known vulnerabilities in dependencies" | |
| echo "Review the output above for details about affected packages" | |
| echo "Update or replace vulnerable dependencies" | |
| exit 1 | |
| fi | |
| echo "β No known vulnerabilities found in dependencies" | |
| - name: Run pnpm audit | |
| run: | | |
| echo "π Running pnpm audit for dependency vulnerabilities..." | |
| set +e | |
| pnpm audit --audit-level=high | |
| EXIT_CODE=$? | |
| set -e | |
| if [ $EXIT_CODE -ne 0 ]; then | |
| echo "" | |
| echo "β SECURITY ISSUE: pnpm audit found vulnerabilities with severity >= high" | |
| echo "Review the audit output above for details about vulnerable packages" | |
| echo "Run 'pnpm audit fix' or update affected packages" | |
| exit 1 | |
| fi | |
| echo "β No high or critical severity vulnerabilities found" |
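Review bot: The "Install OSV Scanner" step fetches the binary from `releases/latest/download/` with `wget`, verifies nothing, and moves it into `/usr/local/bin` with `sudo`, so the job's vulnerability verdict depends on whatever the latest release happens to be at run time and a replaced or corrupted asset would be executed unchecked. Pin the release and check its digest before installing, e.g. `OSV_VERSION="<pinned release tag>"`, `wget -O /tmp/osv-scanner "https://github.com/google/osv-scanner/releases/download/${OSV_VERSION}/osv-scanner_linux_${ARCH}"` and `echo "<expected sha256 for this arch>  /tmp/osv-scanner" | sha256sum -c -`, with the expected digest taken from the checksum file published alongside that release. The same pinning gap applies to `actions/checkout@v4`, `actions/setup-node@v4`, `pnpm/action-setup@v4`, `actions/cache@v4` and `gitleaks/gitleaks-action@v2`, which float on a mutable major tag while the TruffleHog step is already pinned to a full commit SHA; pinning all of them the same way keeps this security job consistent with itself. Separately, the `with:` inputs under the gitleaks step (`config-path`, `redact`, `verbose`, `exit-code`, `fail`) should be checked against the action's declared inputs, because an input the action does not declare is only surfaced as an "Unexpected input(s)" warning and otherwise ignored, which would leave `.gitleaks.toml` unused without failing the job. The hidden/bidirectional Unicode banner shown for this file is presumably triggered by the non-ASCII glyphs in the echo lines of the OSV and pnpm audit steps; worth confirming in a hex view that those are plain emoji and not control characters before merging.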