chore(studio-deps-dev)(deps-dev): bump resolve from 1.22.10 to 1.22.11 in /studio #312
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ArcadeDB Studio Security Audit Workflow | |
| # Runs automated security checks on the frontend dependencies | |
| name: "Studio Security Audit" | |
| on: | |
| # Run on all pushes to main and PRs | |
| push: | |
| branches: [ main ] | |
| paths: | |
| - "studio/**" | |
| - ".github/workflows/studio-security-audit.yml" | |
| pull_request: | |
| branches: [ main ] | |
| paths: | |
| - "studio/**" | |
| - ".github/workflows/studio-security-audit.yml" | |
| # Run weekly security audit | |
| schedule: | |
| - cron: "0 6 * * 1" # Every Monday at 6 AM UTC | |
| # Allow manual triggering | |
| workflow_dispatch: | |
| jobs: | |
| security-audit: | |
| name: "Frontend Security Audit" | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| defaults: | |
| run: | |
| working-directory: ./studio | |
| steps: | |
| - name: "Checkout Repository" | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| - name: "Setup Node.js" | |
| uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 | |
| with: | |
| node-version: "18" | |
| cache: "npm" | |
| cache-dependency-path: "studio/package-lock.json" | |
| - name: "Install Dependencies" | |
| run: npm ci | |
| - name: "Run npm Security Audit" | |
| run: | | |
| echo "🔍 Running npm security audit..." | |
| npm audit --audit-level=moderate | |
| - name: "Check for Outdated Packages" | |
| run: | | |
| echo "📊 Checking for outdated packages..." | |
| npm outdated || true | |
| - name: "Run Comprehensive Security Audit Script" | |
| run: | | |
| echo "🔐 Running comprehensive security audit..." | |
| chmod +x ./scripts/security-audit.sh | |
| ./scripts/security-audit.sh | |
| - name: "Validate Package.json" | |
| run: | | |
| echo "📋 Validating package.json..." | |
| # Check for known vulnerable packages | |
| if grep -q "jquery.*1\." package.json; then | |
| echo "❌ Vulnerable jQuery 1.x detected!" | |
| exit 1 | |
| fi | |
| if grep -q "bootstrap.*[1-4]\." package.json; then | |
| echo "❌ Vulnerable Bootstrap 4.x or earlier detected!" | |
| exit 1 | |
| fi | |
| if grep -q "sweetalert2.*1[0-1]\.[0-5]" package.json; then | |
| echo "❌ Potentially vulnerable SweetAlert2 version detected!" | |
| exit 1 | |
| fi | |
| echo "✅ Package versions look secure" | |
| - name: "Test Build Process" | |
| run: | | |
| echo "🏗️ Testing build process..." | |
| npm run build | |
| - name: "Analyze Bundle Size" | |
| run: | | |
| echo "📦 Analyzing bundle sizes..." | |
| if [ -d "src/main/resources/static/dist" ]; then | |
| echo "Built assets:" | |
| du -h src/main/resources/static/dist/**/* | sort -hr | head -10 | |
| # Check for unexpectedly large bundles | |
| find src/main/resources/static/dist -name "*.js" -size +1M | while read file; do | |
| echo "⚠️ Large bundle detected: $file ($(stat -f%z "$file" 2>/dev/null || stat -c%s "$file") bytes)" | |
| done | |
| else | |
| echo "❌ Build output not found!" | |
| exit 1 | |
| fi | |
| - name: "License Compliance Check" | |
| run: | | |
| echo "🏷️ Checking license compliance..." | |
| # Use npx for license-checker | |
| if npx license-checker --version &> /dev/null; then | |
| echo "Running license compliance check with npx..." | |
| npx license-checker --summary --excludePrivatePackages | |
| # Check for problematic licenses | |
| npx license-checker --excludePrivatePackages --onlyAllow "MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC;0BSD" || echo "⚠️ Non-standard licenses detected - review required" | |
| else | |
| echo "ℹ️ license-checker not available, skipping detailed license analysis" | |
| fi | |
| - name: "Security Summary" | |
| if: always() | |
| run: | | |
| echo "" | |
| echo "🔒 Security Audit Summary" | |
| echo "========================" | |
| echo "✅ npm audit: $(npm audit --audit-level=high --json | jq -r '.metadata.vulnerabilities.high // 0') high-severity vulnerabilities" | |
| echo "✅ Package validation: Completed" | |
| echo "✅ Build process: Verified" | |
| echo "✅ Bundle analysis: Completed" | |
| echo "" | |
| echo "For detailed security information, see the security audit script output above." | |
| dependency-review: | |
| name: "Dependency Review" | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'pull_request' | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| steps: | |
| - name: "Checkout Repository" | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| - name: "Dependency Review" | |
| uses: actions/dependency-review-action@40c09b7dc99638e5ddb0bfd91c1673effc064d8a # v4.8.1 | |
| with: | |
| fail-on-severity: moderate | |
| allow-dependencies-licenses: "MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD" | |
| deny-licenses: "GPL-2.0, GPL-3.0, AGPL-3.0" | |
| config-file: ".github/dependency-review-config.yml" | |
| codeql-analysis: | |
| name: "CodeQL Security Analysis" | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'push' || github.event_name == 'schedule' | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: "Checkout Repository" | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| - name: "Initialize CodeQL" | |
| uses: github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5 | |
| with: | |
| languages: javascript | |
| queries: security-and-quality | |
| - name: "Perform CodeQL Analysis" | |
| uses: github/codeql-action/analyze@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5 |