
dev: stable version

dev: stable version #1


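---
# Repository security scan: Trivy filesystem scan, CodeQL, npm audit and a
# few grep heuristics. Trivy results go to the GitHub Security tab as SARIF;
# of the heuristics only the eval() check fails the job.
name: Security scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 3 * * 0'  # Every Sunday at 3 AM (cron runs in UTC)

# Least-privilege GITHUB_TOKEN: read the repository, write code-scanning
# alerts. upload-sarif and codeql-action/analyze need security-events: write;
# without an explicit grant they fail on repositories whose default token
# permissions are read-only.
permissions:
  contents: read
  security-events: write

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # No later step pushes to the repository, so do not leave the
          # token in .git/config for the rest of the job.
          persist-credentials: false

      - name: Run Trivy vulnerability scanner
        # TODO(review): @master is a mutable branch ref; pin this (and ideally
        # every third-party action) to a release tag or full-length commit SHA
        # so the scanner cannot change underneath the workflow.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        # NOTE(review): codeql-action v2 has been deprecated upstream; bump
        # all three codeql-action steps to the current major together.
        uses: github/codeql-action/upload-sarif@v2
        # Upload even if Trivy failed so partial results are still visible.
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'

      - name: Run CodeQL Analysis
        uses: github/codeql-action/init@v2
        with:
          languages: javascript

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2

      - name: Run npm audit
        # Advisory only: `|| true` keeps the job green on findings (and on a
        # missing lockfile). Raise the bar by dropping `|| true` once the
        # baseline is clean.
        run: |
          if [ -f package.json ]; then
            npm audit --audit-level moderate || true
          fi

      - name: Check for known vulnerabilities
        # Cheap grep heuristics. The original used `grep -r ... *.js *.json`,
        # whose shell globs only expand to top-level files, so -r never
        # recursed and every subdirectory was silently skipped. --include /
        # --exclude-dir restore the intended tree-wide scope; extend
        # --exclude-dir for vendored or built output (dist/, build/) if it
        # produces noise.
        run: |
          echo "Checking for common security issues..."
          # Check for hardcoded secrets
          # NOTE(review): `grep -v "//\|#"` also drops any line containing a
          # URL, so this is a smoke test, not a secret scanner.
          if grep -r --exclude-dir=node_modules --exclude-dir=.git --include='*.js' --include='*.json' "password\|secret\|key\|token" . 2>/dev/null | grep -v "//\|#" | grep -v "manifest\|package"; then
            echo "⚠️ Warning: Potential hardcoded secrets found"
          else
            echo "✅ No obvious hardcoded secrets found"
          fi
          # Check for eval usage (the only heuristic that fails the job)
          if grep -r --exclude-dir=node_modules --exclude-dir=.git --include='*.js' "eval(" . 2>/dev/null; then
            echo "❌ Security issue: eval() usage found"
            exit 1
          else
            echo "✅ No eval() usage found"
          fi
          # Check for innerHTML usage
          if grep -r --exclude-dir=node_modules --exclude-dir=.git --include='*.js' "innerHTML" . 2>/dev/null; then
            echo "⚠️ Warning: innerHTML usage found (potential XSS risk)"
          else
            echo "✅ No innerHTML usage found"
          fi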