From c80115d0f7e9f9375755f5a2ac2837fe04758d68 Mon Sep 17 00:00:00 2001 From: hicccc77 <98377878+hicccc77@users.noreply.github.com> Date: Fri, 27 Mar 2026 17:56:35 +0800 Subject: [PATCH 1/3] ci: add daily security scan workflow for all branches --- .github/workflows/security-scan.yml | 90 +++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 .github/workflows/security-scan.yml diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml new file mode 100644 index 0000000..2dd6947 --- /dev/null +++ b/.github/workflows/security-scan.yml @@ -0,0 +1,90 @@ +name: Security Scan + +on: + schedule: + - cron: '0 2 * * *' # 每天 UTC 02:00(北京时间 10:00) + workflow_dispatch: # 支持手动触发 + +jobs: + security-scan: + name: Security Scan (${{ matrix.branch }}) + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + branch: + - main + + steps: + - name: Checkout ${{ matrix.branch }} + uses: actions/checkout@v4 + with: + ref: ${{ matrix.branch }} + fetch-depth: 0 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: '20' + + - name: Install pnpm + uses: pnpm/action-setup@v3 + with: + version: 9 + + - name: Install dependencies + run: pnpm install --frozen-lockfile + + # 1. npm audit - 检查依赖漏洞 + - name: Dependency vulnerability audit + run: pnpm audit --audit-level=moderate + continue-on-error: true + + # 2. CodeQL 静态分析 + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: javascript, typescript + queries: security-and-quality + + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: '/language:javascript-typescript/branch:${{ matrix.branch }}' + + # 3. 密钥/敏感信息扫描 + - name: Secret scanning with Gitleaks + uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + continue-on-error: true + + # 动态获取所有分支并扫描(排除已在 matrix 中的) + scan-all-branches: + name: Scan additional branches + runs-on: ubuntu-latest + steps: + - name: Checkout repo + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: List all branches + id: branches + run: | + git branch -r | grep -v HEAD | sed 's|origin/||' | tr -d ' ' | while read branch; do + echo "Branch: $branch" + done + + - name: Run pnpm audit on all branches + run: | + git branch -r | grep -v HEAD | sed 's|origin/||' | tr -d ' ' | while read branch; do + echo "===== Auditing branch: $branch =====" + git checkout "$branch" 2>/dev/null || continue + pnpm install --frozen-lockfile --silent 2>/dev/null || npm install --silent 2>/dev/null || true + pnpm audit --audit-level=moderate 2>/dev/null || true + done + continue-on-error: true From bb60694013a5b7e6fd25148c13667939997480bf Mon Sep 17 00:00:00 2001 From: hicccc77 <98377878+hicccc77@users.noreply.github.com> Date: Fri, 27 Mar 2026 18:17:26 +0800 Subject: [PATCH 2/3] ci: fix pnpm install frozen-lockfile issue --- .github/workflows/security-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index 2dd6947..6e358c1 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -33,7 +33,7 @@ jobs: version: 9 - name: Install dependencies - run: pnpm install --frozen-lockfile + run: pnpm install --no-frozen-lockfile # 1. npm audit - 检查依赖漏洞 - name: Dependency vulnerability audit From da15f829d35705fa74bfbd3f94f0bb523b3d16b0 Mon Sep 17 00:00:00 2001 From: hicccc77 <98377878+hicccc77@users.noreply.github.com> Date: Fri, 27 Mar 2026 19:12:20 +0800 Subject: [PATCH 3/3] ci: add security-events write permission for CodeQL --- .github/workflows/security-scan.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index 6e358c1..82c328c 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -5,6 +5,11 @@ on: - cron: '0 2 * * *' # 每天 UTC 02:00(北京时间 10:00) workflow_dispatch: # 支持手动触发 +permissions: + contents: read + security-events: write + actions: read + jobs: security-scan: name: Security Scan (${{ matrix.branch }})