mirror of
https://github.com/hicccc77/WeFlow.git
synced 2026-04-02 23:15:59 +00:00
cc
GitHub
34
.github/workflows/security-scan.yml
vendored
34
.github/workflows/security-scan.yml
vendored
@@ -2,9 +2,9 @@ name: Security Scan
|
|||||||
|
|
||||||
on:
|
on:
|
||||||
schedule:
|
schedule:
|
||||||
- cron: '0 2 * * *' # 每天 UTC 02:00(北京时间 10:00)
|
- cron: '0 2 * * *' # 每天 UTC 02:00
|
||||||
workflow_dispatch: # 支持手动触发
|
workflow_dispatch: # 手动触发
|
||||||
pull_request: # 监控 PR
|
pull_request: # PR 时触发
|
||||||
branches: [ main, dev ]
|
branches: [ main, dev ]
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
@@ -33,18 +33,14 @@ jobs:
|
|||||||
uses: actions/setup-node@v4
|
uses: actions/setup-node@v4
|
||||||
with:
|
with:
|
||||||
node-version: '20'
|
node-version: '20'
|
||||||
|
cache: 'npm' # 使用 npm 缓存加速
|
||||||
- name: Install pnpm
|
|
||||||
uses: pnpm/action-setup@v3
|
|
||||||
with:
|
|
||||||
version: 9
|
|
||||||
|
|
||||||
- name: Install dependencies
|
- name: Install dependencies
|
||||||
run: pnpm install --frozen-lockfile --ignore-scripts
|
run: npm ci --ignore-scripts
|
||||||
|
|
||||||
# 1. npm audit - 检查依赖漏洞
|
# 1. npm audit - 检查依赖漏洞
|
||||||
- name: Dependency vulnerability audit
|
- name: Dependency vulnerability audit
|
||||||
run: pnpm audit --audit-level=moderate
|
run: npm audit --audit-level=moderate
|
||||||
continue-on-error: true
|
continue-on-error: true
|
||||||
|
|
||||||
# 2. CodeQL 静态分析
|
# 2. CodeQL 静态分析
|
||||||
@@ -69,7 +65,7 @@ jobs:
|
|||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
continue-on-error: true
|
continue-on-error: true
|
||||||
|
|
||||||
# 动态获取所有分支并扫描(排除已在 matrix 中的)
|
# 动态获取所有分支并扫描
|
||||||
scan-all-branches:
|
scan-all-branches:
|
||||||
name: Scan additional branches
|
name: Scan additional branches
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
@@ -79,19 +75,13 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
|
|
||||||
- name: List all branches
|
- name: Run npm audit on all branches
|
||||||
id: branches
|
|
||||||
run: |
|
|
||||||
git branch -r | grep -v HEAD | sed 's|origin/||' | tr -d ' ' | while read branch; do
|
|
||||||
echo "Branch: $branch"
|
|
||||||
done
|
|
||||||
|
|
||||||
- name: Run pnpm audit on all branches
|
|
||||||
run: |
|
run: |
|
||||||
git branch -r | grep -v HEAD | sed 's|origin/||' | tr -d ' ' | while read branch; do
|
git branch -r | grep -v HEAD | sed 's|origin/||' | tr -d ' ' | while read branch; do
|
||||||
echo "===== Auditing branch: $branch ====="
|
echo "===== Auditing branch: $branch ====="
|
||||||
git checkout "$branch" 2>/dev/null || continue
|
git checkout "$branch" 2>/dev/null || continue
|
||||||
pnpm install --frozen-lockfile --silent 2>/dev/null || npm install --silent 2>/dev/null || true
|
# 尝试安装并审计
|
||||||
pnpm audit --audit-level=moderate 2>/dev/null || true
|
npm ci --ignore-scripts --silent 2>/dev/null || npm install --ignore-scripts --silent 2>/dev/null || true
|
||||||
|
npm audit --audit-level=moderate 2>/dev/null || true
|
||||||
done
|
done
|
||||||
continue-on-error: true
|
continue-on-error: true
|
||||||
Reference in New Issue
Block a user