diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml
index 0478aad..bc2baa2 100644
--- a/.github/workflows/build-and-test.yaml
+++ b/.github/workflows/build-and-test.yaml
@@ -102,43 +102,6 @@ jobs:
 - name: Lint
 run: npm run lint
- trivy-scan:
- name: Security - Trivy Scan
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v4
- - name: Setup Node.js
- uses: actions/setup-node@v4
- with:
- node-version: ${{ inputs.node-version }}
- cache: 'npm'
- - name: Cache dependencies
- uses: actions/cache@v4
- id: node-modules-cache
- with:
- path: '**/node_modules'
- key: ${{ runner.os }}-modules-${{ hashFiles('**/package-lock.json') }}
- restore-keys: |
- ${{ runner.os }}-modules-
- - name: Install dependencies
- if: steps.node-modules-cache.outputs.cache-hit != 'true'
- run: npm ci
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
- with:
- scan-type: 'fs'
- scan-ref: '.'
- format: 'table'
- severity: 'CRITICAL,HIGH'
- exit-code: '1'
- ignore-unfixed: true
- scanners: 'vuln' # Only scan for vulnerabilities, not secrets
-
 fossa-scan:
 name: License - Fossa Scan
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
index c5d7f56..a9887da 100644
--- a/.github/workflows/pull_request.yaml
+++ b/.github/workflows/pull_request.yaml
@@ -18,6 +18,54 @@ jobs:
 secrets:
 fossa-api-key: ${{ secrets.FOSSA_API_KEY }}
+ check-dependency-changes:
+ name: Check for dependency changes
+ runs-on: ubuntu-latest
+ outputs:
+ deps-changed: ${{ steps.filter.outputs.deps }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Check for dependency file changes
+ id: filter
+ uses: dorny/paths-filter@v3
+ with:
+ filters: |
+ deps:
+ - 'package.json'
+ - 'package-lock.json'
+ - 'Dockerfile'
+
+ trivy-scan:
+ name: Security - Trivy Scan
+ needs: check-dependency-changes
+ if: needs.check-dependency-changes.outputs.deps-changed == 'true'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: '22.1.0'
+ cache: 'npm'
+
+ - name: Install dependencies
+ run: npm ci
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ format: 'table'
+ severity: 'CRITICAL,HIGH'
+ exit-code: '1'
+ ignore-unfixed: true
+ scanners: 'vuln'
+
 build-docker-image:
 name: Build the Docker Image
 runs-on: ubuntu-latest
diff --git a/.github/workflows/release-to-ghcr.yaml b/.github/workflows/release-to-ghcr.yaml
index beec42d..9f9e7b8 100644
--- a/.github/workflows/release-to-ghcr.yaml
+++ b/.github/workflows/release-to-ghcr.yaml
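Review bot: The `uses: dorny/paths-filter@v3` step that decides whether the Trivy job runs at all is pinned to a mutable tag, while the Trivy action in the next job is pinned to a full commit SHA with a version comment; since this third-party action's `deps` output is the only thing gating the vulnerability scan, pin it the same way, e.g. `uses: dorny/paths-filter@<commit-sha> # v3`. Gating on changes to package.json, package-lock.json and Dockerfile also means a PR that touches none of them will not surface newly published advisories against existing dependencies, so if the release workflow is meant to be the backstop, a comment on the `if:` line saying so would help the next reader. The `Dockerfile` entry in the filter triggers an `fs` scan of the checkout, which as far as I can tell does not examine the base image named in the Dockerfile, so that trigger needs an image scan or a `misconfig` scanner to be acted on. Finally, `node-version: '22.1.0'` here differs from `'22'` in release-to-ghcr.yaml and from the `inputs.node-version` the removed job used; using one value keeps the scanned dependency tree identical across workflows.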
@@ -128,9 +128,39 @@ jobs:
 VERSION: ${{ needs.get-context.outputs.new-version }}
 RELEASE_NOTES: ${{ steps.generate-notes.outputs.notes }}
+ trivy-scan:
+ name: Security - Trivy Scan
+ needs: [get-context]
+ if: ${{ needs.get-context.outputs.version-changed == 'true' }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.commit_sha || github.sha }}
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: '22'
+
+ - name: Install dependencies
+ run: npm ci
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ format: 'table'
+ severity: 'CRITICAL,HIGH'
+ exit-code: '1'
+ ignore-unfixed: true
+ scanners: 'vuln'
+
 build-and-push:
 name: Build and push image to GHCR
- needs: [get-context, create-release]
+ needs: [get-context, create-release, trivy-scan]
 if: ${{ needs.get-context.outputs.version-changed == 'true' }}
 runs-on: ubuntu-latest
 steps:
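Review bot: `trivy-scan` has `needs: [get-context]` only, so it runs in parallel with `create-release` rather than before it; when the scan fails, `build-and-push` is skipped but the GitHub release has already been created, leaving a published release with no image (unless create-release's own `needs`, which is outside this hunk, was changed as well). Adding `trivy-scan` to create-release's `needs` would make a failed scan block the release itself instead of only the image push. The scan also covers only the checked-out sources after `npm ci` (`scan-type: 'fs'`), so OS-package findings in the base image of the artifact build-and-push produces are never examined; an image scan between the build and the push step (the job's steps continue outside the hunk) would close that gap. The `ref:` expression falls back to `github.sha` when `commit_sha` is empty, but nothing in this hunk ties it to the ref build-and-push checks out, so confirm both jobs resolve the same commit.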