mirror of
https://github.com/prompt-security/clawsec.git
synced 2026-06-15 22:41:20 +03:00
dependabot[bot]
c5c812adc8
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.33.1 to 0.34.0. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](https://github.com/aquasecurity/trivy-action/compare/b6643a29fecd7f34b3597bc6acb0a98b03d33ff8...c1824fd6edce30d7ab345a9989de00bbd46ef284) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-version: 0.34.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
101 lines
3.2 KiB
YAML
101 lines
3.2 KiB
YAML
name: CI
|
|
|
|
on:
|
|
pull_request:
|
|
branches: [main]
|
|
push:
|
|
branches: [main]
|
|
|
|
permissions: read-all
|
|
|
|
jobs:
|
|
lint-typescript:
|
|
name: Lint TypeScript/React
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
|
|
with:
|
|
node-version: '20'
|
|
cache: 'npm'
|
|
- run: npm ci
|
|
- name: ESLint
|
|
run: npx eslint . --ext .ts,.tsx,.js,.jsx,.mjs --max-warnings 0
|
|
- name: TypeScript Check
|
|
run: npx tsc --noEmit
|
|
- name: Build Check
|
|
run: npm run build
|
|
|
|
lint-python:
|
|
name: Lint Python
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
|
|
with:
|
|
python-version: '3.12'
|
|
- name: Ruff (lint + format check)
|
|
run: pipx run --spec "ruff==0.6.9" ruff check utils/ --output-format=github
|
|
- name: Bandit (security)
|
|
run: pipx run --spec "bandit==1.7.9" bandit -r utils/ -ll
|
|
|
|
lint-shell:
|
|
name: Lint Shell Scripts
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- name: ShellCheck
|
|
uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
|
|
with:
|
|
scandir: './scripts'
|
|
severity: warning
|
|
|
|
security-scan:
|
|
name: Security Scan
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- name: Trivy FS Scan
|
|
uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
|
|
with:
|
|
scan-type: 'fs'
|
|
scan-ref: '.'
|
|
severity: 'CRITICAL,HIGH'
|
|
exit-code: '1'
|
|
ignore-unfixed: true
|
|
- name: Trivy Config Scan
|
|
uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
|
|
with:
|
|
scan-type: 'config'
|
|
scan-ref: '.'
|
|
severity: 'CRITICAL,HIGH'
|
|
exit-code: '1'
|
|
|
|
dependency-audit:
|
|
name: Dependency Audit
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
|
|
with:
|
|
node-version: '20'
|
|
cache: 'npm'
|
|
- run: npm ci
|
|
- name: npm audit
|
|
run: npm audit --audit-level=high --registry=https://registry.npmjs.org
|
|
- name: Check for outdated deps
|
|
run: npm outdated || true
|
|
|
|
clawsec-suite-tests:
|
|
name: ClawSec Suite Verification Tests
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
|
|
with:
|
|
node-version: '20'
|
|
- name: Feed Verification Tests
|
|
run: node skills/clawsec-suite/test/feed_verification.test.mjs
|
|
- name: Guarded Install Tests
|
|
run: node skills/clawsec-suite/test/guarded_install.test.mjs
|