mirror of
https://github.com/prompt-security/clawsec.git
synced 2026-06-13 05:28:02 +03:00
dependabot[bot]
d23f1f9612
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from e368e328979b113139d6f9068e03accaed98a518 to ed142fd0673e97e23eac54620cfb913e5ce36c25. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](https://github.com/aquasecurity/trivy-action/compare/e368e328979b113139d6f9068e03accaed98a518...ed142fd0673e97e23eac54620cfb913e5ce36c25) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-version: 264c9c5e188ea085e7377fd77abd17bfbd4e5926 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
137 lines
4.7 KiB
YAML
137 lines
4.7 KiB
YAML
name: CI
|
|
|
|
on:
|
|
pull_request:
|
|
branches: [main]
|
|
workflow_dispatch:
|
|
|
|
permissions: read-all
|
|
|
|
jobs:
|
|
lint-typescript:
|
|
name: Lint TypeScript/React (${{ matrix.os }})
|
|
runs-on: ${{ matrix.os }}
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os:
|
|
- ubuntu-latest
|
|
- macos-latest
|
|
- windows-latest
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
|
|
with:
|
|
node-version: '20'
|
|
cache: 'npm'
|
|
- run: npm ci
|
|
- name: ESLint
|
|
run: npx eslint . --ext .ts,.tsx,.js,.jsx,.mjs --max-warnings 0
|
|
- name: TypeScript Check
|
|
run: npx tsc --noEmit
|
|
- name: Build Check
|
|
if: matrix.os == 'ubuntu-latest'
|
|
run: npm run build
|
|
|
|
lint-python:
|
|
name: Lint Python
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
|
|
with:
|
|
python-version: '3.12'
|
|
- name: Ruff (lint + format check)
|
|
run: pipx run --spec "ruff==0.6.9" ruff check utils/ --output-format=github
|
|
- name: Bandit (security)
|
|
run: pipx run --spec "bandit==1.7.9" bandit -r utils/ -ll
|
|
|
|
lint-shell:
|
|
name: Lint Shell Scripts
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- name: ShellCheck
|
|
uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
|
|
with:
|
|
scandir: './scripts'
|
|
severity: warning
|
|
|
|
security-scan:
|
|
name: Security Scan
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- name: Trivy FS Scan
|
|
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.34.1
|
|
with:
|
|
scan-type: 'fs'
|
|
scan-ref: '.'
|
|
severity: 'CRITICAL,HIGH'
|
|
exit-code: '1'
|
|
ignore-unfixed: true
|
|
- name: Trivy Config Scan
|
|
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.34.1
|
|
with:
|
|
scan-type: 'config'
|
|
scan-ref: '.'
|
|
severity: 'CRITICAL,HIGH'
|
|
exit-code: '1'
|
|
|
|
dependency-audit:
|
|
name: Dependency Audit
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
|
|
with:
|
|
node-version: '20'
|
|
cache: 'npm'
|
|
- run: npm ci
|
|
- name: npm audit
|
|
run: npm audit --audit-level=high --registry=https://registry.npmjs.org
|
|
- name: Check for outdated deps
|
|
run: npm outdated || true
|
|
|
|
clawsec-suite-tests:
|
|
name: ClawSec Suite Verification Tests
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
|
|
with:
|
|
node-version: '20'
|
|
cache: 'npm'
|
|
- run: npm ci
|
|
- name: Feed Verification Tests
|
|
run: node skills/clawsec-suite/test/feed_verification.test.mjs
|
|
- name: Guarded Install Tests
|
|
run: node skills/clawsec-suite/test/guarded_install.test.mjs
|
|
- name: Advisory Suppression Tests
|
|
run: node skills/clawsec-suite/test/advisory_suppression.test.mjs
|
|
- name: Path Resolution Tests
|
|
run: node skills/clawsec-suite/test/path_resolution.test.mjs
|
|
- name: Fuzz Property Tests
|
|
run: node skills/clawsec-suite/test/fuzz_properties.test.mjs
|
|
- name: Semver/Scope/Suppression Fuzz Tests
|
|
run: node skills/clawsec-suite/test/fuzz_semver_scope_suppression.test.mjs
|
|
- name: Advisory Application Scope Tests
|
|
run: node skills/clawsec-suite/test/advisory_application_scope.test.mjs
|
|
|
|
openclaw-audit-watchdog-tests:
|
|
name: OpenClaw Audit Watchdog Tests
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
|
|
with:
|
|
node-version: '20'
|
|
cache: 'npm'
|
|
- run: npm ci
|
|
- name: Suppression Config Tests
|
|
run: node skills/openclaw-audit-watchdog/test/suppression_config.test.mjs
|
|
- name: Suppression Config Fuzz Tests
|
|
run: node skills/openclaw-audit-watchdog/test/suppression_config_fuzz.test.mjs
|
|
- name: Render Report Suppression Tests
|
|
run: node skills/openclaw-audit-watchdog/test/render_report_suppression.test.mjs
|