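# CI for pushes and pull requests targeting main: lint (TypeScript/React,
# Python, shell), Trivy filesystem and config scans, and an npm audit.
name: CI

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

# Least privilege: no job below writes to the repository, so the workflow
# token is restricted to read-only access to repository contents.
permissions:
  contents: read

jobs:
  lint-typescript:
    name: Lint TypeScript/React
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step needs git credentials; keep the token out of
          # the checked-out .git/config.
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'
      # npm ci installs exactly what package-lock.json records.
      - run: npm ci
      - name: ESLint
        # --max-warnings 0 makes any lint warning fail the job.
        run: npx eslint . --ext .ts,.tsx,.js,.jsx,.mjs --max-warnings 0
      - name: TypeScript Check
        run: npx tsc --noEmit
      - name: Build Check
        run: npm run build

  lint-python:
    name: Lint Python
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - name: Install linters
        # NOTE(review): ruff and bandit are installed unpinned, so each run
        # takes whatever PyPI currently serves. Pin versions (ideally with
        # hashes in a requirements file) for reproducible, reviewable runs.
        run: pip install ruff bandit
      - name: Ruff (lint + format check)
        # NOTE(review): only `ruff check` runs here; the format check named
        # in the step title would need `ruff format --check utils/`.
        run: ruff check utils/ --output-format=github
      - name: Bandit (security)
        # -ll reports findings of medium severity and above only.
        run: bandit -r utils/ -ll

  lint-shell:
    name: Lint Shell Scripts
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: ShellCheck
        # NOTE(review): @master is a mutable branch ref, so the code that
        # runs can change without any change to this file. Pin third-party
        # actions to a reviewed full commit SHA.
        uses: ludeeus/action-shellcheck@master
        with:
          scandir: './scripts'
          severity: warning

  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Trivy FS Scan
        # NOTE(review): @master is a mutable branch ref; pin this action to
        # a reviewed full commit SHA (applies to both Trivy steps).
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          severity: 'CRITICAL,HIGH'
          # Fail the job when a finding at the listed severities exists.
          exit-code: '1'
          # Skip vulnerabilities that have no fixed version available.
          ignore-unfixed: true
      - name: Trivy Config Scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'config'
          scan-ref: '.'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

  dependency-audit:
    name: Dependency Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'
      - run: npm ci
      - name: npm audit
        # Fails on advisories of high severity or above; the registry is
        # set explicitly so the audit always queries the public npm registry.
        run: npm audit --audit-level=high --registry=https://registry.npmjs.org
      - name: Check for outdated deps
        # Informational only: `|| true` keeps outdated packages from
        # failing the job.
        run: npm outdated || true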