Skip to content
CI/Security

[StepSecurity] Apply security best practices (#63) #4

Sign in to view logs

[StepSecurity] Apply security best practices (#63)

[StepSecurity] Apply security best practices (#63) #4

Workflow file for this run

.github/workflows/security.yml at 89001ab
name: 'CI/Security'
on:
schedule:
- cron: '33 3 * * 1'
push:
branches: ['dev']
paths-ignore:
- '*.md'
- '.*ignore'
pull_request:
branches: ['dev']
paths-ignore:
- '*.md'
- '.*ignore'
permissions: read-all
jobs:
codeql:
name: 'CodeQL analysis'
runs-on: ubuntu-latest
permissions:
security-events: write
strategy:
fail-fast: false
matrix:
language: ['javascript', 'typescript']
steps:
- name: 'Harden Runner'
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- name: 'Checkout'
uses: actions/checkout@v4
- name: 'Setup CodeQL'
uses: github/codeql-action/init@v3
with:
languages: '${{ matrix.language }}'
- name: 'Run analysis'
uses: github/codeql-action/analyze@v3
with:
category: '/language:${{matrix.language}}'
scoreboard:
name: 'Scorecard analysis'
runs-on: ubuntu-latest
permissions:
security-events: write
id-token: write
steps:
- name: 'Harden Runner'
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- name: 'Checkout'
uses: actions/checkout@v4
with:
persist-credentials: false
- name: 'Run analysis'
uses: ossf/[email protected]
with:
results_file: results.sarif
results_format: sarif
publish_results: true
- name: 'Upload artifact'
uses: actions/upload-artifact@v4
with:
name: SARIF file
path: results.sarif
retention-days: 5
- name: 'Upload to code-scanning'
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif