platform/blackroad-os-web
9
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2e4f77b2339c81283f6eb90798feaf45ee1c62c4
blackroad-os-web/.github/workflows/security-scan.yml
Your Name 64c51ba295 fix: Pin all GitHub Actions to full commit SHAs (13 files) 
Security compliance - SHA pinning for all actions.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-02-14 23:01:02 -06:00

56 lines
1.4 KiB
YAML
Raw Blame History

name: 🔒 Security Scan
on:
push:
branches: [main, master, dev]
pull_request:
branches: [main, master]
schedule:
- cron: '0 0 * * 0'
workflow_dispatch:
permissions:
contents: read
security-events: write
actions: read
jobs:
codeql:
name: CodeQL Analysis
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
language: ['javascript', 'typescript', 'python']
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Initialize CodeQL
uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f
with:
languages: ${{ matrix.language }}
- name: Autobuild
uses: github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f
dependency-scan:
name: Dependency Scan
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Run npm audit
if: hashFiles('package.json') != ''
run: npm audit --audit-level=moderate || true
- name: Dependency Review
uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3571e89a4315193b17
if: github.event_name == 'pull_request'
Reference in New Issue View Git Blame Copy Permalink