update workflow and readme
parent
4057517676
commit
ee7c1c52d3
@ -1,23 +0,0 @@
name: Code Review - TypeScript
on:
pull_request:
branches: ['main']
push:
jobs:
semgrep:
name: Code Scan
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep
if: (github.actor != 'dependabot[bot]')
steps:
- name: Checkout code
uses: actions/checkout@v3
- run: semgrep ci --exclude 'public/charting_library'
env:
SEMGREP_RULES: p/typescript
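Review bot: deleting this file drops the `if: (github.actor != 'dependabot[bot]')` guard that sat on the `semgrep` job here, and the recreated `semgrep` job in the other workflow does not carry it (only the `sca` job there keeps the guard), so Semgrep will now also run on Dependabot pushes and pull requests; if that is intended, fine, otherwise put the guard back on the new `semgrep` job. Also check that any branch-protection required check keyed to this workflow's `Code Scan` job is re-pointed, since the job now reports under a different workflow name.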
@ -1,4 +1,4 @@
name: Dependency Security Scan
name: Code Review
on:
pull_request:
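Review bot: renaming the workflow from `Dependency Security Scan` to `Code Review`, in the same commit that deletes `Code Review - TypeScript`, changes the names under which these checks report; any branch protection rule that requires the old check names should be updated alongside this change, because a required check that never reports again stays pending and blocks merges.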
@ -6,10 +6,42 @@ on:
push:
jobs:
trivy:
build:
name: Build
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Setup node
uses: actions/setup-node@v3
with:
node-version: '18.x'
registry-url: 'https://registry.npmjs.org'
# use yarn setup to include allow-script config
- name: Run yarn setup
run: yarn setup
- name: Run build
run: yarn build
semgrep:
name: Code Scan
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep
steps:
- name: Checkout code
uses: actions/checkout@v3
- run: semgrep ci --exclude 'public/charting_library'
env:
SEMGREP_RULES: p/typescript
sca:
name: Dependency Scan
runs-on: ubuntu-latest
if: (github.actor != 'dependabot[bot]')
steps:
- name: Checkout code
uses: actions/checkout@v3
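Review bot: the Dependabot guard now sits only on `sca` (`if: (github.actor != 'dependabot[bot]')`), while the new `build` and `semgrep` jobs run for every actor; that differs from the deleted workflow, where `semgrep` carried the guard, so decide explicitly which jobs should skip Dependabot and record the reason in a comment. Two supply-chain points in the same hunk: `container: image: returntocorp/semgrep` has no tag or digest, so the scanner version floats with whatever the registry serves as `latest`, and `actions/checkout@v3` / `actions/setup-node@v3` are pinned only to mutable major tags; pin the image to a digest and the actions to a full commit SHA (keeping the tag in a trailing comment) so the pipeline cannot change from outside this repository. Running `yarn setup` in `build` is the right way to enforce the `allow-scripts` policy in CI and matches what the README describes.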
@ -21,7 +53,6 @@ jobs:
scan-type: 'fs'
ignore-unfixed: true
hide-progress: true
security-checks: 'vuln' # disable secrets scanning until public
format: 'table'
# Fail the job on critical vulnerabiliies with fix available
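Review bot: this hunk goes from 7 lines to 6, and the line that appears to be dropped is `# Fail the job on critical vulnerabiliies with fix available`; since `ignore-unfixed: true` together with `severity: 'CRITICAL'` and `exit-code: '1'` still does exactly that, the comment is worth keeping (with "vulnerabilities" spelled correctly) so readers of the workflow know that unfixed criticals are deliberately not failing the job. `security-checks: 'vuln' # disable secrets scanning until public` also deserves a tracking issue, because the condition is about repository visibility rather than the code, and the setting should be widened to include secret scanning (Trivy takes a comma-separated list) once the repository is public.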
@ -34,4 +65,4 @@ jobs:
security-checks: 'vuln' # disable secrets scanning until public
format: 'table'
severity: 'CRITICAL'
exit-code: '1'
exit-code: '1'
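Review bot: the two `exit-code: '1'` lines render identically here, so this hunk is most likely a whitespace-only change (trailing space or line ending); confirm that only one `exit-code` key remains in the `with:` block, because a duplicated key is handled differently by different YAML parsers (some keep the last value, some reject the file) and would mask a real edit. Separately, `severity: 'CRITICAL'` means HIGH findings are printed in the table but never fail the job; if that threshold is intentional, say so in a comment next to the key.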
13
README.md
@ -1,5 +1,18 @@
This is a [Next.js](https://nextjs.org/) project bootstrapped with [`create-next-app`](https://github.com/vercel/next.js/tree/canary/packages/create-next-app).
## Working with dependencies
Whenever you change dependencies (adding, removing, or updating), there are various files that must be kept up-to-date. Newly added, or updated dependencies, can introduce unwanted scripts that runs unknowingly, that could introduce risks for users and/or developers. The `lavamoat allow-scripts` feature allows us to control this with a zero trust approach, but adds some additional steps to the usual workflow.
`yarn.lock`:
- Instead of running `yarn` or `yarn install`, run `yarn setup` to ensure the `yarn.lock` file is in sync and that the dependency scripts are run according to the `allow-script` policy (set in `packages.json`)
The `allow-scripts` configuration in `package.json`:
- Run `yarn allow-scripts auto` to update the `allow-scripts` configuration automatically. This config determines whether the package's install/postinstall scripts are allowed to run.
- Alternatively update the allow-scripts section manually.
- Review each new package to determine whether the install script needs to run or not, testing if necessary.
- Use `npx can-i-ignore-scripts` to help assessing whether scripts are needed
## Getting Started
First, run the development server:
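Review bot: the new section says the allow-scripts policy is set in `packages.json` while the following heading correctly names `package.json`; make these consistent, since the policy lives in `package.json`. Likewise `allow-script policy` should read `allow-scripts`, matching the `lavamoat allow-scripts` feature and the `yarn allow-scripts auto` command used later. Minor grammar in the intro: "scripts that runs unknowingly, that could introduce risks" reads better as "scripts that run unnoticed and could put users or developers at risk". It would also help to state the guarantee the section is describing: because `allow-scripts` refuses to run lifecycle scripts for packages missing from the policy, and the CI `build` job runs `yarn setup`, a newly added package with an unreviewed install script fails the pipeline instead of running silently.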