update workflow and readme

2023-01-25 23:05:57 +00:00 · 2023-01-25 23:05:57 +00:00 · ee7c1c52d3
parent 4057517676
commit ee7c1c52d3
3 changed files with 49 additions and 28 deletions
--- a/.github/workflows/ci-code-review-ts.yml
+++ b/.github/workflows/ci-code-review-ts.yml
@ -1,23 +0,0 @@
-name: Code Review - TypeScript
-
-on:
-  pull_request: 
-    branches: ['main']
-  push:
-
-jobs:
-  semgrep:
-    name: Code Scan
-    runs-on: ubuntu-latest
-    container:
-      image: returntocorp/semgrep
-
-    if: (github.actor != 'dependabot[bot]')
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - run: semgrep ci --exclude 'public/charting_library'
-        env:
-           SEMGREP_RULES: p/typescript
--- a/.github/workflows/ci-dependency-scan.yml
+++ b/.github/workflows/ci-dependency-scan.yml
@ -1,4 +1,4 @@
-name: Dependency Security Scan
+name: Code Review

 on:
  pull_request: 
@ -6,10 +6,42 @@ on:
  push:

 jobs:
-  trivy:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Setup node
+        uses: actions/setup-node@v3
+        with:
+          node-version: '18.x'
+          registry-url: 'https://registry.npmjs.org'
+
+      # use yarn setup to include allow-script config
+      - name: Run yarn setup
+        run: yarn setup
+
+      - name: Run build
+        run: yarn build
+
+  semgrep:
+    name: Code Scan
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - run: semgrep ci --exclude 'public/charting_library'
+        env:
+           SEMGREP_RULES: p/typescript
+  
+  sca:
    name: Dependency Scan
    runs-on: ubuntu-latest
-    if: (github.actor != 'dependabot[bot]')
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
@ -21,7 +53,6 @@ jobs:
          scan-type: 'fs'
          ignore-unfixed: true
          hide-progress: true
-          security-checks: 'vuln' # disable secrets scanning until public
          format: 'table'
          
      # Fail the job on critical vulnerabiliies with fix available
--- a/README.md
+++ b/README.md
@ -1,5 +1,18 @@
 This is a [Next.js](https://nextjs.org/) project bootstrapped with [`create-next-app`](https://github.com/vercel/next.js/tree/canary/packages/create-next-app).

+## Working with dependencies
+Whenever you change dependencies (adding, removing, or updating), there are various files that must be kept up-to-date. Newly added, or updated dependencies, can introduce unwanted scripts that runs unknowingly, that could introduce risks for users and/or developers. The `lavamoat allow-scripts` feature allows us to control this with a zero trust approach, but adds some additional steps to the usual workflow.
+
+`yarn.lock`:
+- Instead of running `yarn` or `yarn install`, run `yarn setup` to ensure the `yarn.lock` file is in sync and that the dependency scripts are run according to the `allow-script` policy (set in `packages.json`)
+
+The `allow-scripts` configuration in `package.json`:
+- Run `yarn allow-scripts auto` to update the `allow-scripts` configuration automatically. This config determines whether the package's install/postinstall scripts are allowed to run.
+- Alternatively update the allow-scripts section manually.
+- Review each new package to determine whether the install script needs to run or not, testing if necessary.
+- Use `npx can-i-ignore-scripts` to help assessing whether scripts are needed
+
+
 ## Getting Started

 First, run the development server: