NodeSecure/ci-action
NodeSecure CI Action


@nodesecure/ci brings together a set of tools to identify dependency vulnerabilities and to track the most common malicious code patterns.

Please refer to the @nodesecure/ci documentation to see more about the project.

Usage

Add to an existing Workflow

Simply add this action to your workflow:

```yaml
uses: NodeSecure/ci-action@177c57fe32c75cafabe87f6e4515d277cc37ae6c #1.4.1
```

Add a new dedicated Workflow

Here's a sample complete workflow you can add to your repositories:

.github/workflows/nodesecure.yml

```yaml
name: "NodeSecure Continuous Integration"
on: [push]
jobs:
  validation:
    name: "Analysis"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: NodeSecure/ci-action@177c57fe32c75cafabe87f6e4515d277cc37ae6c #1.4.1
        with:
          strategy: npm
          vulnerabilities: medium
          warnings: off
          reporters: console
```

If your repository has no package-lock.json, the dependencies must be installed with your package manager before the action runs:

```yaml
name: "NodeSecure Continuous Integration"
on: [push]
jobs:
  validation:
    name: "Analysis"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Use Node.js 18
        uses: actions/setup-node@v3
        with:
          node-version: 18
      - name: install dependencies
        run: npm install
      - uses: NodeSecure/ci-action@177c57fe32c75cafabe87f6e4515d277cc37ae6c #1.4.1
        with:
          strategy: npm
          vulnerabilities: medium
          warnings: off
          reporters: console
```

Securing your workflow

You probably want to ensure your GitHub Actions are pinned to a SHA.

Referencing actions by commit hash ensures that, if an action is compromised or subjected to a dependency confusion attack, your workflow does not pick up the malicious version. Combined with applying the principle of least privilege to each action in the workflow, this makes it harder for anyone who hijacks an action to gain broad access to your repository.

We recommend using https://app.stepsecurity.io/ to secure your workflows (it can generate a pull request and do the heavy lifting for you).
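As an added, defender-side example that is not part of the NodeSecure/ci-action project, the POSIX shell script below scans a workflow file for `uses:` references that are not pinned to a full 40-character commit SHA, which is the check the paragraph above recommends. The sample workflow it scans is constructed inline from the README's own snippets; the function names and the regular expressions are my own assumptions, not anything the project ships.

```shell
#!/bin/sh
# Added example, not part of the NodeSecure/ci-action project: scan a GitHub Actions
# workflow file for `uses:` references that are not pinned to a full 40-hex commit SHA.
# Tags (@v3) and branches (@main) are mutable and are reported; local actions (./...)
# and docker:// images are skipped because a commit SHA does not apply to them.

# Print every mutable `uses:` reference found in the workflow file given as $1.
# Quotes around the value and a trailing "# comment" are stripped before the check.
list_unpinned_actions() {
  grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
    | sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]+#.*$//; s/^["'"'"']//; s/["'"'"']$//' \
    | grep -Ev '^(\./|docker://)' \
    | grep -Ev '@[0-9a-f]{40}$' || true
}

# Report the result for one workflow file; returns 1 when any reference is mutable,
# so the function can gate a pre-commit hook or a CI job.
check_workflow() {
  unpinned="$(list_unpinned_actions "$1")"
  if [ -n "$unpinned" ]; then
    printf 'Unpinned action references in %s:\n' "$1"
    printf '%s\n' "$unpinned" | sed 's/^/  /'
    return 1
  fi
  printf 'All action references in %s are pinned to a commit SHA.\n' "$1"
  return 0
}

# Constructed sample workflow (assumption: mirrors the README's examples, with two
# tag-pinned actions, one local action and the SHA-pinned NodeSecure step).
SAMPLE_WORKFLOW="$(mktemp)"
trap 'rm -f "$SAMPLE_WORKFLOW"' EXIT
cat > "$SAMPLE_WORKFLOW" <<'EOF'
name: "NodeSecure Continuous Integration"
on: [push]
jobs:
  validation:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: "actions/setup-node@v3"
      - uses: ./.github/actions/local-helper
      - uses: NodeSecure/ci-action@177c57fe32c75cafabe87f6e4515d277cc37ae6c #1.4.1
EOF

# For the sample above this reports actions/checkout@v3 and actions/setup-node@v3
# and takes the else branch.
if check_workflow "$SAMPLE_WORKFLOW"; then
  echo "ok: every action is pinned"
else
  echo "pin the references above to a commit SHA before merging"
fi
```

To use it on a real repository, call `check_workflow .github/workflows/nodesecure.yml` (or loop over `.github/workflows/*.yml`) from a pre-commit hook or a CI step; a non-zero exit blocks the change until every reference is pinned. The check is deliberately line-based rather than a YAML parse so it has no dependencies beyond grep and sed.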

It is also a good practice to let Dependabot keep the actions in your workflows up to date:

```yaml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
```

Contributors ✨


Thanks goes to these wonderful people (emoji key):

License

MIT

About

The official GitHub action of the @nodesecure/ci package
