
ci: add security scanning workflow (npm audit, Trivy, SBOM) #63

Open

dogukandemirci-software-engineer wants to merge 1 commit into hepsiburada:master from dogukandemirci-software-engineer:ci/add-security-scanning

Conversation

@dogukandemirci-software-engineer


What

This PR introduces a dedicated security.yml GitHub Actions workflow that adds three security gates currently absent from the project.

Why

The repository currently has no CI at all. Without automated dependency scanning, HIGH/CRITICAL CVEs in npm packages can silently reach production. This is a minimal, non-breaking addition that brings the project in line with supply-chain security best practices.

Changes

.github/workflows/security.yml — three parallel jobs:

| Job | Tool | Purpose |
|---|---|---|
| npm-audit | npm audit | Fail on HIGH/CRITICAL severity npm dependency vulnerabilities |
| trivy-fs | Trivy 0.28 | Filesystem scan; results uploaded as SARIF to the GitHub Security tab |
| sbom | Trivy (CycloneDX) | Generate a Software Bill of Materials artifact retained for 90 days |

.trivy.yaml — Trivy config that skips node_modules/, dist/, and coverage/ to keep results focused on source-level findings.

Trigger schedule: runs on every push/PR and weekly (Monday 08:00 UTC) so newly published CVEs are caught between releases.

Test plan

  • Workflow syntax validated locally
  • npm audit --audit-level=high exits 0 on current lockfile
  • Trivy scan completes without blocking HIGH/CRITICAL findings
  • SBOM artifact is generated and downloadable from the Actions run

Introduces a dedicated security.yml GitHub Actions workflow with three
security gates that were previously absent from the project:

- npm-audit: runs `npm audit --audit-level=high` to catch HIGH/CRITICAL
  vulnerabilities in JavaScript dependencies
- trivy-fs: Trivy filesystem scan for HIGH/CRITICAL CVEs; results are
  uploaded as SARIF to the GitHub Security tab for triage
- sbom: generates a CycloneDX Software Bill of Materials artifact
  retained for 90 days for supply-chain compliance

Adds .trivy.yaml to skip node_modules, dist, and coverage directories
so scan output stays focused on source-level findings.

The workflow triggers on push/PR and on a weekly cron schedule so that
newly disclosed CVEs are caught between releases.
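The workflow file itself is not reproduced on this page. The block below is an added example of how the three jobs the PR describes (npm-audit, trivy-fs with SARIF upload, CycloneDX SBOM retained for 90 days) and the push/PR/weekly-cron triggers fit together in one GitHub Actions workflow; it is not the PR's actual security.yml. It assumes actions/checkout, actions/setup-node, aquasecurity/trivy-action and github/codeql-action at the tags shown, Node 20, and that "Trivy 0.28" in the PR refers to trivy-action 0.28.0; the branch name master and the Monday 08:00 UTC schedule come from the PR.

```yaml
# .github/workflows/security.yml (added example, not the PR's own file)
name: security

on:
  push:
    branches: [master]
  pull_request:
  schedule:
    - cron: '0 8 * * 1'   # Mondays 08:00 UTC, so newly published CVEs are caught between releases

# Default to read-only; only the job that uploads SARIF gets security-events: write
permissions:
  contents: read

jobs:
  npm-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20        # assumption; pick the version the project builds with
          cache: npm
      # --ignore-scripts keeps dependency lifecycle scripts from running during install
      - run: npm ci --ignore-scripts
      # Exit non-zero (and fail the job) on HIGH or CRITICAL advisories in the lockfile
      - run: npm audit --audit-level=high

  trivy-fs:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write    # required by upload-sarif
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          trivy-config: .trivy.yaml   # skip-dirs for node_modules/, dist/, coverage/
          severity: HIGH,CRITICAL
          format: sarif
          output: trivy-results.sarif
          exit-code: '1'              # block the PR on HIGH/CRITICAL findings
      # always() so findings still reach the Security tab when the scan step fails
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: trivy-results.sarif

  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          format: cyclonedx
          output: sbom.cdx.json
      - uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.cdx.json
          retention-days: 90
```

The companion .trivy.yaml the PR mentions only needs `skip-dirs: [node_modules, dist, coverage]`; Trivy reads it automatically when `trivy-config` points at it. Two things a reviewer of such a workflow would check: the action references above are tags, and a CI workflow that gates merges is itself supply chain, so pinning each `uses:` to a full commit SHA removes the risk of a moved tag; and `exit-code: '1'` means the trivy-fs job fails on unfixed findings too, so teams that want to gate only on fixable CVEs add `ignore-unfixed: true` and accept that unfixed ones then surface only in the Security tab.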
