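--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,26 @@
+version: 2
+updates:
+# Application dependencies. Production and development updates are grouped
+# separately so security-relevant runtime bumps are easy to review on their own.
+- package-ecosystem: npm
+directory: '/'
+schedule:
+interval: weekly
+open-pull-requests-limit: 10
+groups:
+production-dependencies:
+dependency-type: production
+development-dependencies:
+dependency-type: development
+
+# Keep CI action versions current and patched.
+- package-ecosystem: github-actions
+directory: '/'
+schedule:
+interval: weekly
+
+# Keep the pinned base-image digest in the Dockerfile fresh.
+- package-ecosystem: docker
+directory: '/'
+schedule:
+interval: weekly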
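Review bot: The comment on the npm entry promises that security-relevant bumps are "easy to review on their own", but the `groups` block below it configures version updates, and Dependabot's grouping applies to version updates unless a group sets `applies-to: security-updates`; security updates (when enabled in the repository settings) arrive on their own schedule and are not affected by this stanza. I would reword the comment so a maintainer does not expect this file to control security PRs: `# Version updates are grouped by dependency type; Dependabot security updates (enabled in repo settings) are opened separately and are not shaped by these groups.` If the intent really is to batch security fixes for production code, that needs its own group with `applies-to: security-updates`, which I would confirm against the Dependabot docs before adding. The `docker` entry's comment assumes the Dockerfile is pinned by digest at the repo root; that is not visible here, so worth confirming the path and the pin are actually in place.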
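--- /dev/null
+++ b/.github/workflows/security.yaml
@@ -0,0 +1,49 @@
+name: Security
+
+on:
+pull_request:
+push:
+branches:
+- main
+schedule:
+# Weekly, so advisories on unchanged code are still surfaced.
+- cron: '0 6 * * 1'
+
+permissions:
+contents: read
+
+jobs:
+npm-audit:
+name: npm audit
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+- uses: actions/setup-node@v4
+with:
+node-version: '20'
+- run: npm ci
+# Hard gate: fail on critical advisories in what actually ships (prod deps).
+- name: Audit production dependencies (gate on critical)
+run: npm audit --omit=dev --audit-level=critical
+# Informational: surface the full picture (incl. dev tooling) without blocking.
+- name: Full audit (informational)
+run: npm audit || true
+
+sbom:
+name: SBOM
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+- name: Generate CycloneDX SBOM
+continue-on-error: true
+uses: anchore/sbom-action@v0
+with:
+path: .
+format: cyclonedx-json
+output-file: sbom.cyclonedx.json
+- name: Upload SBOM artifact
+continue-on-error: true
+uses: actions/upload-artifact@v4
+with:
+name: sbom
+path: sbom.cyclonedx.json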
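Review bot: Every third-party action in this workflow is referenced by a mutable tag (`actions/checkout@v4`, `actions/setup-node@v4`, `anchore/sbom-action@v0`, `actions/upload-artifact@v4`), so a workflow whose purpose is supply-chain hygiene is itself exposed to a retagged or compromised action release; `@v0` on the SBOM action is the widest of these since a major-zero tag tracks arbitrary changes. Since the same PR enables the `github-actions` Dependabot ecosystem, pinning to a full commit SHA with the version in a trailing comment costs nothing to maintain: `- uses: actions/checkout@<full-commit-sha>  # v4` (placeholder; resolve the SHA from the action's release). Separately, both steps of the `sbom` job carry `continue-on-error: true`, so the job is green even when no SBOM was produced or uploaded; if that is deliberate best-effort, a comment such as `# Best effort: a missing SBOM must not block the audit signal above.` would make the intent clear, otherwise drop the flag from the upload step so a missing artifact is visible.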