NodeSecure Continuous Integration

Pipeline of tools that identify dependencies vulnerabilities and track malicious code
v1.4.1

NodeSecure CI Action

@nodesecure/ci brings together a set of tools to identify dependency vulnerabilities and to track the most common malicious code and patterns.

Please refer to the @nodesecure/ci documentation to see more about the project.

Usage

Add to an existing Workflow

Simply add this action as a step in your workflow:

uses: NodeSecure/ci-action@177c57fe32c75cafabe87f6e4515d277cc37ae6c #1.4.1

Add a new dedicated Workflow

Here's a sample complete workflow you can add to your repositories:

.github/workflows/nodesecure.yml

name: "NodeSecure Continuous Integration"
on: [push]

jobs:
  validation:
    name: "Analysis"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: NodeSecure/ci-action@177c57fe32c75cafabe87f6e4515d277cc37ae6c #1.4.1
        with:
          strategy: npm
          vulnerabilities: medium
          warnings: off
          reporters: console

If your repository has no package-lock.json file, the dependencies must first be installed with your package manager so that the action has a dependency tree to analyse:

name: "NodeSecure Continuous Integration"
on: [push]

jobs:
  validation:
    name: "Analysis"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Use Node.js 18
        uses: actions/setup-node@v3
        with:
          node-version: 18
      - name: install dependencies
        run: npm install
      - uses: NodeSecure/ci-action@177c57fe32c75cafabe87f6e4515d277cc37ae6c #1.4.1
        with:
          strategy: npm
          vulnerabilities: medium
          warnings: off
          reporters: console

Securing your workflow

You probably want to ensure your GitHub Actions are pinned to a SHA.

Referencing an action by its commit hash ensures that, if the action is compromised or targeted by a dependency confusion attack, your workflow does not pick up the malicious version. Combined with applying the principle of least privilege to each action in the workflow, this makes it harder for anyone who hijacks an action to obtain high-level access to your repository.

We recommend using https://app.stepsecurity.io/ to secure your workflows (it can generate a pull request and do the heavy lifting for you).
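As an added example (not code from the NodeSecure project), here is a small Python check that flags every `uses:` reference in a workflow file that is not pinned to a full 40-character commit SHA; the sample workflow embedded in it is constructed from the workflow above, with actions/checkout left on a mutable tag on purpose.

```python
import re

# A `uses:` step, optionally quoted; the reference ends at whitespace, a quote or a comment.
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# A full git commit SHA (40 lowercase hex characters); tags such as @v3 or @1.4.1 can be moved.
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, reference) for each `uses:` step that is not SHA-pinned.

    Local actions (./path) and docker:// images are skipped: they are not
    resolved through a mutable git tag, so SHA pinning does not apply to them.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = _USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not _SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings


# Constructed sample: checkout is tag-pinned, the NodeSecure action is SHA-pinned.
SAMPLE_WORKFLOW = """\
name: "NodeSecure Continuous Integration"
on: [push]
jobs:
  validation:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: NodeSecure/ci-action@177c57fe32c75cafabe87f6e4515d277cc37ae6c #1.4.1
        with:
          strategy: npm
"""

if __name__ == "__main__":
    for lineno, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```

Running it on a real workflow is a matter of passing the contents of the file under .github/workflows/ to `unpinned_actions`; an empty result means every third-party action is pinned.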

It is also good practice to let Dependabot keep the actions used by your workflows up to date:

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"

Contributors ✨

Thanks go to these wonderful people (emoji key):

Antoine 💻
Gentilhomme 🚧 👀
Kouadio Fabrice Nguessan 🚧

License

MIT

NodeSecure Continuous Integration is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.
