Add CI security scanning (#14) #37
Closes #14.
Summary
- `.forgejo/workflows/pr.yml`:
  - `npm_audit` — production deps only (`--omit=dev`)
  - `osv_scan` — OSV-Scanner v1.9.2 binary, pinned, against `package-lock.json`
  - `image_scan` — Trivy 0.58.1 against a locally-built `carol-service:scan` image (uses the `:act-24.04` runner image because it ships the Docker CLI)
- `SECURITY_SEVERITY_THRESHOLD: high`. All three scanners read it through `scripts/ci/security-summary.mjs`, which normalizes each scanner's severity scale (npm's `moderate` → `medium`, OSV's CVSS-score fallback, Trivy's uppercase) into one four-level scale.
- `$GITHUB_STEP_SUMMARY` — count by severity, then per-finding rows with package, advisory link, installed/range, fix version. Not buried in raw step logs.
- `high` threshold rationale, and alternatives considered (Snyk, audit-ci, Grype, CodeQL, per-scanner native flags as the gate, warn-only mode).

Bundled: Kysely 0.27.6 → 0.29.2

`npm audit` against the current lockfile flags Kysely with three high-severity SQL-injection advisories (GHSA-wmrf-hv6w-mr66, GHSA-8cpq-38p9-67gx, GHSA-pv5w-4p9q-p3v2). Without the bump the new gate would block every PR after this one lands. Fix lands here so #14 ships in a coherent state.

Kysely 0.29 moved `Migrator` and `Migration` types to a `kysely/migration` subpath; `db/migrator.ts` and `db/migrations/001_example.ts` follow the new import.

Branch-name note

The original branch `19-ci-security-scanning` was mis-numbered. This PR is on `14-ci-security-scanning` (matches the ticket).

Test plan

- `high` on a clean tree
- `npm install lodash@4.17.20` trips both `npm_audit` and `osv_scan` with populated tables; revert
- `SECURITY_SEVERITY_THRESHOLD: critical` retunes all three gates without further edits

🤖 Generated with Claude Code
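The severity normalization and threshold gate the description attributes to `scripts/ci/security-summary.mjs`, shown as an added example that is not the project's own script: the scanner names, the finding shapes, the CVSS band edges for the OSV fallback and the sample findings are all assumptions constructed here.

```javascript
// Added example (not the project's scripts/ci/security-summary.mjs); scanner
// names, finding shapes and the CVSS band edges below are assumptions.
const LEVELS = ["low", "medium", "high", "critical"];
// CVSS v3 base-score bands, used when an OSV record has a score but no named
// severity (the "CVSS-score fallback" the PR mentions; band edges assumed).
function cvssToLevel(score) {
  if (score >= 9.0) return "critical";
  if (score >= 7.0) return "high";
  if (score >= 4.0) return "medium";
  return "low";
}

// Map one scanner's native severity onto the shared four-level scale.
function normalizeSeverity(scanner, raw) {
  switch (scanner) {
    case "npm": // npm audit: info/low/moderate/high/critical
      return raw === "moderate" ? "medium" : raw === "info" ? "low" : raw;
    case "osv": // OSV: named severity if present, else a CVSS base score
      return typeof raw === "number" ? cvssToLevel(raw) : raw.toLowerCase();
    case "trivy": // Trivy: UNKNOWN/LOW/MEDIUM/HIGH/CRITICAL
      return raw === "UNKNOWN" ? "low" : raw.toLowerCase();
    default:
      throw new Error(`unknown scanner: ${scanner}`);
  }
}

// Count findings per level and fail the gate when any finding sits at or
// above the threshold (the workflow's SECURITY_SEVERITY_THRESHOLD value).
function evaluate(findings, threshold) {
  const minIndex = LEVELS.indexOf(threshold);
  if (minIndex < 0) throw new Error(`bad threshold: ${threshold}`);
  const counts = Object.fromEntries(LEVELS.map((l) => [l, 0]));
  for (const f of findings) counts[normalizeSeverity(f.scanner, f.severity)]++;
  const blocking = LEVELS.slice(minIndex).reduce((n, l) => n + counts[l], 0);
  return { counts, blocking, pass: blocking === 0 };
}

// Markdown table rows for $GITHUB_STEP_SUMMARY, highest severity first.
function summaryRows(findings) {
  return findings
    .map((f) => ({ ...f, level: normalizeSeverity(f.scanner, f.severity) }))
    .sort((a, b) => LEVELS.indexOf(b.level) - LEVELS.indexOf(a.level))
    .map((f) => `| ${f.level} | ${f.scanner} | ${f.pkg} | ${f.fix ?? "-"} |`);
}

// Constructed sample findings, one per scanner in its native scale.
const SAMPLE_FINDINGS = [
  { scanner: "npm", pkg: "example-pkg", severity: "moderate", fix: "1.2.4" },
  { scanner: "osv", pkg: "example-pkg", severity: 7.5 },
  { scanner: "trivy", pkg: "libexample", severity: "CRITICAL" },
];
```

With the sample findings, `evaluate(SAMPLE_FINDINGS, "high")` blocks on two findings (the Trivy critical and the OSV score of 7.5) while the npm `moderate` one only counts as medium; raising the threshold to `critical` leaves a single blocking finding, which is the retuning behaviour the test plan describes.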