Reorganize code analysis workflow to run gitleaks scan before installing dependencies, ensuring more accurate results and maintaining a cleaner environment for subsequent analysis steps.
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 8s
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 8s
This commit is contained in:
Torsten Schulz (local)
@@ -17,30 +17,6 @@ jobs:
|
|||||||
node -v
|
node -v
|
||||||
npm -v
|
npm -v
|
||||||
|
|
||||||
- name: Install dependencies
|
|
||||||
run: npm ci
|
|
||||||
|
|
||||||
- name: Lint
|
|
||||||
run: npm run lint
|
|
||||||
|
|
||||||
- name: Unit tests
|
|
||||||
run: npm test
|
|
||||||
|
|
||||||
- name: Build
|
|
||||||
run: npm run build --if-present
|
|
||||||
|
|
||||||
- name: Semgrep (SAST)
|
|
||||||
run: semgrep --config p/default --error .
|
|
||||||
|
|
||||||
- name: npm audit (high+)
|
|
||||||
run: npm audit --audit-level=high || true
|
|
||||||
|
|
||||||
- name: OSV-Scanner (SCA)
|
|
||||||
run: |
|
|
||||||
curl -L -o osv-scanner https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64
|
|
||||||
chmod +x osv-scanner
|
|
||||||
./osv-scanner --lockfile package-lock.json
|
|
||||||
|
|
||||||
- name: gitleaks (Secrets Scanning)
|
- name: gitleaks (Secrets Scanning)
|
||||||
run: |
|
run: |
|
||||||
# Try to get the latest release asset URL
|
# Try to get the latest release asset URL
|
||||||
@@ -69,7 +45,30 @@ jobs:
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
chmod +x gitleaks
|
chmod +x gitleaks
|
||||||
# Remove build artifacts and node_modules before scanning
|
# Run gitleaks scan BEFORE installing dependencies to avoid false positives from node_modules
|
||||||
rm -rf .next .output .nuxt node_modules 2>/dev/null || true
|
|
||||||
./gitleaks detect --source . --no-git --verbose --exit-code 1
|
./gitleaks detect --source . --no-git --verbose --exit-code 1
|
||||||
rm -f gitleaks.tar.gz
|
rm -f gitleaks.tar.gz
|
||||||
|
|
||||||
|
- name: Install dependencies
|
||||||
|
run: npm ci
|
||||||
|
|
||||||
|
- name: Lint
|
||||||
|
run: npm run lint
|
||||||
|
|
||||||
|
- name: Unit tests
|
||||||
|
run: npm test
|
||||||
|
|
||||||
|
- name: Build
|
||||||
|
run: npm run build --if-present
|
||||||
|
|
||||||
|
- name: Semgrep (SAST)
|
||||||
|
run: semgrep --config p/default --error .
|
||||||
|
|
||||||
|
- name: npm audit (high+)
|
||||||
|
run: npm audit --audit-level=high || true
|
||||||
|
|
||||||
|
- name: OSV-Scanner (SCA)
|
||||||
|
run: |
|
||||||
|
curl -L -o osv-scanner https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64
|
||||||
|
chmod +x osv-scanner
|
||||||
|
./osv-scanner --lockfile package-lock.json
|
||||||
|
|||||||
Reference in New Issue
Block a user