name: Code Analysis (JS/Vue) on: pull_request: push: branches: [ main ] jobs: analyze: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Node versions run: | node -v npm -v - name: Install dependencies run: npm ci - name: Lint run: npm run lint - name: Unit tests run: npm test - name: Build run: npm run build --if-present - name: Semgrep (SAST) run: semgrep --config p/default --error . - name: npm audit (high+) run: npm audit --audit-level=high || true - name: OSV-Scanner (SCA) run: | curl -L -o osv-scanner https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64 chmod +x osv-scanner ./osv-scanner --lockfile package-lock.json - name: gitleaks (Secrets Scanning) run: | # Try to get the latest release asset URL ASSET_URL=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | grep -o '"browser_download_url": "[^"]*linux_x64[^"]*"' | head -1 | cut -d'"' -f4) if [ -z "$ASSET_URL" ]; then # Fallback: construct URL manually VERSION=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/') ASSET_URL="https://github.com/gitleaks/gitleaks/releases/download/${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz" fi echo "Downloading from: $ASSET_URL" curl -sSL -L "$ASSET_URL" -o gitleaks.tar.gz # Check if download was successful and file is not HTML if [ ! -s gitleaks.tar.gz ] || head -1 gitleaks.tar.gz | grep -q "/dev/null 2>&1; then tar -xzf gitleaks.tar.gz elif tar -tf gitleaks.tar.gz >/dev/null 2>&1; then tar -xf gitleaks.tar.gz else echo "Error: Cannot extract archive. File type:" file gitleaks.tar.gz exit 1 fi chmod +x gitleaks # Remove build artifacts before scanning rm -rf .next .output .nuxt 2>/dev/null || true ./gitleaks detect --source . --no-git --verbose --exit-code 1 rm -f gitleaks.tar.gz