torsten/harheimertc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
111c8c239c8e6b4913074cdf416df3a7c6371b5d
harheimertc/.gitea/workflows/code-analysis.yml
Torsten Schulz (local) 111c8c239c
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 3m34s
Details
Refactor code analysis workflow by adding gitleaks detection command and removing obsolete output files to streamline the build process and enhance security checks.
2025-12-20 15:29:58 +01:00

76 lines
2.5 KiB
YAML
Raw Blame History

name: Code Analysis (JS/Vue)
on:
pull_request:
push:
branches: [ main ]
jobs:
analyze:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Node versions
run: |
node -v
npm -v
- name: Install dependencies
run: npm ci
- name: Lint
run: npm run lint
- name: Unit tests
run: npm test
- name: Build
run: npm run build --if-present
- name: Semgrep (SAST)
run: semgrep --config p/default --error .
- name: npm audit (high+)
run: npm audit --audit-level=high || true
- name: OSV-Scanner (SCA)
run: |
curl -L -o osv-scanner https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64
chmod +x osv-scanner
./osv-scanner --lockfile package-lock.json
- name: gitleaks (Secrets Scanning)
run: |
# Try to get the latest release asset URL
ASSET_URL=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | grep -o '"browser_download_url": "[^"]*linux_x64[^"]*"' | head -1 | cut -d'"' -f4)
if [ -z "$ASSET_URL" ]; then
# Fallback: construct URL manually
VERSION=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/')
ASSET_URL="https://github.com/gitleaks/gitleaks/releases/download/${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz"
fi
echo "Downloading from: $ASSET_URL"
curl -sSL -L "$ASSET_URL" -o gitleaks.tar.gz
# Check if download was successful and file is not HTML
if [ ! -s gitleaks.tar.gz ] || head -1 gitleaks.tar.gz | grep -q "<!DOCTYPE html"; then
echo "Error: Downloaded file is not a valid archive (might be HTML page)"
head -5 gitleaks.tar.gz
exit 1
fi
# Try different extraction methods
if tar -tzf gitleaks.tar.gz >/dev/null 2>&1; then
tar -xzf gitleaks.tar.gz
elif tar -tf gitleaks.tar.gz >/dev/null 2>&1; then
tar -xf gitleaks.tar.gz
else
echo "Error: Cannot extract archive. File type:"
file gitleaks.tar.gz
exit 1
fi
chmod +x gitleaks
# Remove build artifacts before scanning
rm -rf .next .output .nuxt 2>/dev/null || true
./gitleaks detect --source . --no-git --verbose --exit-code 1
rm -f gitleaks.tar.gz
Reference in New Issue View Git Blame Copy Permalink