NodeSecure/ci-action

NodeSecure CI Action

@nodesecure/ci brings together a set of tools to identify vulnerabilities in your dependencies and to track the most common malicious code patterns.

Please refer to the @nodesecure/ci documentation to see more about the project.

Usage

Add to an existing Workflow

Simply add this action as a step in your workflow:

uses: NodeSecure/ci-action@177c57fe32c75cafabe87f6e4515d277cc37ae6c #1.4.1

Add a new dedicated Workflow

Here's a sample complete workflow you can add to your repositories:

.github/workflows/nodesecure.yml

name: "NodeSecure Continuous Integration"
on: [push]

jobs:
  validation:
    name: "Analysis"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: NodeSecure/ci-action@177c57fe32c75cafabe87f6e4515d277cc37ae6c #1.4.1
        with:
          strategy: npm
          vulnerabilities: medium
          warnings: off
          reporters: console

If your repository has no package-lock.json file, the dependencies must be installed with your package manager before the action runs:

name: "NodeSecure Continuous Integration"
on: [push]

jobs:
  validation:
    name: "Analysis"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Use Node.js 18
        uses: actions/setup-node@v3
        with:
          node-version: 18
      - name: install dependencies
        run: npm install
      - uses: NodeSecure/ci-action@177c57fe32c75cafabe87f6e4515d277cc37ae6c #1.4.1
        with:
          strategy: npm
          vulnerabilities: medium
          warnings: off
          reporters: console

Securing your workflow

You probably want to ensure your GitHub Actions are pinned to a commit SHA.

Referencing an action by its commit hash guarantees that, if the action is later compromised or targeted by a dependency confusion attack, your workflow does not pick up the malicious version. Combined with applying the principle of least privilege to each action in the workflow, this makes it harder for anyone who hijacks an action to gain broad access to your repository.

We recommend using https://app.stepsecurity.io/ to secure your workflows (it can generate a pull request and do the heavy lifting for you).
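The pinning advice above can be checked mechanically in CI or in a pre-commit hook. The following POSIX shell script is an added example and is not part of the NodeSecure/ci-action project: it extracts the `uses:` references from a workflow file and lists every remote action that is not pinned to a full 40-character commit SHA (tags such as `@v3` and branches such as `@main` count as unpinned; local `./` actions and `docker://` images are skipped). Both workflow texts are constructed for the example, and the SHA on the `actions/checkout` line in the pinned sample is a placeholder, not a real commit.

```shell
#!/bin/sh
# Added example: detect GitHub Actions `uses:` references that are not pinned to a commit SHA.

# Constructed sample workflow with a mix of pinned and unpinned references.
SAMPLE_WORKFLOW='name: "Sample"
on: [push]
jobs:
  validation:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: NodeSecure/ci-action@177c57fe32c75cafabe87f6e4515d277cc37ae6c #1.4.1
      - name: Local step
        uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
      - uses: some-org/some-action@main
'

# Constructed sample where every remote action is pinned. The checkout SHA is a
# placeholder made of repeated hex digits, not a real actions/checkout commit.
PINNED_WORKFLOW='jobs:
  validation:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder
      - uses: NodeSecure/ci-action@177c57fe32c75cafabe87f6e4515d277cc37ae6c #1.4.1
'

# list_unpinned WORKFLOW_TEXT
# Prints one line per remote action reference that is not pinned to a 40-hex-digit SHA.
# Prints nothing when everything is pinned. Always exits 0 so it is safe under `set -e`.
list_unpinned() {
  printf '%s\n' "$1" |
    # keep only the value of `uses:` keys, whether or not the line starts with "- "
    sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//p' |
    # drop trailing YAML comments such as " #1.4.1" and any double quotes
    sed 's/[[:space:]]*#.*$//' | tr -d '"' |
    # local composite actions and docker images are not fetched from another repo
    grep -v '^\./' | grep -v '^docker://' |
    # anything left whose ref is not exactly 40 hex characters is unpinned
    grep -Ev '@[0-9a-f]{40}$' || true
}

# check_pinned WORKFLOW_TEXT
# Returns 0 when no unpinned remote action is found, 1 otherwise.
check_pinned() {
  [ -z "$(list_unpinned "$1")" ]
}

# Usage: report on the constructed sample.
if check_pinned "$SAMPLE_WORKFLOW"; then
  echo "all remote actions are pinned to a commit SHA"
else
  echo "unpinned actions found:"
  list_unpinned "$SAMPLE_WORKFLOW"
fi
```

To run it against a real file, replace the constructed text with `list_unpinned "$(cat .github/workflows/nodesecure.yml)"`; a `check_pinned` failure in a CI step will fail the job, which is usually the behaviour you want.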

It is also good practice to let Dependabot keep the actions used in your workflows up to date:

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"

Contributors ✨

Thanks goes to these wonderful people (emoji key):

- Antoine 💻
- Gentilhomme 🚧 👀
- Kouadio Fabrice Nguessan 🚧

License

MIT