Add dependency scan for Ruby, npm, Docker, and GitHub Actions#3582
Open
zinduolis wants to merge 3 commits into
Pull Request

Thanks for submitting a PR! Please fill in this template where appropriate:

Category

CI / Tooling (GitHub Actions workflow)

Feature/Issue Description

Q: Please give a brief summary of your feature/fix

A: Adds a non-blocking GitHub Actions workflow that scans the project's dependencies for vulnerabilities and outdated versions on every PR to master, covering all the technologies the project uses — Ruby gems, npm packages, the Dockerfile, and the GitHub Actions workflows. Findings are reported to the run's Step Summary. Scan steps never fail the build, so the PR check stays green even when issues are found.

Q: Give a technical rundown of what you have changed (if applicable)

A: Adds .github/workflows/dependency-scan.yml — a single job on ubuntu-latest, triggered by pull_request to master, with least-privilege permissions: contents: read:
- bundler-audit (DB refreshed first) for vulnerabilities, bundle outdated for currency.
- npm audit and npm outdated (deps here are dev-only tooling: eslint/jsdoc).
- hadolint (checksum-pinned binary).
- actionlint (checksum-pinned binary).
- $GITHUB_STEP_SUMMARY.

Setup/prep steps (downloads, checksum verification, bundle audit update, npm ci) fail loudly so a broken environment can't produce a silent false pass, while the scan commands use || true to stay non-blocking. All uses: actions are pinned to full commit SHAs (with version comments) and both binaries are SHA256-verified.

Test Cases

Q: Describe your test cases, what you have covered and if there are any use cases that still need addressing.

A: Validated the workflow YAML syntax and verified on a test PR to master that the run completes green even when vulnerabilities/outdated dependencies are present, with all four sections (Ruby, npm, Dockerfile, GitHub Actions) rendering in the Summary tab. Confirmed checksum mismatches and prep failures fail their step rather than passing silently. Not yet addressed: binary checksums are pinned to the current linux x86_64/amd64 assets (a runner arch change would require updating them), and findings surface only in the Step Summary, which is the intended scope.

Wiki Page
N/A — the workflow is self-contained and documented via inline comments and this PR.
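As an added example (not the PR's own workflow, which is not shown on this page), the POSIX shell sketch below demonstrates the two step patterns the technical rundown and the test cases above describe: a prep step that verifies a downloaded binary against a pinned SHA256 and fails loudly on mismatch, and a scan step that appends its findings and exit code to the Step Summary file while always returning success so the job stays green. The file names, the summary path argument and the checksum values are constructed for the demo; in the real workflow the summary path would be $GITHUB_STEP_SUMMARY and the expected checksums would be the release's published values.

```shell
#!/usr/bin/env sh
# Added example, not the PR's workflow. Two helpers that mirror the
# "prep fails loudly, scan never fails the job" split described in the PR.

# Compute the SHA256 of a file, portable across coreutils and BSD userlands.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Prep-step pattern: compare a downloaded binary against a pinned checksum.
# Returns 0 on match and 1 on mismatch; under `set -e` (or with `|| exit 1`)
# the mismatch fails the step, so a tampered or wrong-arch asset cannot
# silently turn into a "green" run.
verify_checksum() {
  file="$1"
  expected="$2"
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
  fi
  echo "checksum ok for $file"
  return 0
}

# Scan-step pattern: run a scanner, write its output and exit code to the
# summary file (the workflow would pass $GITHUB_STEP_SUMMARY), and always
# return 0 so the PR check stays non-blocking even when findings exist.
# Usage: run_scan_nonblocking "<title>" <summary-file> <command...>
run_scan_nonblocking() {
  title="$1"
  summary="$2"
  shift 2
  rc=0
  out=$("$@" 2>&1) || rc=$?
  {
    echo "## $title"
    printf '%s\n' "$out" | sed 's/^/    /'   # indent output as a code block
    echo "exit code: $rc"
    echo
  } >>"$summary"
  return 0
}

# Self-demo: `sh thisfile.sh demo` exercises both helpers on constructed data.
if [ "${1:-}" = demo ]; then
  tmp=$(mktemp -d)
  printf 'constructed stand-in for a downloaded binary\n' >"$tmp/tool"
  pinned=$(sha256_of "$tmp/tool")   # constructed; a real workflow pins the published SHA256
  verify_checksum "$tmp/tool" "$pinned" || exit 1
  run_scan_nonblocking "Example scan (constructed)" "$tmp/summary.md" \
    sh -c 'echo "1 finding"; exit 1'
  cat "$tmp/summary.md"
  rm -rf "$tmp"
fi
```

The important detail is where `|| true` (here, the `|| rc=$?` capture) sits: only around the scanner invocation, never around the download or checksum step. Wrapping the whole step would let a failed download or mismatched checksum pass as a clean scan.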