GitHub Action

NodeSecure Continuous Integration

v1.4.1 Latest version


Pipeline of tools that identify dependencies vulnerabilities and track malicious code

Installation

Copy and paste the following snippet into your .yml file.

              

- name: NodeSecure Continuous Integration
  uses: NodeSecure/ci-action@v1.4.1

Learn more about this action in NodeSecure/ci-action


NodeSecure CI Action


@nodesecure/ci brings together a set of tools to identify dependency vulnerabilities and to track the most common malicious code and patterns.

Please refer to the @nodesecure/ci documentation to see more about the project.

Usage

Add to an existing Workflow

Simply add this step to your workflow (the trailing comment records which release the commit hash corresponds to):

uses: NodeSecure/ci-action@177c57fe32c75cafabe87f6e4515d277cc37ae6c #1.4.1

Add a new dedicated Workflow

Here's a sample complete workflow you can add to your repositories:

.github/workflows/nodesecure.yml

name: "NodeSecure Continuous Integration"
on: [push]

jobs:
  validation:
    name: "Analysis"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: NodeSecure/ci-action@177c57fe32c75cafabe87f6e4515d277cc37ae6c #1.4.1
        with:
          strategy: npm
          vulnerabilities: medium
          warnings: off
          reporters: console

If your repository has no package-lock.json file, the dependencies must be installed with your package manager before the action runs:

name: "NodeSecure Continuous Integration"
on: [push]

jobs:
  validation:
    name: "Analysis"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Use Node.js 18
        uses: actions/setup-node@v3
        with:
          node-version: 18
      - name: install dependencies
        run: npm install
      - uses: NodeSecure/ci-action@177c57fe32c75cafabe87f6e4515d277cc37ae6c #1.4.1
        with:
          strategy: npm
          vulnerabilities: medium
          warnings: off
          reporters: console

Securing your workflow

You probably want to ensure that every GitHub Action in your workflows is pinned to a commit SHA rather than to a tag or branch (the sample workflows above reference actions/checkout and actions/setup-node by tag for brevity; pin those as well).

Tags and branches are mutable: if an action's repository is compromised, or its name is taken over in a dependency confusion attack, a workflow that references the action by tag silently picks up the malicious version on its next run, whereas a workflow pinned to a full commit hash keeps executing the code you reviewed. The trailing comment (#1.4.1) only documents which release the hash corresponds to; nothing enforces it, so keep it in sync when you bump the pin. Note also that the pin freezes the action's own repository, not anything the action downloads at run time. Combined with the principle of least privilege, i.e. a permissions: block that grants each job only the scopes it needs, SHA pinning makes it much harder for whoever hijacks an action to obtain high access to your repository.

We recommend using https://app.stepsecurity.io/ to secure your workflows (it can generate a pull request that does the heavy lifting for you).
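Pinning is only useful if it is enforced, so the following POSIX sh check, added here as an example (it is not part of @nodesecure/ci or of this action; the function names check_pinned_actions and check_all_workflows are our own), fails whenever a uses: reference in a workflow file is not a full 40-character commit SHA. Local (./path) and docker:// references are skipped because SHA pinning does not apply to them; the trailing version comment is ignored.

```shell
#!/bin/sh
# Added example, not part of the NodeSecure project: refuse workflow files
# whose `uses:` steps reference an action by tag or branch instead of a
# full 40-hex commit SHA.

# check_pinned_actions FILE
# Returns 0 when every `uses:` reference in FILE is SHA-pinned, 1 otherwise,
# printing the offending references to stderr.
check_pinned_actions() {
  file="$1"
  # 1. keep only `uses:` lines (a commented-out `# - uses:` does not match);
  # 2. drop the trailing comment (e.g. "#1.4.1"), the `uses:` key, quotes
  #    and trailing whitespace;
  # 3. ignore local and docker:// references, which cannot be SHA-pinned;
  # 4. keep whatever is NOT of the form owner/repo@<40 hex chars>.
  unpinned=$(
    grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$file" \
      | sed -E "s/#.*$//; s/^[^:]*uses:[[:space:]]*//; s/[\"']//g; s/[[:space:]]+$//" \
      | grep -Ev '^(\./|docker://)' \
      | grep -Ev '@[0-9a-f]{40}$'
  ) || true   # grep exits 1 when nothing is left, which is the good case
  if [ -n "$unpinned" ]; then
    printf '%s: action reference not pinned to a commit SHA:\n%s\n' "$file" "$unpinned" >&2
    return 1
  fi
  return 0
}

# check_all_workflows FILE...
# Runs the check over every file given; non-zero if any file fails.
check_all_workflows() {
  rc=0
  for f in "$@"; do
    check_pinned_actions "$f" || rc=1
  done
  return "$rc"
}

# In CI, as a step before the NodeSecure action:
#   check_all_workflows .github/workflows/*.yml || exit 1
```

Run it as a step of its own (or from a pre-commit hook) so that a pull request that reintroduces a tag reference fails before it reaches the default branch; Dependabot's pin bumps keep the 40-hex form and therefore pass the check.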

It is also good practice to let Dependabot keep the pinned actions up to date; it bumps the commit SHA and its version comment together when a new release is published:

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"

Contributors ✨


Thanks goes to these wonderful people (emoji key):

Antoine: 💻
Gentilhomme: 🚧 👀
Kouadio Fabrice Nguessan: 🚧

License

MIT