feat: add license and vulnerability scanner (#66)

Co-authored-by: Richard Treier <richard.treier@sovity.de>
sovity · Jan 26, 2023 · a291c4e · a291c4e
1 parent f5ccc42
commit a291c4e
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 6 deletions.
diff --git a/.github/license_scan_config.yml b/.github/license_scan_config.yml
@@ -0,0 +1,14 @@
+format: table
+vulnerability:
+  type:
+    - os
+    - library
+  ignore-unfixed: true
+scan:
+  security-checks:
+    - license
+license-full: true
+severity:
+  - UNKNOWN
+  - HIGH
+  - CRITICAL
diff --git a/.github/workflows/license_scan.yml b/.github/workflows/license_scan.yml
@@ -0,0 +1,38 @@
+name: Trivy License Scans
+
+on:
+  pull_request:
+    branches: [ "main" ]
+
+
+jobs:
+  license_scan:
+    name: license_scan
+    runs-on: ubuntu-20.04
+    timeout-minutes: 30
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 16
+          cache: 'npm'
+          cache-dependency-path: 'package-lock.json'
+
+      - name: Run license scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'rootfs'
+          scan-ref: '.'
+          trivy-config: ".github/license_scan_config.yml"
+          exit-code: 1
+
+      - name: Run vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          security-checks: vuln, config
+          severity: CRITICAL
+          exit-code: 1
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,3 @@
+# This concerns the dev dependency @angular-devkit/build-angular.
+# This dependency uses webpack-merge@5.8.0 that uses wildcard which uses minimist 1.2.0 (which is causing the error)
+CVE-2021-44906
diff --git a/package-lock.json b/package-lock.json