
feat(ci): add audit job for security #3042


Merged
merged 3 commits into from
Apr 6, 2021

Conversation

jsjoeio
Contributor

@jsjoeio jsjoeio commented Apr 5, 2021

This PR adds a new CI job using audit-ci to check for vulnerabilities using yarn audit.

Inspired by @PatrickDerichs and #2964

NOTE: I don't think audit will pass until #3041 is merged and I rebase.

TODOS

  • refactor based on jawnsy's feedback (add to package.json, add as devDependency and add script to run in CI)

@jsjoeio jsjoeio self-assigned this Apr 5, 2021
@jsjoeio jsjoeio marked this pull request as ready for review April 5, 2021 23:34
@jsjoeio jsjoeio requested a review from a team as a code owner April 5, 2021 23:34
@jsjoeio jsjoeio added this to the v3.9.3 milestone Apr 5, 2021
@jsjoeio jsjoeio marked this pull request as draft April 5, 2021 23:37
Contributor

@jawnsy jawnsy left a comment


LGTM! 👍

I'm curious generally where this tool gets its data from, and why Dependabot seems to have missed some of the flagged issues?

I think we'll need several of these tools because they scan different things and in different ways (this covers us for vulns in code-server itself, but not for other stuff that we include in our code-server docker images, for example).

@jsjoeio jsjoeio force-pushed the jsjoeio/audit-ci branch from 54ca2af to 1dd3b42 Compare April 6, 2021 00:04
@jsjoeio jsjoeio marked this pull request as ready for review April 6, 2021 00:04
@jsjoeio jsjoeio marked this pull request as draft April 6, 2021 00:06
@jsjoeio jsjoeio force-pushed the jsjoeio/audit-ci branch from 1dd3b42 to 6f98e08 Compare April 6, 2021 18:06
@jsjoeio jsjoeio marked this pull request as ready for review April 6, 2021 18:06
@repo-ranger repo-ranger bot merged commit 02beb9b into main Apr 6, 2021
@repo-ranger repo-ranger bot deleted the jsjoeio/audit-ci branch April 6, 2021 19:25
@jsjoeio jsjoeio added the security Security related label May 4, 2021
@jsjoeio jsjoeio added the chore Related to maintenance or clean up label May 14, 2021