chore(deps): bump @opentelemetry/sdk-node from 0.212.0 to 0.214.0 #376
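---
# Security scanning workflow for the repository:
#   * npm-audit        – `npm audit`, gated at high severity
#   * python-audit     – `pip-audit` per requirements file (matrix)
#   * trivy-scan       – Trivy filesystem scan, SARIF upload to code scanning,
#                        job fails on any CRITICAL/HIGH finding
#   * sbom-generation  – Syft SBOM (SPDX + CycloneDX) and Grype scan of it
#   * security-summary – roll-up of the artifacts into the job summary
# Triggers: pushes and pull requests to main, plus a nightly schedule.
name: Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 2 * * *'  # Daily at 2 AM UTC

# Least privilege at workflow level; only trivy-scan needs to write to
# code scanning and declares that itself. No step comments on pull requests,
# so no pull-requests permission is granted.
permissions:
  contents: read

defaults:
  run:
    # An explicit bash shell runs with `-eo pipefail`, so a failing left-hand
    # side of a pipe (e.g. the curl in `curl ... | sh`) fails the step instead
    # of being masked by the right-hand side.
    shell: bash

jobs:
  npm-audit:
    name: NPM Audit
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          # NOTE(review): Node 18 is past upstream end-of-life; confirm the
          # project still targets it before bumping this value.
          node-version: '18'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      # First pass keeps the full JSON report regardless of outcome (it is
      # uploaded below); the second pass is the gate and fails the job on
      # findings at high severity or above.
      - name: Run npm audit
        id: npm-audit
        run: |
          npm audit --json > npm-audit-results.json || true
          npm audit --audit-level=high

      - name: Upload npm audit results
        if: always()
        uses: actions/upload-artifact@v6
        with:
          name: npm-audit-results
          path: npm-audit-results.json
          retention-days: 30

  python-audit:
    name: Python Security Audit
    runs-on: ubuntu-latest
    timeout-minutes: 15
    strategy:
      # Report both requirements files even when one of them fails the gate.
      fail-fast: false
      matrix:
        include:
          # `label` is a path-safe identifier for file and artifact names.
          # The requirements path itself contains a '/', so using it directly
          # would redirect into a non-existent directory and put a slash into
          # the artifact name.
          - requirements: python-sdk/requirements.txt
            label: python-sdk
          - requirements: evaluation/requirements.txt
            label: evaluation
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Setup Python
        uses: actions/setup-python@v6
        with:
          python-version: '3.12'

      - name: Install pip-audit
        run: pip install pip-audit

      # First pass keeps the JSON report; second pass (OSV service) is the gate.
      - name: Run pip-audit
        id: pip-audit
        run: |
          pip-audit --requirement "${{ matrix.requirements }}" --format json > "pip-audit-${{ matrix.label }}.json" || true
          pip-audit --requirement "${{ matrix.requirements }}" --vulnerability-service osv

      - name: Upload pip audit results
        if: always()
        uses: actions/upload-artifact@v6
        with:
          name: pip-audit-results-${{ matrix.label }}
          path: pip-audit-${{ matrix.label }}.json
          retention-days: 30

  trivy-scan:
    name: Trivy Security Scan
    runs-on: ubuntu-latest
    timeout-minutes: 20
    permissions:
      contents: read
      security-events: write  # required by github/codeql-action/upload-sarif
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          # Nothing in this job talks to git after checkout, so do not leave
          # the token in the local git config.
          persist-credentials: false

      # TODO(security): `@master` is a mutable ref, so the scanner can change
      # underneath this workflow; pin both Trivy steps to a release tag or a
      # full commit SHA.
      - name: Run Trivy vulnerability scanner (filesystem)
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH,MEDIUM'
          exit-code: '0'  # gating is done by the jq check below
          skip-dirs: 'node_modules,.git,.cache,.trivy,coordination/embeddings/cache'
          timeout: '15m'

      - name: Run Trivy vulnerability scanner (JSON output)
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'json'
          output: 'trivy-results.json'
          severity: 'CRITICAL,HIGH,MEDIUM'
          exit-code: '0'
          skip-dirs: 'node_modules,.git,.cache,.trivy,coordination/embeddings/cache'
          timeout: '15m'

      # Fail the job on any CRITICAL or HIGH finding. A missing/empty report
      # is treated as a failure rather than an empty `-gt` comparison.
      - name: Check for critical/high vulnerabilities
        run: |
          if [ ! -s trivy-results.json ]; then
            echo "ERROR: trivy-results.json is missing or empty; the scan produced no output"
            exit 1
          fi
          CRITICAL=$(jq '[.Results[]?.Vulnerabilities[]? | select(.Severity=="CRITICAL")] | length' trivy-results.json)
          HIGH=$(jq '[.Results[]?.Vulnerabilities[]? | select(.Severity=="HIGH")] | length' trivy-results.json)
          echo "Critical vulnerabilities: $CRITICAL"
          echo "High vulnerabilities: $HIGH"
          if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then
            echo "ERROR: Found $CRITICAL critical and $HIGH high severity vulnerabilities"
            exit 1
          fi

      # Upload even when the gate above failed, but skip Dependabot pull
      # requests: their GITHUB_TOKEN is read-only and the upload would be
      # rejected. The previous `always() && a || b` form depended on `&&`
      # binding tighter than `||`; this spells the same rule out explicitly.
      - name: Upload Trivy results to GitHub Security
        if: always() && !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]')
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-results.sarif'
        continue-on-error: true  # e.g. forks without write access to code scanning

      - name: Upload Trivy scan results
        if: always()
        uses: actions/upload-artifact@v6
        with:
          name: trivy-scan-results
          path: |
            trivy-results.json
            trivy-results.sarif
          retention-days: 30

  sbom-generation:
    name: Generate SBOM
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          persist-credentials: false  # no git access needed after checkout

      # TODO(security): the installer is fetched from the unpinned `main`
      # branch and piped to sh, so both the script and the installed binary
      # are unverified. Pin a Syft release and verify the download before
      # execution, or use the vendor's GitHub action.
      - name: Install Syft
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

      - name: Generate SBOM (SPDX format)
        run: |
          syft dir:. -o spdx-json=sbom-spdx.json

      - name: Generate SBOM (CycloneDX format)
        run: |
          syft dir:. -o cyclonedx-json=sbom-cyclonedx.json

      # SBOMs are uploaded before the Grype gate so they are kept even when
      # the scan fails.
      - name: Upload SBOM artifacts
        uses: actions/upload-artifact@v6
        with:
          name: sbom-artifacts
          path: |
            sbom-spdx.json
            sbom-cyclonedx.json
          retention-days: 90

      # Same unpinned-installer caveat as Syft above. First grype pass keeps
      # the JSON report; the second is the gate (critical only, which is
      # looser than the HIGH gate used by trivy-scan).
      - name: Scan SBOM with Grype
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
          grype sbom:sbom-spdx.json -o json > grype-results.json || true
          grype sbom:sbom-spdx.json --fail-on critical

      - name: Upload Grype results
        if: always()
        uses: actions/upload-artifact@v6
        with:
          name: grype-scan-results
          path: grype-results.json
          retention-days: 30

  security-summary:
    name: Security Scan Summary
    runs-on: ubuntu-latest
    timeout-minutes: 10
    needs: [npm-audit, python-audit, trivy-scan, sbom-generation]
    if: always()
    steps:
      # With no `name` input every artifact of the run is downloaded into a
      # directory named after the artifact (e.g. npm-audit-results/).
      - name: Download all artifacts
        uses: actions/download-artifact@v7

      - name: Generate security summary
        run: |
          {
            echo "# Security Scan Summary"
            echo ""
            echo "Scan Date: $(date -u)"
            echo ""
            echo "## Scan Results"
            echo ""
          } >> "$GITHUB_STEP_SUMMARY"

          # NPM Audit Summary
          if [ -f npm-audit-results/npm-audit-results.json ]; then
            VULNERABILITIES=$(jq '.metadata.vulnerabilities' npm-audit-results/npm-audit-results.json)
            {
              echo "### NPM Audit"
              echo '```json'
              echo "$VULNERABILITIES"
              echo '```'
              echo ""
            } >> "$GITHUB_STEP_SUMMARY"
          fi

          # Trivy Summary
          if [ -f trivy-scan-results/trivy-results.json ]; then
            CRITICAL=$(jq '[.Results[]?.Vulnerabilities[]? | select(.Severity=="CRITICAL")] | length' trivy-scan-results/trivy-results.json)
            HIGH=$(jq '[.Results[]?.Vulnerabilities[]? | select(.Severity=="HIGH")] | length' trivy-scan-results/trivy-results.json)
            MEDIUM=$(jq '[.Results[]?.Vulnerabilities[]? | select(.Severity=="MEDIUM")] | length' trivy-scan-results/trivy-results.json)
            {
              echo "### Trivy Scan"
              echo "- Critical: $CRITICAL"
              echo "- High: $HIGH"
              echo "- Medium: $MEDIUM"
              echo ""
            } >> "$GITHUB_STEP_SUMMARY"
          fi

          {
            echo "## Artifacts Generated"
            echo "- NPM Audit Results"
            echo "- Python Audit Results"
            echo "- Trivy Scan Results (SARIF + JSON)"
            echo "- SBOM (SPDX + CycloneDX)"
            echo "- Grype Scan Results"
          } >> "$GITHUB_STEP_SUMMARY"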