
ci: improve vulnerability scanning — reusable audit action, Trivy for lib, dependency-review gate#303

Merged
gblanc-1a merged 1 commit into AmadeusITGroup:main from gblanc-1a:feat/vulnerability-ci-improvement on Jun 26, 2026

Conversation

@gblanc-1a gblanc-1a commented Jun 26, 2026

Contributor

Description

Overhaul CI vulnerability scanning across the three package scopes (extension, website, lib) by introducing a consistent, non-blocking audit comment action, a single repo-wide dependency-review gate for newly introduced vulnerabilities, and Trivy SARIF scanning for the lib workspace.

Type of Change

  • 🐛 Bug fix (non-breaking change which fixes an issue)
  • 🔧 Configuration/build changes

Related Issues

Relates to #301

Changes Made

  • New reusable action .github/actions/npm-audit-pr-comment/action.yml: posts (or updates) a PR comment listing pre-existing npm audit findings for a given package scope. Informational only — never blocks the build. Uses paginated comment lookup and a Map to deduplicate advisories by URL.
  • New workflow .github/workflows/dependency-review.yml: single repo-wide gate using actions/dependency-review-action@v4. Only runs when package.json / package-lock.json files change; fails on newly introduced vulnerabilities of severity ≥ moderate.
  • docs.yml — replaced the bare npm audit --audit-level=high step with the new npm-audit-pr-comment action (PR-only, non-blocking). Added pull-requests: write permission.
  • lib-collection-scripts-ci.yml — removed npm audit step; added Trivy fs scan of the lib/ directory with SARIF upload to the GitHub Security tab. Added security-events: write permission.
  • vscode-extension-secure-ci.yml — replaced npm ci --audit + npm audit with the npm-audit-pr-comment action. Added contents: read and pull-requests: write permissions.

Testing

Test Coverage

  • Manual testing completed

Manual Testing Steps

  1. Tested with 3 different PRs on my fork

Tested On

  • Linux (GitHub Actions ubuntu-latest)

Checklist

  • My code follows the project's style guidelines
  • I have performed a self-review of my code
  • My changes generate no new warnings or errors
  • No documentation changes needed

Reviewer Guidelines

Please pay special attention to:

  • The npm-audit-pr-comment action runs only on pull_request events — push/merge builds skip it intentionally.
  • dependency-review.yml is the single gating check for new vulnerabilities; the per-scope audit comments are informational.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache License 2.0.

@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Introduces a reusable composite action (npm-audit-pr-comment) and wires
up dependency-review-action across all three workflows.

On PRs:
- dependency-review-action posts an inline PR comment listing only newly
  introduced vulnerabilities and fails the check if any are found
- npm-audit-pr-comment posts or updates a PR comment with the full list
  of pre-existing advisories (informational, never blocks the build)

On push to main: existing npm audit steps unchanged (fail hard).

New composite action:
  .github/actions/npm-audit-pr-comment/action.yml
  - Accepts working-directory, audit-flags, label inputs
  - Parses npm audit --json output and formats a markdown table
  - Creates or updates a single comment per label (idempotent via marker)
  - No-ops on non-PR events

Workflows updated:
  docs.yml              — website/, --audit-level=high, fail-on-severity: high
  lib-collection-scripts-ci.yml — lib/, --audit-level=high, fail-on-severity: high
  vscode-extension-secure-ci.yml — root, --omit=dev --audit-level=moderate,
                                    fail-on-severity: moderate
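The comment action and the severity gate described in the PR description and the commit message above, as an added example that is not part of this PR or of the project's own action code. It is JavaScript of the kind an actions/github-script step would run and assumes the npm 7+ `npm audit --json` report shape (auditReportVersion 2, a `vulnerabilities` object whose `via` arrays mix advisory objects and package-name strings). The sample reports, package names and GHSA-EXAMPLE advisory URLs are constructed placeholders, the `<!-- npm-audit-pr-comment:label -->` marker text is an assumption (the commit message says a marker is used but not what it looks like), and `newlyIntroduced` is a simplified stand-in for what dependency-review-action computes from the dependency graph, added to show how a base/head diff with a severity floor behaves.

```javascript
// Added example, not the PR's own composite action: the pieces such an
// action needs, built against the npm 7+ `npm audit --json` report shape
// (auditReportVersion 2), plus a severity gate for newly introduced advisories.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Helper for the constructed samples below; the ids are placeholders, not real GHSA ids.
function advisory(title, id, severity, range) {
  return { title, url: `https://github.com/advisories/GHSA-EXAMPLE-${id}`, severity, range };
}

// Constructed "head" report. In the real format each entry's `via` array holds
// advisory objects and/or strings naming the package the issue is reached
// through; here the same advisory appears under two packages on purpose, so
// that the URL-keyed deduplication has something to do.
const HEAD_AUDIT_JSON = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    "pkg-a": { name: "pkg-a", severity: "high", isDirect: true, fixAvailable: true,
      via: [advisory("Prototype pollution in pkg-a", "0001", "high", "<1.2.3")] },
    "pkg-b": { name: "pkg-b", severity: "high", isDirect: false, fixAvailable: false,
      via: ["pkg-a", advisory("Prototype pollution in pkg-a", "0001", "high", "<1.2.3")] },
    "pkg-c": { name: "pkg-c", severity: "moderate", isDirect: true, fixAvailable: true,
      via: [advisory("ReDoS in pkg-c", "0002", "moderate", "<2.0.0")] },
  },
});

// Constructed "base" report: what the target branch already carried.
const BASE_AUDIT_JSON = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    "pkg-a": { name: "pkg-a", severity: "high", isDirect: true, fixAvailable: true,
      via: [advisory("Prototype pollution in pkg-a", "0001", "high", "<1.2.3")] },
  },
});

// Parse a report and return unique advisories keyed by URL, most severe first.
function collectAdvisories(auditJsonText) {
  const report = JSON.parse(auditJsonText);
  const byUrl = new Map();
  for (const [pkg, vuln] of Object.entries(report.vulnerabilities || {})) {
    for (const via of vuln.via || []) {
      // A string entry is a transitive path (package name), not an advisory.
      if (typeof via !== "object" || via === null || !via.url) continue;
      const seen = byUrl.get(via.url);
      if (seen) { seen.packages.add(pkg); continue; }
      byUrl.set(via.url, { url: via.url, title: via.title, severity: via.severity,
                           range: via.range, packages: new Set([pkg]) });
    }
  }
  return [...byUrl.values()].sort(
    (a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || a.url.localeCompare(b.url));
}

// Render the advisories as the markdown table the PR comment carries.
function formatMarkdownTable(advisories) {
  const lines = ["| Severity | Advisory | Affected packages | Vulnerable range |", "|---|---|---|---|"];
  for (const a of advisories) {
    lines.push(`| ${a.severity} | [${a.title}](${a.url}) | ${[...a.packages].sort().join(", ")} | \`${a.range}\` |`);
  }
  return lines.join("\n");
}

// Hidden HTML marker that makes the comment idempotent: one comment per label.
// The marker text is this example's own choice, not the PR's.
function commentMarker(label) {
  return `<!-- npm-audit-pr-comment:${label} -->`;
}

function buildCommentBody(label, advisories) {
  const heading = `### npm audit (${label}): ${advisories.length} pre-existing advisories (informational)`;
  const table = advisories.length ? formatMarkdownTable(advisories) : "No advisories found.";
  return `${commentMarker(label)}\n${heading}\n\n${table}`;
}

// Given the (already paginated) list of issue comments, find the one to update.
function findExistingComment(comments, label) {
  const marker = commentMarker(label);
  return comments.find((c) => typeof c.body === "string" && c.body.includes(marker)) || null;
}

// Gate logic: advisories present on head but not on base, at or above minSeverity.
function newlyIntroduced(baseAdvisories, headAdvisories, minSeverity) {
  const known = new Set(baseAdvisories.map((a) => a.url));
  return headAdvisories.filter(
    (a) => !known.has(a.url) && SEVERITY_RANK[a.severity] >= SEVERITY_RANK[minSeverity]);
}

const headAdvisories = collectAdvisories(HEAD_AUDIT_JSON);
console.log(buildCommentBody("website", headAdvisories));
console.log("newly introduced at >= moderate:",
  newlyIntroduced(collectAdvisories(BASE_AUDIT_JSON), headAdvisories, "moderate").map((a) => a.url));
```

Running it prints the informational comment for the constructed head report (one high advisory shared by pkg-a and pkg-b, one moderate advisory on pkg-c) and then the single URL the gate would flag at the moderate floor; raising the floor to high flags nothing, which is the distinction between the per-scope informational comment and the single blocking check the PR sets up.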
@gblanc-1a gblanc-1a force-pushed the feat/vulnerability-ci-improvement branch from 408f7c8 to fc183e8 on June 26, 2026 08:22
@mvgadagi mvgadagi self-requested a review June 26, 2026 09:17

@mvgadagi mvgadagi left a comment

Contributor


It LGTM @gblanc-1a 🤟 thanks for the contribution, the dependency-review workflow is a good move 💂

@gblanc-1a gblanc-1a merged commit 3049480 into AmadeusITGroup:main Jun 26, 2026
3 checks passed
@github-project-automation github-project-automation Bot moved this from Backlog to Done in Prompt Registry Jun 26, 2026
@gblanc-1a gblanc-1a deleted the feat/vulnerability-ci-improvement branch June 26, 2026 12:03