CI: Scan for vulnerabilities in your project dependencies
Draft Disclaimer: Please note that this article is currently in draft form and may undergo revisions before final publication. The content, including information, opinions, and recommendations, is subject to change and may not represent the final version. We appreciate your understanding and patience as we work to refine and improve the quality of this article. Your feedback is valuable in shaping the final release.
NPM security fix
```sh
npm install --package-lock-only   # generate package-lock.json without touching node_modules
npm audit fix                     # apply the available security fixes to package-lock.json
rm yarn.lock                      # Yarn 1 has no "audit fix", so rebuild its lockfile instead
yarn import                       # regenerate yarn.lock from the fixed package-lock.json
rm package-lock.json              # keep yarn.lock as the single lockfile
```
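Fixing is one thing; deciding when the pipeline should go red is another. The following gate script is an added example, not part of the original article: it reads the JSON report written by `npm audit --json` (assumed here to be the npm 7+ format, whose `metadata.vulnerabilities` block lists a count per severity) and fails the job only when findings at or above a chosen severity are present, so low-severity noise does not block every build. The report embedded in `write_sample_report` is constructed for the dry run and is not real audit output; the `--ci` flag and the function names are this example's own.

```shell
#!/bin/sh
# Added example: a CI gate around `npm audit --json` (not code from the article).
# Assumes the npm >= 7 report format, which ends with a block like:
#   "metadata": { "vulnerabilities": { "info": 0, "low": 1, "moderate": 0,
#                                      "high": 2, "critical": 0, "total": 3 } }

# Number of findings for one severity key in an npm audit JSON report file.
# Only grep/sed are used so it works in a minimal CI image without jq.
# The per-package entries use `"severity": "high"`, so a line starting with
# the bare key (`"high": 2`) only occurs in metadata.vulnerabilities.
audit_count() {
  # $1 = report file, $2 = severity key (info|low|moderate|high|critical)
  count=$(grep -E "^[[:space:]]*\"$2\":[[:space:]]*[0-9]+" "$1" | head -n 1 | sed 's/[^0-9]//g')
  echo "${count:-0}"
}

# Returns 0 when the report is clean at/above the threshold, 1 otherwise.
# $1 = report file, $2 = lowest severity that blocks the build (default: high)
audit_gate() {
  report=$1
  threshold=${2:-high}
  blocking=0
  case "$threshold" in
    low)      levels="low moderate high critical" ;;
    moderate) levels="moderate high critical" ;;
    high)     levels="high critical" ;;
    critical) levels="critical" ;;
    *) echo "unknown threshold: $threshold" >&2; return 2 ;;
  esac
  for level in $levels; do
    n=$(audit_count "$report" "$level")
    if [ "$n" -gt 0 ]; then
      echo "npm audit: $n $level finding(s)" >&2
      blocking=$((blocking + n))
    fi
  done
  [ "$blocking" -eq 0 ]
}

# Constructed sample report (not real audit output) for a dry run: 1 low, 2 high.
write_sample_report() {
  cat > "$1" <<'EOF'
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "some-package": {
      "name": "some-package",
      "severity": "high",
      "fixAvailable": true
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 1,
      "moderate": 0,
      "high": 2,
      "critical": 0,
      "total": 3
    }
  }
}
EOF
}

# Usage in a CI step (the gate only runs when invoked with --ci, so the file
# can also be sourced for its functions):
#   npm audit --json > audit.json || true   # npm audit exits non-zero on any finding
#   sh audit_gate.sh --ci audit.json high
if [ "${1:-}" = "--ci" ]; then
  audit_gate "${2:-audit.json}" "${3:-high}"
  exit $?
fi
```

The `|| true` after `npm audit` matters: npm exits non-zero as soon as anything is reported, so without it the job would stop before the gate gets to apply its own threshold. Pair the gate with `npm audit fix` (or the Dependabot setup below) so that a red build always comes with a fix path.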
PHP security fix
```sh
curl -O https://get.sensiolabs.org/security-checker.phar                 # download the SensioLabs security checker
composer config -g github-oauth.github.com ${{ secrets.ACCESS_TOKEN }}   # GitHub token (Actions secret) to avoid API rate limits
composer update --prefer-dist --no-interaction                           # resolve dependencies and refresh composer.lock
php security-checker.phar security:check -n composer.lock                # check the lockfile against the advisories database
```
Dependabot doing it all
Since GitHub acquired Dependabot, security checks for Composer, npm and many other ecosystems come out of the box: just add a .github/dependabot.yml file.
```yaml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    labels:
      - "dependencies"
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "daily"
    labels:
      - "dependencies"
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    labels:
      - "dependencies"
```
Dependabot.yml
- not a workflow (i.e. not .github/workflows/dependabot.yml); it opens PRs for dependency updates
  - composer
  - npm
  - GitHub Actions used
- auto-merge if wanted
- security patches auto-applied
- cons?