Merge pull request #3042 from cdr/jsjoeio/audit-ci

feat(ci): add audit job for security

Author: repo-ranger[bot]

.github/workflows/ci.yaml

@@ -27,6 +27,15 @@ jobs:
         with:
           args: ./ci/steps/lint.sh
 
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Audit for vulnerabilities
+        uses: ./ci/images/debian10
+        with:
+          args: ./ci/steps/audit.sh
+
   test-unit:
     runs-on: ubuntu-latest
     steps:

ci/dev/audit.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+main() {
+  cd "$(dirname "$0")/../.."
+
+  # Prevents integration with moderate or higher vulnerabilities
+  # Docs: https://github.com/IBM/audit-ci#options
+  yarn audit-ci --moderate
+}
+
+main "$@"

ci/dev/ci.sh

@@ -6,6 +6,7 @@ main() {
 
   yarn fmt
   yarn lint
+  yarn _audit
   yarn test:unit
 }
 

ci/steps/audit.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+main() {
+  cd "$(dirname "$0")/../.."
+
+  yarn --frozen-lockfile
+
+  yarn _audit
+}
+
+main "$@"

package.json

@@ -24,6 +24,7 @@
     "postinstall": "./ci/dev/postinstall.sh",
     "update:vscode": "./ci/dev/update-vscode.sh",
     "_____": "",
+    "_audit": "./ci/dev/audit.sh",
     "fmt": "./ci/dev/fmt.sh",
     "lint": "./ci/dev/lint.sh",
     "test": "echo 'Run yarn test:unit or yarn test:e2e' && exit 1",
@@ -54,6 +55,7 @@
     "@types/wtfnode": "^0.7.0",
     "@typescript-eslint/eslint-plugin": "^4.7.0",
     "@typescript-eslint/parser": "^4.7.0",
+    "audit-ci": "^3.1.1",
     "doctoc": "^2.0.0",
     "eslint": "^7.7.0",
     "eslint-config-prettier": "^8.1.0",