ci: add CVE Lite dependency audit workflow #2819
Open
sonukapoor wants to merge 1 commit into
This PR adds a CVE Lite dependency audit workflow to help catch vulnerable dependencies before they land in main.
CVE Lite CLI is an OWASP Lab Project that scans lockfiles locally without installing packages. It reads the pnpm lockfile directly, queries the OSV vulnerability database, and classifies findings as direct or transitive so you know exactly what you control. A scan of the current main branch found 34 findings total - 3 critical, 16 high, 14 medium, and 1 low.
The workflow runs on every push to main, every pull request targeting main, and on a weekly schedule every Monday morning. When vulnerabilities at high severity or above are found, the job fails so they do not go unnoticed in CI. Results are also exported as a SARIF file and uploaded to GitHub Code Scanning, which surfaces findings directly on the Security tab with file and line context.
All Actions are pinned to immutable commit SHAs rather than mutable version tags, so the supply chain for the workflow itself is locked down.
A companion PR with direct dependency upgrades is coming separately once this is reviewed.
Full documentation and the OWASP project page are at https://owasp.org/cve-lite-cli
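The description says every Action in the workflow is pinned to an immutable commit SHA. The check below is an added example (not the PR's workflow file, and not CVE Lite code) of how a reviewer can verify that claim mechanically: it walks every `uses:` line in a workflow and flags refs that are not a full 40-hex commit SHA, plus SHA pins that lack the `# vX.Y.Z` comment that tools such as Dependabot use to track what the SHA corresponds to. The embedded workflow is constructed for the example; it copies the triggers the PR describes (push to main, pull_request to main, weekly Monday cron), but the action names, the placeholder SHA and the `run` step are assumptions, not the contents of this PR.

```python
import re

# Constructed sample workflow for this example. The triggers mirror the PR
# description; the action names, the 40-hex value (a placeholder, not a real
# commit) and the `run` step are assumptions, not the PR's actual file.
SAMPLE_WORKFLOW = """\
name: dependency-audit
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'
permissions:
  contents: read
  security-events: write
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: actions/cache@v4
      - run: echo "placeholder for the CVE Lite scan of pnpm-lock.yaml"
      - uses: github/codeql-action/upload-sarif@main
"""

# `uses: owner/repo@ref   # optional comment` on a single line.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<target>[^\s#]+)\s*(?:#\s*(?P<comment>.*\S))?\s*$"
)
# A full commit SHA is the only ref GitHub treats as immutable;
# tags and branches can be moved or force-pushed by the action's maintainer.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+)*")


def iter_uses(workflow_text):
    """Yield (action, ref, trailing_comment) for each remote `uses:` step."""
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        # Local composite actions and docker:// images are not GitHub refs.
        if target.startswith(("./", "docker://")):
            continue
        action, _, ref = target.partition("@")
        yield action, ref, m.group("comment") or ""


def audit_pins(workflow_text):
    """Classify each action as unpinned (mutable ref) or pinned-without-version-comment."""
    unpinned, no_version_comment = [], []
    for action, ref, comment in iter_uses(workflow_text):
        if not FULL_SHA_RE.match(ref):
            unpinned.append(f"{action}@{ref}")
        elif not VERSION_COMMENT_RE.match(comment):
            no_version_comment.append(f"{action}@{ref}")
    return {"unpinned": unpinned, "no_version_comment": no_version_comment}


def main():
    result = audit_pins(SAMPLE_WORKFLOW)
    for item in result["unpinned"]:
        print(f"UNPINNED (mutable tag/branch): {item}")
    for item in result["no_version_comment"]:
        print(f"pinned but no version comment: {item}")
    # Fail the job if anything is unpinned, matching the PR's fail-loud stance.
    return 1 if result["unpinned"] else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

On the sample above, `actions/cache@v4` and `upload-sarif@main` are reported as unpinned and the `setup-node` pin is reported as lacking a version comment; the `checkout` step passes both checks. Run the same function over the workflow file this PR adds to confirm the "all pinned" claim rather than taking it on trust.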