ci: add CVE Lite dependency audit workflow#2819

Open
sonukapoor wants to merge 1 commit into solidjs:main from sonukapoor:ci/add-cve-lite-vulnerability-scan

Conversation

@sonukapoor

This PR adds a CVE Lite dependency audit workflow to help catch vulnerable dependencies before they land in main.

CVE Lite CLI is an OWASP Lab Project that scans lockfiles locally without installing packages. It reads the pnpm lockfile directly, queries the OSV vulnerability database, and classifies findings as direct or transitive so you know exactly what you control. A scan of the current main branch found 34 findings total - 3 critical, 16 high, 14 medium, and 1 low.

The workflow runs on every push to main, every pull request targeting main, and on a weekly schedule every Monday morning. When vulnerabilities at high severity or above are found, the job fails so they do not go unnoticed in CI. Results are also exported as a SARIF file and uploaded to GitHub Code Scanning, which surfaces findings directly on the Security tab with file and line context.

All Actions are pinned to immutable commit SHAs rather than mutable version tags, so the supply chain for the workflow itself is locked down.

A companion PR with direct dependency upgrades is coming separately once this is reviewed.

Full documentation and the OWASP project page are at https://owasp.org/cve-lite-cli
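The "fail the job at high severity or above" gate described above, as an added example that is not part of this PR or of CVE Lite: a small Python check over a SARIF report that buckets each result by the rule's `security-severity` property, using the score ranges GitHub Code Scanning applies. The sample report, rule ids and package names are constructed placeholders, and whether CVE Lite populates `security-severity` is an assumption.

```python
import json
import sys

# Bucket floors GitHub Code Scanning applies to the optional SARIF rule
# property "security-severity" (a CVSS base score stored as a string).
BUCKETS = (("critical", 9.0), ("high", 7.0), ("medium", 4.0), ("low", 0.1))
RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "none": 0}


def bucket(score):
    """Map a CVSS-style score to a severity bucket ('none' if unscored)."""
    for name, floor in BUCKETS:
        if score >= floor:
            return name
    return "none"


def count_by_severity(sarif):
    """Count SARIF results per bucket, resolving each result's rule metadata."""
    counts = {name: 0 for name in RANK}
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for result in run.get("results", []):
            props = rules.get(result.get("ruleId"), {}).get("properties", {})
            counts[bucket(float(props.get("security-severity", 0)))] += 1
    return counts


def should_fail(counts, threshold="high"):
    """True when any finding sits at or above the threshold bucket."""
    return any(counts[name] for name in RANK if RANK[name] >= RANK[threshold])


# Constructed sample report (not real CVE Lite output); rule ids, package
# names and scores are placeholders chosen to exercise the buckets.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-scanner", "rules": [
        {"id": "OSV-EXAMPLE-1", "properties": {"security-severity": "9.8"}},
        {"id": "OSV-EXAMPLE-2", "properties": {"security-severity": "7.5"}},
        {"id": "OSV-EXAMPLE-3", "properties": {"security-severity": "5.3"}},
    ]}},
    "results": [
        {"ruleId": "OSV-EXAMPLE-1", "message": {"text": "placeholder-pkg-a (direct)"}},
        {"ruleId": "OSV-EXAMPLE-2", "message": {"text": "placeholder-pkg-b (transitive)"}},
        {"ruleId": "OSV-EXAMPLE-3", "message": {"text": "placeholder-pkg-c (transitive)"}},
        {"ruleId": "OSV-EXAMPLE-3", "message": {"text": "placeholder-pkg-d (transitive)"}},
    ],
}]}

if __name__ == "__main__":  # pass a SARIF path to gate a real report
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    sys.exit(1 if should_fail(count_by_severity(report)) else 0)
```

Results whose rule carries no `security-severity` land in the `none` bucket and never trip the gate, so a production gate should also fall back to the result's `level` field rather than silently passing unscored findings.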

@changeset-bot

changeset-bot Bot commented Jul 3, 2026

⚠️ No Changeset found

Latest commit: 2cc01f7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types
