From 2cc01f792b76b13f16c13a9b2ead02625c083d8e Mon Sep 17 00:00:00 2001
From: Sonu Kapoor
Date: Fri, 3 Jul 2026 12:29:08 -0400
Subject: [PATCH] ci: add CVE Lite dependency audit workflow

---
 .github/workflows/cve-lite.yml | 36 ++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 .github/workflows/cve-lite.yml

diff --git a/.github/workflows/cve-lite.yml b/.github/workflows/cve-lite.yml
new file mode 100644
index 000000000..a5e7c7a35
--- /dev/null
+++ b/.github/workflows/cve-lite.yml
@@ -0,0 +1,36 @@
+name: CVE Lite dependency audit
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1'
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  scan:
+    name: Scan dependencies
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Scan for vulnerabilities
+        uses: OWASP/cve-lite-cli@2eed959b8641042472d2810444393b88d5454e62 # v1
+        with:
+          fail-on: high
+          sarif: 'true'
+
+      - name: Upload SARIF to Code Scanning
+        if: always() && hashFiles('*.sarif') != ''
+        uses: github/codeql-action/upload-sarif@411bbbe57033eedfc1a82d68c01345aa96c737d7 # v4
+        with:
+          sarif_file: cve-lite-*.sarif
+          category: cve-lite
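Review bot: The guard on the upload step checks `hashFiles('*.sarif')` while the upload itself only matches `cve-lite-*.sarif`, so a scanner output with any other name passes the guard and then fails the upload (and, because of `always()`, turns an otherwise-passing scan into a red run); the two patterns should agree, e.g. `if: always() && hashFiles('cve-lite-*.sarif') != ''`. The same step will also fail on pull requests opened from forks, where GITHUB_TOKEN is read-only regardless of the `security-events: write` declared here, so consider gating the upload with `github.event.pull_request.head.repo.fork == false` or accepting that fork PRs skip it. The `# v6` / `# v1` / `# v4` tag comments beside the pinned SHAs are not verified by the runner; add a comment such as `# SHA pins are the trust anchor; keep the tag comments accurate via Dependabot/Renovate` so a later bump does not silently drift from the tag. Whether `fail-on: high` also covers critical findings depends on the action's threshold semantics, which this hunk does not show — worth confirming against the action's documentation.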