blockworks-foundation / liquidator-v3

Mango Markets V3 Liquidator Bot
MIT License

Automated security scanning #12

Closed silas-x closed 2 years ago

silas-x commented 2 years ago

Contents of the PR

  1. Addition of an action that runs the CodeQL static application security testing tool. This tool identifies security bugs and unsafe coding practices and supports a range of languages. In this case, it's configured for JS/TS.

  2. Addition of an action that runs Trivy in repository mode. This tool scans dependencies in the software composition and reports on any vulnerable dependencies with fixes available. If a critical vulnerability with a fix is found, the job fails. For lower severities, it warns and logs (this can be tweaked).

Both CodeQL and Trivy log security issues in the GitHub security tab, where the team can get context related to an issue and decide on a course of action with an audit trail.
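An added example of a workflow with the behaviour described above (this is not the PR's own file; the workflow name, job ids and the SARIF output path are assumed). CodeQL runs once for JS/TS, and Trivy runs twice over the checked-out repository: a first pass uploads every finding to the Security tab without failing, and a second pass fails the job only for CRITICAL findings that already have a fix.

```yaml
# Added example workflow; not the PR's own file. Workflow name, job ids
# and the SARIF output path are assumptions.
name: security-scans

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # required to upload SARIF results to the Security tab

jobs:
  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: javascript   # the "javascript" pack covers both JS and TS
      - uses: github/codeql-action/analyze@v2

  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Pass 1: report all severities to the Security tab, never fail here.
      # Pin trivy-action to a release tag or commit SHA in a real repository.
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs            # repository (filesystem) mode
          scan-ref: .
          format: sarif
          output: trivy-results.sarif
          severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
          exit-code: '0'
      - uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: trivy-results.sarif
      # Pass 2: gate the job only on CRITICAL findings that have a fix available.
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          format: table
          severity: CRITICAL
          ignore-unfixed: true
          exit-code: '1'
```

To make HIGH findings fail as well, change `severity: CRITICAL` in the second pass to `severity: HIGH,CRITICAL`.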

riordanp commented 2 years ago

Thanks for this!