Elgato_dark/ToolJet
1
0
Fork 0
mirror of https://github.com/ToolJet/ToolJet synced 2026-04-21 13:37:28 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Merge pull request #15560 from ToolJet/vulnerability-ci-update-2.0-develop

Browse source
This commit is contained in:
Adish M 2026-03-13 21:03:42 +05:30 committed by GitHub
commit 3821ae520a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 580 additions and 42 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

622
.github/workflows/vulnerability-ci.yml vendored
View file

@ -32,27 +32,109 @@ jobs:
- name: Install dependencies
run: npm --prefix frontend install
- name: Running security audit
- name: Running security audit (before fix)
run: npm --prefix frontend audit --json > Periodic-frontend-audit-before.json
continue-on-error: true
- name: Parse audit summary (before fix)
id: parse-audit-before
run: |
if [ -f Periodic-frontend-audit-before.json ]; then
vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-frontend-audit-before.json)
moderate=$(echo $vulnerabilities | jq '.moderate')
high=$(echo $vulnerabilities | jq '.high')
critical=$(echo $vulnerabilities | jq '.critical')
echo "moderate=$moderate" >> $GITHUB_OUTPUT
echo "high=$high" >> $GITHUB_OUTPUT
echo "critical=$critical" >> $GITHUB_OUTPUT
else
echo "moderate=0" >> $GITHUB_OUTPUT
echo "high=0" >> $GITHUB_OUTPUT
echo "critical=0" >> $GITHUB_OUTPUT
fi
- name: Attempt to fix vulnerabilities
run: npm --prefix frontend audit fix
continue-on-error: true
- name: Running security audit (after fix)
run: npm --prefix frontend audit --json > Periodic-frontend-audit.json
continue-on-error: true
- name: Parse audit summary
- name: Parse audit summary (after fix)
id: parse-audit
run: |
vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-frontend-audit.json)
moderate=$(echo $vulnerabilities | jq '.moderate')
high=$(echo $vulnerabilities | jq '.high')
critical=$(echo $vulnerabilities | jq '.critical')
echo "moderate=$moderate" >> $GITHUB_OUTPUT
echo "high=$high" >> $GITHUB_OUTPUT
echo "critical=$critical" >> $GITHUB_OUTPUT
if [ -f Periodic-frontend-audit.json ]; then
vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-frontend-audit.json)
moderate=$(echo $vulnerabilities | jq '.moderate')
high=$(echo $vulnerabilities | jq '.high')
critical=$(echo $vulnerabilities | jq '.critical')
echo "moderate=$moderate" >> $GITHUB_OUTPUT
echo "high=$high" >> $GITHUB_OUTPUT
echo "critical=$critical" >> $GITHUB_OUTPUT
else
echo "moderate=0" >> $GITHUB_OUTPUT
echo "high=0" >> $GITHUB_OUTPUT
echo "critical=0" >> $GITHUB_OUTPUT
fi
- name: Check for changes
id: check-changes
run: |
git add frontend/package-lock.json
if git diff --staged --quiet; then
echo "has_changes=false" >> $GITHUB_OUTPUT
else
echo "has_changes=true" >> $GITHUB_OUTPUT
fi
- name: Create Pull Request
if: steps.check-changes.outputs.has_changes == 'true'
id: create-pr
uses: peter-evans/create-pull-request@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
add-paths: |
frontend/package-lock.json
commit-message: "fix: automated security fixes for frontend dependencies"
branch: automated-security-fixes/frontend-${{ github.run_id }}
base: lts-3.16
title: "[Security] Automated Dependency Fixes - Frontend"
body: |
## Automated Security Fixes
This PR contains automated dependency updates generated via npm audit fix.
### Scope
Frontend
### Vulnerabilities
**Before:**
- Critical: ${{ steps.parse-audit-before.outputs.critical }}
- High: ${{ steps.parse-audit-before.outputs.high }}
- Moderate: ${{ steps.parse-audit-before.outputs.moderate }}
**After:**
- Critical: ${{ steps.parse-audit.outputs.critical }}
- High: ${{ steps.parse-audit.outputs.high }}
- Moderate: ${{ steps.parse-audit.outputs.moderate }}
⚠️ Some vulnerabilities may remain and require manual upgrades.
**Audit Report:** [Download Full Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
Generated by: Vulnerability CI
reviewers: kavinvenkatachalam,johnsoncherian
labels: security,automated
- name: Upload audit report
if: always()
uses: actions/upload-artifact@v4
with:
name: Periodic-frontend-audit-report
path: Periodic-frontend-audit.json
retention-days: 7
if-no-files-found: warn
- name: Determine notification color
id: determine-color
@ -74,6 +156,56 @@ jobs:
- name: Send Slack Notification
run: |
PR_CREATED="${{ steps.check-changes.outputs.has_changes }}"
PR_URL="${{ steps.create-pr.outputs.pull-request-url }}"
if [ "$PR_CREATED" == "true" ]; then
PR_SECTION=' ,
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "🔧 *Automated Fix PR Created*"
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "<PR_URL_PLACEHOLDER|View Pull Request>"
}
},
{
"type": "section",
"fields": [
{
"type": "mrkdwn",
"text": "*Before:*\\nCritical: BEFORE_CRITICAL | High: BEFORE_HIGH | Moderate: BEFORE_MODERATE"
},
{
"type": "mrkdwn",
"text": "*After:*\\nCritical: AFTER_CRITICAL | High: AFTER_HIGH | Moderate: AFTER_MODERATE"
}
]
}'
PR_SECTION="${PR_SECTION//PR_URL_PLACEHOLDER/$PR_URL}"
PR_SECTION="${PR_SECTION//BEFORE_CRITICAL/${{ steps.parse-audit-before.outputs.critical }}}"
PR_SECTION="${PR_SECTION//BEFORE_HIGH/${{ steps.parse-audit-before.outputs.high }}}"
PR_SECTION="${PR_SECTION//BEFORE_MODERATE/${{ steps.parse-audit-before.outputs.moderate }}}"
PR_SECTION="${PR_SECTION//AFTER_CRITICAL/${{ steps.parse-audit.outputs.critical }}}"
PR_SECTION="${PR_SECTION//AFTER_HIGH/${{ steps.parse-audit.outputs.high }}}"
PR_SECTION="${PR_SECTION//AFTER_MODERATE/${{ steps.parse-audit.outputs.moderate }}}"
else
PR_SECTION=' ,
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": " *No auto-fixable vulnerabilities found*"
}
}'
fi
payload=$(cat <<EOF
{
"attachments": [
@ -139,7 +271,7 @@ jobs:
"text": "📊 *Total:*\\n${{ steps.determine-color.outputs.total }}"
}
]
},
}${PR_SECTION},
{
"type": "divider"
},
@ -196,27 +328,109 @@ jobs:
- name: Install dependencies
run: npm --prefix server install
- name: Running security audit
- name: Running security audit (before fix)
run: npm --prefix server audit --json > Periodic-server-audit-before.json
continue-on-error: true
- name: Parse audit summary (before fix)
id: parse-audit-before
run: |
if [ -f Periodic-server-audit-before.json ]; then
vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-server-audit-before.json)
moderate=$(echo $vulnerabilities | jq '.moderate')
high=$(echo $vulnerabilities | jq '.high')
critical=$(echo $vulnerabilities | jq '.critical')
echo "moderate=$moderate" >> $GITHUB_OUTPUT
echo "high=$high" >> $GITHUB_OUTPUT
echo "critical=$critical" >> $GITHUB_OUTPUT
else
echo "moderate=0" >> $GITHUB_OUTPUT
echo "high=0" >> $GITHUB_OUTPUT
echo "critical=0" >> $GITHUB_OUTPUT
fi
- name: Attempt to fix vulnerabilities
run: npm --prefix server audit fix
continue-on-error: true
- name: Running security audit (after fix)
run: npm --prefix server audit --json > Periodic-server-audit.json
continue-on-error: true
- name: Parse audit summary
- name: Parse audit summary (after fix)
id: parse-audit
run: |
vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-server-audit.json)
moderate=$(echo $vulnerabilities | jq '.moderate')
high=$(echo $vulnerabilities | jq '.high')
critical=$(echo $vulnerabilities | jq '.critical')
echo "moderate=$moderate" >> $GITHUB_OUTPUT
echo "high=$high" >> $GITHUB_OUTPUT
echo "critical=$critical" >> $GITHUB_OUTPUT
if [ -f Periodic-server-audit.json ]; then
vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-server-audit.json)
moderate=$(echo $vulnerabilities | jq '.moderate')
high=$(echo $vulnerabilities | jq '.high')
critical=$(echo $vulnerabilities | jq '.critical')
echo "moderate=$moderate" >> $GITHUB_OUTPUT
echo "high=$high" >> $GITHUB_OUTPUT
echo "critical=$critical" >> $GITHUB_OUTPUT
else
echo "moderate=0" >> $GITHUB_OUTPUT
echo "high=0" >> $GITHUB_OUTPUT
echo "critical=0" >> $GITHUB_OUTPUT
fi
- name: Check for changes
id: check-changes
run: |
git add server/package-lock.json
if git diff --staged --quiet; then
echo "has_changes=false" >> $GITHUB_OUTPUT
else
echo "has_changes=true" >> $GITHUB_OUTPUT
fi
- name: Create Pull Request
if: steps.check-changes.outputs.has_changes == 'true'
id: create-pr
uses: peter-evans/create-pull-request@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
add-paths: |
server/package-lock.json
commit-message: "fix: automated security fixes for server dependencies"
branch: automated-security-fixes/server-${{ github.run_id }}
base: lts-3.16
title: "[Security] Automated Dependency Fixes - Server"
body: |
## Automated Security Fixes
This PR contains automated dependency updates generated via npm audit fix.
### Scope
Server
### Vulnerabilities
**Before:**
- Critical: ${{ steps.parse-audit-before.outputs.critical }}
- High: ${{ steps.parse-audit-before.outputs.high }}
- Moderate: ${{ steps.parse-audit-before.outputs.moderate }}
**After:**
- Critical: ${{ steps.parse-audit.outputs.critical }}
- High: ${{ steps.parse-audit.outputs.high }}
- Moderate: ${{ steps.parse-audit.outputs.moderate }}
⚠️ Some vulnerabilities may remain and require manual upgrades.
**Audit Report:** [Download Full Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
Generated by: Vulnerability CI
reviewers: gsmithun4
labels: security,automated
- name: Upload audit report
if: always()
uses: actions/upload-artifact@v4
with:
name: Periodic-server-audit-report
path: Periodic-server-audit.json
retention-days: 7
if-no-files-found: warn
- name: Determine notification color
id: determine-color
@ -238,6 +452,56 @@ jobs:
- name: Send Slack Notification
run: |
PR_CREATED="${{ steps.check-changes.outputs.has_changes }}"
PR_URL="${{ steps.create-pr.outputs.pull-request-url }}"
if [ "$PR_CREATED" == "true" ]; then
PR_SECTION=' ,
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "🔧 *Automated Fix PR Created*"
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "<PR_URL_PLACEHOLDER|View Pull Request>"
}
},
{
"type": "section",
"fields": [
{
"type": "mrkdwn",
"text": "*Before:*\\nCritical: BEFORE_CRITICAL | High: BEFORE_HIGH | Moderate: BEFORE_MODERATE"
},
{
"type": "mrkdwn",
"text": "*After:*\\nCritical: AFTER_CRITICAL | High: AFTER_HIGH | Moderate: AFTER_MODERATE"
}
]
}'
PR_SECTION="${PR_SECTION//PR_URL_PLACEHOLDER/$PR_URL}"
PR_SECTION="${PR_SECTION//BEFORE_CRITICAL/${{ steps.parse-audit-before.outputs.critical }}}"
PR_SECTION="${PR_SECTION//BEFORE_HIGH/${{ steps.parse-audit-before.outputs.high }}}"
PR_SECTION="${PR_SECTION//BEFORE_MODERATE/${{ steps.parse-audit-before.outputs.moderate }}}"
PR_SECTION="${PR_SECTION//AFTER_CRITICAL/${{ steps.parse-audit.outputs.critical }}}"
PR_SECTION="${PR_SECTION//AFTER_HIGH/${{ steps.parse-audit.outputs.high }}}"
PR_SECTION="${PR_SECTION//AFTER_MODERATE/${{ steps.parse-audit.outputs.moderate }}}"
else
PR_SECTION=' ,
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": " *No auto-fixable vulnerabilities found*"
}
}'
fi
payload=$(cat <<EOF
{
"attachments": [
@ -303,7 +567,7 @@ jobs:
"text": "📊 *Total:*\\n${{ steps.determine-color.outputs.total }}"
}
]
},
}${PR_SECTION},
{
"type": "divider"
},
@ -514,7 +778,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v3
with:
ref: refs/heads/lts-3.16
ref: refs/heads/main
- name: Use Node.js 22.15.1
uses: actions/setup-node@v3
@ -524,27 +788,109 @@ jobs:
- name: Install dependencies
run: npm --prefix plugins install
- name: Running security audit
- name: Running security audit (before fix)
run: npm --prefix plugins audit --json > Periodic-plugins-audit-before.json
continue-on-error: true
- name: Parse audit summary (before fix)
id: parse-audit-before
run: |
if [ -f Periodic-plugins-audit-before.json ]; then
vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-plugins-audit-before.json)
moderate=$(echo $vulnerabilities | jq '.moderate')
high=$(echo $vulnerabilities | jq '.high')
critical=$(echo $vulnerabilities | jq '.critical')
echo "moderate=$moderate" >> $GITHUB_OUTPUT
echo "high=$high" >> $GITHUB_OUTPUT
echo "critical=$critical" >> $GITHUB_OUTPUT
else
echo "moderate=0" >> $GITHUB_OUTPUT
echo "high=0" >> $GITHUB_OUTPUT
echo "critical=0" >> $GITHUB_OUTPUT
fi
- name: Attempt to fix vulnerabilities
run: npm --prefix plugins audit fix
continue-on-error: true
- name: Running security audit (after fix)
run: npm --prefix plugins audit --json > Periodic-plugins-audit.json
continue-on-error: true
- name: Parse audit summary
- name: Parse audit summary (after fix)
id: parse-audit
run: |
vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-plugins-audit.json)
moderate=$(echo $vulnerabilities | jq '.moderate')
high=$(echo $vulnerabilities | jq '.high')
critical=$(echo $vulnerabilities | jq '.critical')
echo "moderate=$moderate" >> $GITHUB_OUTPUT
echo "high=$high" >> $GITHUB_OUTPUT
echo "critical=$critical" >> $GITHUB_OUTPUT
if [ -f Periodic-plugins-audit.json ]; then
vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-plugins-audit.json)
moderate=$(echo $vulnerabilities | jq '.moderate')
high=$(echo $vulnerabilities | jq '.high')
critical=$(echo $vulnerabilities | jq '.critical')
echo "moderate=$moderate" >> $GITHUB_OUTPUT
echo "high=$high" >> $GITHUB_OUTPUT
echo "critical=$critical" >> $GITHUB_OUTPUT
else
echo "moderate=0" >> $GITHUB_OUTPUT
echo "high=0" >> $GITHUB_OUTPUT
echo "critical=0" >> $GITHUB_OUTPUT
fi
- name: Check for changes
id: check-changes
run: |
git add plugins/package-lock.json
if git diff --staged --quiet; then
echo "has_changes=false" >> $GITHUB_OUTPUT
else
echo "has_changes=true" >> $GITHUB_OUTPUT
fi
- name: Create Pull Request
if: steps.check-changes.outputs.has_changes == 'true'
id: create-pr
uses: peter-evans/create-pull-request@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
add-paths: |
plugins/package-lock.json
commit-message: "fix: automated security fixes for plugins dependencies"
branch: automated-security-fixes/plugins-${{ github.run_id }}
base: main
title: "[Security] Automated Dependency Fixes - Plugins"
body: |
## Automated Security Fixes
This PR contains automated dependency updates generated via npm audit fix.
### Scope
Plugins
### Vulnerabilities
**Before:**
- Critical: ${{ steps.parse-audit-before.outputs.critical }}
- High: ${{ steps.parse-audit-before.outputs.high }}
- Moderate: ${{ steps.parse-audit-before.outputs.moderate }}
**After:**
- Critical: ${{ steps.parse-audit.outputs.critical }}
- High: ${{ steps.parse-audit.outputs.high }}
- Moderate: ${{ steps.parse-audit.outputs.moderate }}
⚠️ Some vulnerabilities may remain and require manual upgrades.
**Audit Report:** [Download Full Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
Generated by: Vulnerability CI
reviewers: gsmithun4
labels: security,automated
- name: Upload audit report
if: always()
uses: actions/upload-artifact@v4
with:
name: Periodic-plugins-audit-report
path: Periodic-plugins-audit.json
retention-days: 7
if-no-files-found: warn
- name: Determine notification color
id: determine-color
@ -566,6 +912,56 @@ jobs:
- name: Send Slack Notification
run: |
PR_CREATED="${{ steps.check-changes.outputs.has_changes }}"
PR_URL="${{ steps.create-pr.outputs.pull-request-url }}"
if [ "$PR_CREATED" == "true" ]; then
PR_SECTION=' ,
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "🔧 *Automated Fix PR Created*"
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "<PR_URL_PLACEHOLDER|View Pull Request>"
}
},
{
"type": "section",
"fields": [
{
"type": "mrkdwn",
"text": "*Before:*\\nCritical: BEFORE_CRITICAL | High: BEFORE_HIGH | Moderate: BEFORE_MODERATE"
},
{
"type": "mrkdwn",
"text": "*After:*\\nCritical: AFTER_CRITICAL | High: AFTER_HIGH | Moderate: AFTER_MODERATE"
}
]
}'
PR_SECTION="${PR_SECTION//PR_URL_PLACEHOLDER/$PR_URL}"
PR_SECTION="${PR_SECTION//BEFORE_CRITICAL/${{ steps.parse-audit-before.outputs.critical }}}"
PR_SECTION="${PR_SECTION//BEFORE_HIGH/${{ steps.parse-audit-before.outputs.high }}}"
PR_SECTION="${PR_SECTION//BEFORE_MODERATE/${{ steps.parse-audit-before.outputs.moderate }}}"
PR_SECTION="${PR_SECTION//AFTER_CRITICAL/${{ steps.parse-audit.outputs.critical }}}"
PR_SECTION="${PR_SECTION//AFTER_HIGH/${{ steps.parse-audit.outputs.high }}}"
PR_SECTION="${PR_SECTION//AFTER_MODERATE/${{ steps.parse-audit.outputs.moderate }}}"
else
PR_SECTION=' ,
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": " *No auto-fixable vulnerabilities found*"
}
}'
fi
payload=$(cat <<EOF
{
"attachments": [
@ -593,7 +989,7 @@ jobs:
},
{
"type": "mrkdwn",
"text": "*Branch:*\\nlts-3.16"
"text": "*Branch:*\\nmain"
},
{
"type": "mrkdwn",
@ -631,7 +1027,7 @@ jobs:
"text": "📊 *Total:*\\n${{ steps.determine-color.outputs.total }}"
}
]
},
}${PR_SECTION},
{
"type": "divider"
},
@ -688,27 +1084,109 @@ jobs:
- name: Install dependencies
run: npm install
- name: Running security audit
- name: Running security audit (before fix)
run: npm audit --json > Periodic-root-audit-before.json
continue-on-error: true
- name: Parse audit summary (before fix)
id: parse-audit-before
run: |
if [ -f Periodic-root-audit-before.json ]; then
vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-root-audit-before.json)
moderate=$(echo $vulnerabilities | jq '.moderate')
high=$(echo $vulnerabilities | jq '.high')
critical=$(echo $vulnerabilities | jq '.critical')
echo "moderate=$moderate" >> $GITHUB_OUTPUT
echo "high=$high" >> $GITHUB_OUTPUT
echo "critical=$critical" >> $GITHUB_OUTPUT
else
echo "moderate=0" >> $GITHUB_OUTPUT
echo "high=0" >> $GITHUB_OUTPUT
echo "critical=0" >> $GITHUB_OUTPUT
fi
- name: Attempt to fix vulnerabilities
run: npm audit fix
continue-on-error: true
- name: Running security audit (after fix)
run: npm audit --json > Periodic-root-audit.json
continue-on-error: true
- name: Parse audit summary
- name: Parse audit summary (after fix)
id: parse-audit
run: |
vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-root-audit.json)
moderate=$(echo $vulnerabilities | jq '.moderate')
high=$(echo $vulnerabilities | jq '.high')
critical=$(echo $vulnerabilities | jq '.critical')
echo "moderate=$moderate" >> $GITHUB_OUTPUT
echo "high=$high" >> $GITHUB_OUTPUT
echo "critical=$critical" >> $GITHUB_OUTPUT
if [ -f Periodic-root-audit.json ]; then
vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-root-audit.json)
moderate=$(echo $vulnerabilities | jq '.moderate')
high=$(echo $vulnerabilities | jq '.high')
critical=$(echo $vulnerabilities | jq '.critical')
echo "moderate=$moderate" >> $GITHUB_OUTPUT
echo "high=$high" >> $GITHUB_OUTPUT
echo "critical=$critical" >> $GITHUB_OUTPUT
else
echo "moderate=0" >> $GITHUB_OUTPUT
echo "high=0" >> $GITHUB_OUTPUT
echo "critical=0" >> $GITHUB_OUTPUT
fi
- name: Check for changes
id: check-changes
run: |
git add package-lock.json
if git diff --staged --quiet; then
echo "has_changes=false" >> $GITHUB_OUTPUT
else
echo "has_changes=true" >> $GITHUB_OUTPUT
fi
- name: Create Pull Request
if: steps.check-changes.outputs.has_changes == 'true'
id: create-pr
uses: peter-evans/create-pull-request@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
add-paths: |
package-lock.json
commit-message: "fix: automated security fixes for root dependencies"
branch: automated-security-fixes/root-${{ github.run_id }}
base: lts-3.16
title: "[Security] Automated Dependency Fixes - Root"
body: |
## Automated Security Fixes
This PR contains automated dependency updates generated via npm audit fix.
### Scope
Root
### Vulnerabilities
**Before:**
- Critical: ${{ steps.parse-audit-before.outputs.critical }}
- High: ${{ steps.parse-audit-before.outputs.high }}
- Moderate: ${{ steps.parse-audit-before.outputs.moderate }}
**After:**
- Critical: ${{ steps.parse-audit.outputs.critical }}
- High: ${{ steps.parse-audit.outputs.high }}
- Moderate: ${{ steps.parse-audit.outputs.moderate }}
⚠️ Some vulnerabilities may remain and require manual upgrades.
**Audit Report:** [Download Full Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
Generated by: Vulnerability CI
reviewers: gsmithun4
labels: security,automated
- name: Upload audit report
if: always()
uses: actions/upload-artifact@v4
with:
name: Periodic-root-audit-report
path: Periodic-root-audit.json
retention-days: 7
if-no-files-found: warn
- name: Determine notification color
id: determine-color
@ -730,6 +1208,56 @@ jobs:
- name: Send Slack Notification
run: |
PR_CREATED="${{ steps.check-changes.outputs.has_changes }}"
PR_URL="${{ steps.create-pr.outputs.pull-request-url }}"
if [ "$PR_CREATED" == "true" ]; then
PR_SECTION=' ,
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "🔧 *Automated Fix PR Created*"
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "<PR_URL_PLACEHOLDER|View Pull Request>"
}
},
{
"type": "section",
"fields": [
{
"type": "mrkdwn",
"text": "*Before:*\\nCritical: BEFORE_CRITICAL | High: BEFORE_HIGH | Moderate: BEFORE_MODERATE"
},
{
"type": "mrkdwn",
"text": "*After:*\\nCritical: AFTER_CRITICAL | High: AFTER_HIGH | Moderate: AFTER_MODERATE"
}
]
}'
PR_SECTION="${PR_SECTION//PR_URL_PLACEHOLDER/$PR_URL}"
PR_SECTION="${PR_SECTION//BEFORE_CRITICAL/${{ steps.parse-audit-before.outputs.critical }}}"
PR_SECTION="${PR_SECTION//BEFORE_HIGH/${{ steps.parse-audit-before.outputs.high }}}"
PR_SECTION="${PR_SECTION//BEFORE_MODERATE/${{ steps.parse-audit-before.outputs.moderate }}}"
PR_SECTION="${PR_SECTION//AFTER_CRITICAL/${{ steps.parse-audit.outputs.critical }}}"
PR_SECTION="${PR_SECTION//AFTER_HIGH/${{ steps.parse-audit.outputs.high }}}"
PR_SECTION="${PR_SECTION//AFTER_MODERATE/${{ steps.parse-audit.outputs.moderate }}}"
else
PR_SECTION=' ,
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": " *No auto-fixable vulnerabilities found*"
}
}'
fi
payload=$(cat <<EOF
{
"attachments": [
@ -795,7 +1323,7 @@ jobs:
"text": "📊 *Total:*\\n${{ steps.determine-color.outputs.total }}"
}
]
},
}${PR_SECTION},
{
"type": "divider"
},
@ -868,11 +1396,13 @@ jobs:
echo "critical=$critical" >> $GITHUB_OUTPUT
- name: Upload audit report
if: always()
uses: actions/upload-artifact@v4
with:
name: frontend-audit-report
path: frontend-audit.json
retention-days: 7
if-no-files-found: warn
- name: Create or update PR comment
uses: peter-evans/create-or-update-comment@v1
@ -923,11 +1453,13 @@ jobs:
echo "critical=$critical" >> $GITHUB_OUTPUT
- name: Upload audit report
if: always()
uses: actions/upload-artifact@v4
with:
name: server-audit-report
path: server-audit.json
retention-days: 7
if-no-files-found: warn
- name: Create or update PR comment
uses: peter-evans/create-or-update-comment@v1
@ -978,11 +1510,13 @@ jobs:
echo "critical=$critical" >> $GITHUB_OUTPUT
- name: Upload audit report
if: always()
uses: actions/upload-artifact@v4
with:
name: marketplace-audit-report
path: marketplace-audit.json
retention-days: 7
if-no-files-found: warn
- name: Create or update PR comment
uses: peter-evans/create-or-update-comment@v1
@ -1032,11 +1566,13 @@ jobs:
echo "critical=$critical" >> $GITHUB_OUTPUT
- name: Upload audit report
if: always()
uses: actions/upload-artifact@v4
with:
name: plugins-audit-report
path: plugins-audit.json
retention-days: 7
if-no-files-found: warn
- name: Create or update PR comment
uses: peter-evans/create-or-update-comment@v1
@ -1087,11 +1623,13 @@ jobs:
echo "critical=$critical" >> $GITHUB_OUTPUT
- name: Upload audit report
if: always()
uses: actions/upload-artifact@v4
with:
name: root-audit-report
path: root-audit.json
retention-days: 7
if-no-files-found: warn
- name: Create or update PR comment
uses: peter-evans/create-or-update-comment@v1