name: Vulnerability CI # Controls when the workflow will run on: pull_request: types: [labeled, unlabeled, closed] # Allows you to run this workflow manually from the Actions tab workflow_dispatch: # Schedule the workflow to run weekly every Monday at 5:30 AM UTC schedule: - cron: "30 5 * * 1" jobs: PeriodicVulnerability-CheckOn-frontend-code: if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' runs-on: ubuntu-latest steps: - name: Checkout repository uses: actions/checkout@v3 with: ref: refs/heads/lts-3.16 - name: Use Node.js 22.15.1 uses: actions/setup-node@v3 with: node-version: 22.15.1 - name: Install dependencies run: npm --prefix frontend install - name: Running security audit (before fix) run: npm --prefix frontend audit --json > Periodic-frontend-audit-before.json continue-on-error: true - name: Parse audit summary (before fix) id: parse-audit-before run: | if [ -f Periodic-frontend-audit-before.json ]; then vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-frontend-audit-before.json) moderate=$(echo $vulnerabilities | jq '.moderate') high=$(echo $vulnerabilities | jq '.high') critical=$(echo $vulnerabilities | jq '.critical') echo "moderate=$moderate" >> $GITHUB_OUTPUT echo "high=$high" >> $GITHUB_OUTPUT echo "critical=$critical" >> $GITHUB_OUTPUT else echo "moderate=0" >> $GITHUB_OUTPUT echo "high=0" >> $GITHUB_OUTPUT echo "critical=0" >> $GITHUB_OUTPUT fi - name: Attempt to fix vulnerabilities run: npm --prefix frontend audit fix continue-on-error: true - name: Running security audit (after fix) run: npm --prefix frontend audit --json > Periodic-frontend-audit.json continue-on-error: true - name: Parse audit summary (after fix) id: parse-audit run: | if [ -f Periodic-frontend-audit.json ]; then vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-frontend-audit.json) moderate=$(echo $vulnerabilities | jq '.moderate') high=$(echo $vulnerabilities | jq '.high') critical=$(echo $vulnerabilities | jq '.critical') echo 
"moderate=$moderate" >> $GITHUB_OUTPUT echo "high=$high" >> $GITHUB_OUTPUT echo "critical=$critical" >> $GITHUB_OUTPUT else echo "moderate=0" >> $GITHUB_OUTPUT echo "high=0" >> $GITHUB_OUTPUT echo "critical=0" >> $GITHUB_OUTPUT fi - name: Check for changes id: check-changes run: | git add frontend/package-lock.json if git diff --staged --quiet; then echo "has_changes=false" >> $GITHUB_OUTPUT else echo "has_changes=true" >> $GITHUB_OUTPUT fi - name: Create Pull Request if: steps.check-changes.outputs.has_changes == 'true' id: create-pr uses: peter-evans/create-pull-request@v5 with: token: ${{ secrets.GITHUB_TOKEN }} add-paths: | frontend/package-lock.json commit-message: "fix: automated security fixes for frontend dependencies" branch: automated-security-fixes/frontend-${{ github.run_id }} base: lts-3.16 title: "[Security] Automated Dependency Fixes - Frontend" body: | ## Automated Security Fixes This PR contains automated dependency updates generated via npm audit fix. ### Scope Frontend ### Vulnerabilities **Before:** - Critical: ${{ steps.parse-audit-before.outputs.critical }} - High: ${{ steps.parse-audit-before.outputs.high }} - Moderate: ${{ steps.parse-audit-before.outputs.moderate }} **After:** - Critical: ${{ steps.parse-audit.outputs.critical }} - High: ${{ steps.parse-audit.outputs.high }} - Moderate: ${{ steps.parse-audit.outputs.moderate }} âš ī¸ Some vulnerabilities may remain and require manual upgrades. 
**Audit Report:** [Download Full Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) Generated by: Vulnerability CI reviewers: kavinvenkatachalam,johnsoncherian labels: security,automated - name: Upload audit report if: always() uses: actions/upload-artifact@v4 with: name: Periodic-frontend-audit-report path: Periodic-frontend-audit.json retention-days: 7 if-no-files-found: warn - name: Determine notification color id: determine-color run: | critical=${{ steps.parse-audit.outputs.critical }} high=${{ steps.parse-audit.outputs.high }} moderate=${{ steps.parse-audit.outputs.moderate }} total=$((critical + high + moderate)) if [ "$critical" -gt 0 ]; then echo "color=#FF0000" >> $GITHUB_OUTPUT elif [ "$high" -gt 0 ]; then echo "color=#FFA500" >> $GITHUB_OUTPUT else echo "color=#FFD700" >> $GITHUB_OUTPUT fi echo "total=$total" >> $GITHUB_OUTPUT - name: Send Slack Notification run: | PR_CREATED="${{ steps.check-changes.outputs.has_changes }}" PR_URL="${{ steps.create-pr.outputs.pull-request-url }}" if [ "$PR_CREATED" == "true" ]; then PR_SECTION=' , { "type": "section", "text": { "type": "mrkdwn", "text": "🔧 *Automated Fix PR Created*" } }, { "type": "section", "text": { "type": "mrkdwn", "text": "" } }, { "type": "section", "fields": [ { "type": "mrkdwn", "text": "*Before:*\\nCritical: BEFORE_CRITICAL | High: BEFORE_HIGH | Moderate: BEFORE_MODERATE" }, { "type": "mrkdwn", "text": "*After:*\\nCritical: AFTER_CRITICAL | High: AFTER_HIGH | Moderate: AFTER_MODERATE" } ] }' PR_SECTION="${PR_SECTION//PR_URL_PLACEHOLDER/$PR_URL}" PR_SECTION="${PR_SECTION//BEFORE_CRITICAL/${{ steps.parse-audit-before.outputs.critical }}}" PR_SECTION="${PR_SECTION//BEFORE_HIGH/${{ steps.parse-audit-before.outputs.high }}}" PR_SECTION="${PR_SECTION//BEFORE_MODERATE/${{ steps.parse-audit-before.outputs.moderate }}}" PR_SECTION="${PR_SECTION//AFTER_CRITICAL/${{ steps.parse-audit.outputs.critical }}}" PR_SECTION="${PR_SECTION//AFTER_HIGH/${{ 
steps.parse-audit.outputs.high }}}" PR_SECTION="${PR_SECTION//AFTER_MODERATE/${{ steps.parse-audit.outputs.moderate }}}" else PR_SECTION=' , { "type": "section", "text": { "type": "mrkdwn", "text": "â„šī¸ *No auto-fixable vulnerabilities found*" } }' fi payload=$(cat < Periodic-server-audit-before.json continue-on-error: true - name: Parse audit summary (before fix) id: parse-audit-before run: | if [ -f Periodic-server-audit-before.json ]; then vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-server-audit-before.json) moderate=$(echo $vulnerabilities | jq '.moderate') high=$(echo $vulnerabilities | jq '.high') critical=$(echo $vulnerabilities | jq '.critical') echo "moderate=$moderate" >> $GITHUB_OUTPUT echo "high=$high" >> $GITHUB_OUTPUT echo "critical=$critical" >> $GITHUB_OUTPUT else echo "moderate=0" >> $GITHUB_OUTPUT echo "high=0" >> $GITHUB_OUTPUT echo "critical=0" >> $GITHUB_OUTPUT fi - name: Attempt to fix vulnerabilities run: npm --prefix server audit fix continue-on-error: true - name: Running security audit (after fix) run: npm --prefix server audit --json > Periodic-server-audit.json continue-on-error: true - name: Parse audit summary (after fix) id: parse-audit run: | if [ -f Periodic-server-audit.json ]; then vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-server-audit.json) moderate=$(echo $vulnerabilities | jq '.moderate') high=$(echo $vulnerabilities | jq '.high') critical=$(echo $vulnerabilities | jq '.critical') echo "moderate=$moderate" >> $GITHUB_OUTPUT echo "high=$high" >> $GITHUB_OUTPUT echo "critical=$critical" >> $GITHUB_OUTPUT else echo "moderate=0" >> $GITHUB_OUTPUT echo "high=0" >> $GITHUB_OUTPUT echo "critical=0" >> $GITHUB_OUTPUT fi - name: Check for changes id: check-changes run: | git add server/package-lock.json if git diff --staged --quiet; then echo "has_changes=false" >> $GITHUB_OUTPUT else echo "has_changes=true" >> $GITHUB_OUTPUT fi - name: Create Pull Request if: steps.check-changes.outputs.has_changes == 
'true' id: create-pr uses: peter-evans/create-pull-request@v5 with: token: ${{ secrets.GITHUB_TOKEN }} add-paths: | server/package-lock.json commit-message: "fix: automated security fixes for server dependencies" branch: automated-security-fixes/server-${{ github.run_id }} base: lts-3.16 title: "[Security] Automated Dependency Fixes - Server" body: | ## Automated Security Fixes This PR contains automated dependency updates generated via npm audit fix. ### Scope Server ### Vulnerabilities **Before:** - Critical: ${{ steps.parse-audit-before.outputs.critical }} - High: ${{ steps.parse-audit-before.outputs.high }} - Moderate: ${{ steps.parse-audit-before.outputs.moderate }} **After:** - Critical: ${{ steps.parse-audit.outputs.critical }} - High: ${{ steps.parse-audit.outputs.high }} - Moderate: ${{ steps.parse-audit.outputs.moderate }} âš ī¸ Some vulnerabilities may remain and require manual upgrades. **Audit Report:** [Download Full Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) Generated by: Vulnerability CI reviewers: gsmithun4 labels: security,automated - name: Upload audit report if: always() uses: actions/upload-artifact@v4 with: name: Periodic-server-audit-report path: Periodic-server-audit.json retention-days: 7 if-no-files-found: warn - name: Determine notification color id: determine-color run: | critical=${{ steps.parse-audit.outputs.critical }} high=${{ steps.parse-audit.outputs.high }} moderate=${{ steps.parse-audit.outputs.moderate }} total=$((critical + high + moderate)) if [ "$critical" -gt 0 ]; then echo "color=#FF0000" >> $GITHUB_OUTPUT elif [ "$high" -gt 0 ]; then echo "color=#FFA500" >> $GITHUB_OUTPUT else echo "color=#FFD700" >> $GITHUB_OUTPUT fi echo "total=$total" >> $GITHUB_OUTPUT - name: Send Slack Notification run: | PR_CREATED="${{ steps.check-changes.outputs.has_changes }}" PR_URL="${{ steps.create-pr.outputs.pull-request-url }}" if [ "$PR_CREATED" == "true" ]; then PR_SECTION=' , { "type": 
"section", "text": { "type": "mrkdwn", "text": "🔧 *Automated Fix PR Created*" } }, { "type": "section", "text": { "type": "mrkdwn", "text": "" } }, { "type": "section", "fields": [ { "type": "mrkdwn", "text": "*Before:*\\nCritical: BEFORE_CRITICAL | High: BEFORE_HIGH | Moderate: BEFORE_MODERATE" }, { "type": "mrkdwn", "text": "*After:*\\nCritical: AFTER_CRITICAL | High: AFTER_HIGH | Moderate: AFTER_MODERATE" } ] }' PR_SECTION="${PR_SECTION//PR_URL_PLACEHOLDER/$PR_URL}" PR_SECTION="${PR_SECTION//BEFORE_CRITICAL/${{ steps.parse-audit-before.outputs.critical }}}" PR_SECTION="${PR_SECTION//BEFORE_HIGH/${{ steps.parse-audit-before.outputs.high }}}" PR_SECTION="${PR_SECTION//BEFORE_MODERATE/${{ steps.parse-audit-before.outputs.moderate }}}" PR_SECTION="${PR_SECTION//AFTER_CRITICAL/${{ steps.parse-audit.outputs.critical }}}" PR_SECTION="${PR_SECTION//AFTER_HIGH/${{ steps.parse-audit.outputs.high }}}" PR_SECTION="${PR_SECTION//AFTER_MODERATE/${{ steps.parse-audit.outputs.moderate }}}" else PR_SECTION=' , { "type": "section", "text": { "type": "mrkdwn", "text": "â„šī¸ *No auto-fixable vulnerabilities found*" } }' fi payload=$(cat < Periodic-marketplace-audit.json continue-on-error: true - name: Parse audit summary id: parse-audit run: | vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-marketplace-audit.json) moderate=$(echo $vulnerabilities | jq '.moderate') high=$(echo $vulnerabilities | jq '.high') critical=$(echo $vulnerabilities | jq '.critical') echo "moderate=$moderate" >> $GITHUB_OUTPUT echo "high=$high" >> $GITHUB_OUTPUT echo "critical=$critical" >> $GITHUB_OUTPUT - name: Upload audit report uses: actions/upload-artifact@v4 with: name: Periodic-marketplace-audit-report path: Periodic-marketplace-audit.json retention-days: 7 - name: Determine notification color id: determine-color run: | critical=${{ steps.parse-audit.outputs.critical }} high=${{ steps.parse-audit.outputs.high }} moderate=${{ steps.parse-audit.outputs.moderate }} total=$((critical + high + 
moderate)) if [ "$critical" -gt 0 ]; then echo "color=#FF0000" >> $GITHUB_OUTPUT elif [ "$high" -gt 0 ]; then echo "color=#FFA500" >> $GITHUB_OUTPUT else echo "color=#FFD700" >> $GITHUB_OUTPUT fi echo "total=$total" >> $GITHUB_OUTPUT - name: Send Slack Notification run: | payload=$(cat < Periodic-plugins-audit-before.json continue-on-error: true - name: Parse audit summary (before fix) id: parse-audit-before run: | if [ -f Periodic-plugins-audit-before.json ]; then vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-plugins-audit-before.json) moderate=$(echo $vulnerabilities | jq '.moderate') high=$(echo $vulnerabilities | jq '.high') critical=$(echo $vulnerabilities | jq '.critical') echo "moderate=$moderate" >> $GITHUB_OUTPUT echo "high=$high" >> $GITHUB_OUTPUT echo "critical=$critical" >> $GITHUB_OUTPUT else echo "moderate=0" >> $GITHUB_OUTPUT echo "high=0" >> $GITHUB_OUTPUT echo "critical=0" >> $GITHUB_OUTPUT fi - name: Attempt to fix vulnerabilities run: npm --prefix plugins audit fix continue-on-error: true - name: Running security audit (after fix) run: npm --prefix plugins audit --json > Periodic-plugins-audit.json continue-on-error: true - name: Parse audit summary (after fix) id: parse-audit run: | if [ -f Periodic-plugins-audit.json ]; then vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-plugins-audit.json) moderate=$(echo $vulnerabilities | jq '.moderate') high=$(echo $vulnerabilities | jq '.high') critical=$(echo $vulnerabilities | jq '.critical') echo "moderate=$moderate" >> $GITHUB_OUTPUT echo "high=$high" >> $GITHUB_OUTPUT echo "critical=$critical" >> $GITHUB_OUTPUT else echo "moderate=0" >> $GITHUB_OUTPUT echo "high=0" >> $GITHUB_OUTPUT echo "critical=0" >> $GITHUB_OUTPUT fi - name: Check for changes id: check-changes run: | git add plugins/package-lock.json if git diff --staged --quiet; then echo "has_changes=false" >> $GITHUB_OUTPUT else echo "has_changes=true" >> $GITHUB_OUTPUT fi - name: Create Pull Request if: 
steps.check-changes.outputs.has_changes == 'true' id: create-pr uses: peter-evans/create-pull-request@v5 with: token: ${{ secrets.GITHUB_TOKEN }} add-paths: | plugins/package-lock.json commit-message: "fix: automated security fixes for plugins dependencies" branch: automated-security-fixes/plugins-${{ github.run_id }} base: main title: "[Security] Automated Dependency Fixes - Plugins" body: | ## Automated Security Fixes This PR contains automated dependency updates generated via npm audit fix. ### Scope Plugins ### Vulnerabilities **Before:** - Critical: ${{ steps.parse-audit-before.outputs.critical }} - High: ${{ steps.parse-audit-before.outputs.high }} - Moderate: ${{ steps.parse-audit-before.outputs.moderate }} **After:** - Critical: ${{ steps.parse-audit.outputs.critical }} - High: ${{ steps.parse-audit.outputs.high }} - Moderate: ${{ steps.parse-audit.outputs.moderate }} âš ī¸ Some vulnerabilities may remain and require manual upgrades. **Audit Report:** [Download Full Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) Generated by: Vulnerability CI reviewers: gsmithun4 labels: security,automated - name: Upload audit report if: always() uses: actions/upload-artifact@v4 with: name: Periodic-plugins-audit-report path: Periodic-plugins-audit.json retention-days: 7 if-no-files-found: warn - name: Determine notification color id: determine-color run: | critical=${{ steps.parse-audit.outputs.critical }} high=${{ steps.parse-audit.outputs.high }} moderate=${{ steps.parse-audit.outputs.moderate }} total=$((critical + high + moderate)) if [ "$critical" -gt 0 ]; then echo "color=#FF0000" >> $GITHUB_OUTPUT elif [ "$high" -gt 0 ]; then echo "color=#FFA500" >> $GITHUB_OUTPUT else echo "color=#FFD700" >> $GITHUB_OUTPUT fi echo "total=$total" >> $GITHUB_OUTPUT - name: Send Slack Notification run: | PR_CREATED="${{ steps.check-changes.outputs.has_changes }}" PR_URL="${{ steps.create-pr.outputs.pull-request-url }}" if [ "$PR_CREATED" == 
"true" ]; then PR_SECTION=' , { "type": "section", "text": { "type": "mrkdwn", "text": "🔧 *Automated Fix PR Created*" } }, { "type": "section", "text": { "type": "mrkdwn", "text": "" } }, { "type": "section", "fields": [ { "type": "mrkdwn", "text": "*Before:*\\nCritical: BEFORE_CRITICAL | High: BEFORE_HIGH | Moderate: BEFORE_MODERATE" }, { "type": "mrkdwn", "text": "*After:*\\nCritical: AFTER_CRITICAL | High: AFTER_HIGH | Moderate: AFTER_MODERATE" } ] }' PR_SECTION="${PR_SECTION//PR_URL_PLACEHOLDER/$PR_URL}" PR_SECTION="${PR_SECTION//BEFORE_CRITICAL/${{ steps.parse-audit-before.outputs.critical }}}" PR_SECTION="${PR_SECTION//BEFORE_HIGH/${{ steps.parse-audit-before.outputs.high }}}" PR_SECTION="${PR_SECTION//BEFORE_MODERATE/${{ steps.parse-audit-before.outputs.moderate }}}" PR_SECTION="${PR_SECTION//AFTER_CRITICAL/${{ steps.parse-audit.outputs.critical }}}" PR_SECTION="${PR_SECTION//AFTER_HIGH/${{ steps.parse-audit.outputs.high }}}" PR_SECTION="${PR_SECTION//AFTER_MODERATE/${{ steps.parse-audit.outputs.moderate }}}" else PR_SECTION=' , { "type": "section", "text": { "type": "mrkdwn", "text": "â„šī¸ *No auto-fixable vulnerabilities found*" } }' fi payload=$(cat < Periodic-root-audit-before.json continue-on-error: true - name: Parse audit summary (before fix) id: parse-audit-before run: | if [ -f Periodic-root-audit-before.json ]; then vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-root-audit-before.json) moderate=$(echo $vulnerabilities | jq '.moderate') high=$(echo $vulnerabilities | jq '.high') critical=$(echo $vulnerabilities | jq '.critical') echo "moderate=$moderate" >> $GITHUB_OUTPUT echo "high=$high" >> $GITHUB_OUTPUT echo "critical=$critical" >> $GITHUB_OUTPUT else echo "moderate=0" >> $GITHUB_OUTPUT echo "high=0" >> $GITHUB_OUTPUT echo "critical=0" >> $GITHUB_OUTPUT fi - name: Attempt to fix vulnerabilities run: npm audit fix continue-on-error: true - name: Running security audit (after fix) run: npm audit --json > Periodic-root-audit.json 
continue-on-error: true - name: Parse audit summary (after fix) id: parse-audit run: | if [ -f Periodic-root-audit.json ]; then vulnerabilities=$(jq '.metadata.vulnerabilities' Periodic-root-audit.json) moderate=$(echo $vulnerabilities | jq '.moderate') high=$(echo $vulnerabilities | jq '.high') critical=$(echo $vulnerabilities | jq '.critical') echo "moderate=$moderate" >> $GITHUB_OUTPUT echo "high=$high" >> $GITHUB_OUTPUT echo "critical=$critical" >> $GITHUB_OUTPUT else echo "moderate=0" >> $GITHUB_OUTPUT echo "high=0" >> $GITHUB_OUTPUT echo "critical=0" >> $GITHUB_OUTPUT fi - name: Check for changes id: check-changes run: | git add package-lock.json if git diff --staged --quiet; then echo "has_changes=false" >> $GITHUB_OUTPUT else echo "has_changes=true" >> $GITHUB_OUTPUT fi - name: Create Pull Request if: steps.check-changes.outputs.has_changes == 'true' id: create-pr uses: peter-evans/create-pull-request@v5 with: token: ${{ secrets.GITHUB_TOKEN }} add-paths: | package-lock.json commit-message: "fix: automated security fixes for root dependencies" branch: automated-security-fixes/root-${{ github.run_id }} base: lts-3.16 title: "[Security] Automated Dependency Fixes - Root" body: | ## Automated Security Fixes This PR contains automated dependency updates generated via npm audit fix. ### Scope Root ### Vulnerabilities **Before:** - Critical: ${{ steps.parse-audit-before.outputs.critical }} - High: ${{ steps.parse-audit-before.outputs.high }} - Moderate: ${{ steps.parse-audit-before.outputs.moderate }} **After:** - Critical: ${{ steps.parse-audit.outputs.critical }} - High: ${{ steps.parse-audit.outputs.high }} - Moderate: ${{ steps.parse-audit.outputs.moderate }} âš ī¸ Some vulnerabilities may remain and require manual upgrades. 
**Audit Report:** [Download Full Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) Generated by: Vulnerability CI reviewers: gsmithun4 labels: security,automated - name: Upload audit report if: always() uses: actions/upload-artifact@v4 with: name: Periodic-root-audit-report path: Periodic-root-audit.json retention-days: 7 if-no-files-found: warn - name: Determine notification color id: determine-color run: | critical=${{ steps.parse-audit.outputs.critical }} high=${{ steps.parse-audit.outputs.high }} moderate=${{ steps.parse-audit.outputs.moderate }} total=$((critical + high + moderate)) if [ "$critical" -gt 0 ]; then echo "color=#FF0000" >> $GITHUB_OUTPUT elif [ "$high" -gt 0 ]; then echo "color=#FFA500" >> $GITHUB_OUTPUT else echo "color=#FFD700" >> $GITHUB_OUTPUT fi echo "total=$total" >> $GITHUB_OUTPUT - name: Send Slack Notification run: | PR_CREATED="${{ steps.check-changes.outputs.has_changes }}" PR_URL="${{ steps.create-pr.outputs.pull-request-url }}" if [ "$PR_CREATED" == "true" ]; then PR_SECTION=' , { "type": "section", "text": { "type": "mrkdwn", "text": "🔧 *Automated Fix PR Created*" } }, { "type": "section", "text": { "type": "mrkdwn", "text": "" } }, { "type": "section", "fields": [ { "type": "mrkdwn", "text": "*Before:*\\nCritical: BEFORE_CRITICAL | High: BEFORE_HIGH | Moderate: BEFORE_MODERATE" }, { "type": "mrkdwn", "text": "*After:*\\nCritical: AFTER_CRITICAL | High: AFTER_HIGH | Moderate: AFTER_MODERATE" } ] }' PR_SECTION="${PR_SECTION//PR_URL_PLACEHOLDER/$PR_URL}" PR_SECTION="${PR_SECTION//BEFORE_CRITICAL/${{ steps.parse-audit-before.outputs.critical }}}" PR_SECTION="${PR_SECTION//BEFORE_HIGH/${{ steps.parse-audit-before.outputs.high }}}" PR_SECTION="${PR_SECTION//BEFORE_MODERATE/${{ steps.parse-audit-before.outputs.moderate }}}" PR_SECTION="${PR_SECTION//AFTER_CRITICAL/${{ steps.parse-audit.outputs.critical }}}" PR_SECTION="${PR_SECTION//AFTER_HIGH/${{ steps.parse-audit.outputs.high }}}" 
PR_SECTION="${PR_SECTION//AFTER_MODERATE/${{ steps.parse-audit.outputs.moderate }}}" else PR_SECTION=' , { "type": "section", "text": { "type": "mrkdwn", "text": "â„šī¸ *No auto-fixable vulnerabilities found*" } }' fi payload=$(cat < frontend-audit.json continue-on-error: true - name: Parse audit summary id: parse-audit run: | vulnerabilities=$(jq '.metadata.vulnerabilities' frontend-audit.json) moderate=$(echo $vulnerabilities | jq '.moderate') high=$(echo $vulnerabilities | jq '.high') critical=$(echo $vulnerabilities | jq '.critical') echo "moderate=$moderate" >> $GITHUB_OUTPUT echo "high=$high" >> $GITHUB_OUTPUT echo "critical=$critical" >> $GITHUB_OUTPUT - name: Upload audit report if: always() uses: actions/upload-artifact@v4 with: name: frontend-audit-report path: frontend-audit.json retention-days: 7 if-no-files-found: warn - name: Create or update PR comment uses: peter-evans/create-or-update-comment@v1 with: token: ${{ secrets.GITHUB_TOKEN }} repository: ${{ github.repository }} issue-number: ${{ github.event.pull_request.number }} body: | ### Security Audit Report Of Frontend directory **Node module vulnerabilities summary:** 🔴 Critical: ${{ steps.parse-audit.outputs.critical }} 🟠 High: ${{ steps.parse-audit.outputs.high }} 🟡 Moderate: ${{ steps.parse-audit.outputs.moderate }} Please find the JSON file in the [summary page](${{ github.frontend_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}). 
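ManualVulnerability-CheckOn-server-code:
  # On-demand `npm audit` of server/ for a pull request. Runs only when the PR
  # is labelled `server-vulnerability` or `check-vulnerability`; the severity
  # counts are posted back as a PR comment and the raw JSON is kept as an artifact.
  if: ${{ github.event.action == 'labeled' && (github.event.label.name == 'server-vulnerability' || github.event.label.name == 'check-vulnerability') }}
  runs-on: ubuntu-latest
  # Least privilege: this job only reads the checkout and comments on the PR.
  # (On `pull_request` from a fork the token is read-only regardless, so the
  # comment step cannot succeed for fork PRs either way.)
  permissions:
    contents: read
    pull-requests: write
  steps:
    - name: Checkout repository
      # NOTE(review): `actions/checkout@v3` runs on the deprecated Node 16 runtime;
      # move to a current major or, better, pin to a full commit SHA.
      uses: actions/checkout@v3
      with:
        # Check out the labelled commit by SHA, not by branch name. `head.ref` is a
        # branch name in the *head* repository: for a fork PR it either does not
        # exist here or (e.g. a fork branch named `main`) resolves to an unrelated
        # branch of this repo, so the audit would be run on the wrong code.
        ref: ${{ github.event.pull_request.head.sha }}
        # Nothing in this job pushes, so do not leave the token in .git/config
        # where code executed during install could read it.
        persist-credentials: false
    - name: Use Node.js 22.15.1
      uses: actions/setup-node@v3
      with:
        node-version: "22.15.1"
    - name: Install dependencies
      # package.json is PR-controlled: never execute preinstall/postinstall hooks
      # of dependencies the PR adds. `npm audit` only needs the resolved tree.
      run: npm --prefix server install --ignore-scripts
    - name: Running security audit
      # `npm audit` exits non-zero when it finds vulnerabilities; that is the
      # result, not a failure, hence continue-on-error. A scan that *errored*
      # is detected in the parse step below.
      run: npm --prefix server audit --json > server-audit.json
      continue-on-error: true
    - name: Parse audit summary
      id: parse-audit
      run: |
        # A scan with no summary (registry error, missing lockfile, empty file)
        # must fail loudly instead of being reported as "0 vulnerabilities".
        if ! jq -e '.metadata.vulnerabilities' server-audit.json > /dev/null 2>&1; then
          echo "::error::npm audit produced no vulnerability summary; see the server-audit-report artifact"
          exit 1
        fi
        for level in moderate high critical; do
          count=$(jq -r --arg k "$level" '.metadata.vulnerabilities[$k] // 0' server-audit.json)
          echo "${level}=${count}" >> "$GITHUB_OUTPUT"
        done
    - name: Upload audit report
      # Always keep the raw report, including when the parse step failed.
      if: always()
      uses: actions/upload-artifact@v4
      with:
        name: server-audit-report
        path: server-audit.json
        retention-days: 7
        if-no-files-found: warn
    - name: Create or update PR comment
      # Without a `comment-id` input this always creates a new comment; pass the
      # id of an earlier comment if an in-place update is wanted.
      uses: peter-evans/create-or-update-comment@v1
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        repository: ${{ github.repository }}
        issue-number: ${{ github.event.pull_request.number }}
        body: |
          ### Security Audit Report Of Server directory
          **Node module vulnerabilities summary:**
          🔴 Critical: ${{ steps.parse-audit.outputs.critical }}
          🟠 High: ${{ steps.parse-audit.outputs.high }}
          🟡 Moderate: ${{ steps.parse-audit.outputs.moderate }}
          Please find the JSON file in the [summary page](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}).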
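ManualVulnerability-CheckOn-marketplace-code:
  # On-demand `npm audit` of marketplace/ for a pull request. Runs only when the
  # PR is labelled `marketplace-vulnerability` or `check-vulnerability`; the
  # severity counts are posted as a PR comment and the raw JSON kept as an artifact.
  if: ${{ github.event.action == 'labeled' && (github.event.label.name == 'marketplace-vulnerability' || github.event.label.name == 'check-vulnerability') }}
  runs-on: ubuntu-latest
  # Least privilege: this job only reads the checkout and comments on the PR.
  # (On `pull_request` from a fork the token is read-only regardless, so the
  # comment step cannot succeed for fork PRs either way.)
  permissions:
    contents: read
    pull-requests: write
  steps:
    - name: Checkout repository
      # NOTE(review): `actions/checkout@v3` runs on the deprecated Node 16 runtime;
      # move to a current major or, better, pin to a full commit SHA.
      uses: actions/checkout@v3
      with:
        # Check out the labelled commit by SHA, not by branch name. `head.ref` is a
        # branch name in the *head* repository: for a fork PR it either does not
        # exist here or (e.g. a fork branch named `main`) resolves to an unrelated
        # branch of this repo, so the audit would be run on the wrong code.
        ref: ${{ github.event.pull_request.head.sha }}
        # Nothing in this job pushes, so do not leave the token in .git/config
        # where code executed during install could read it.
        persist-credentials: false
    - name: Use Node.js 22.15.1
      uses: actions/setup-node@v3
      with:
        node-version: "22.15.1"
    - name: Install dependencies
      # package.json is PR-controlled: never execute preinstall/postinstall hooks
      # of dependencies the PR adds. `npm audit` only needs the resolved tree.
      run: npm --prefix marketplace install --ignore-scripts
    - name: Running security audit
      # `npm audit` exits non-zero when it finds vulnerabilities; that is the
      # result, not a failure, hence continue-on-error. A scan that *errored*
      # is detected in the parse step below.
      run: npm --prefix marketplace audit --json > marketplace-audit.json
      continue-on-error: true
    - name: Parse audit summary
      id: parse-audit
      run: |
        # A scan with no summary (registry error, missing lockfile, empty file)
        # must fail loudly instead of being reported as "0 vulnerabilities".
        if ! jq -e '.metadata.vulnerabilities' marketplace-audit.json > /dev/null 2>&1; then
          echo "::error::npm audit produced no vulnerability summary; see the marketplace-audit-report artifact"
          exit 1
        fi
        for level in moderate high critical; do
          count=$(jq -r --arg k "$level" '.metadata.vulnerabilities[$k] // 0' marketplace-audit.json)
          echo "${level}=${count}" >> "$GITHUB_OUTPUT"
        done
    - name: Upload audit report
      # Always keep the raw report, including when the parse step failed.
      if: always()
      uses: actions/upload-artifact@v4
      with:
        name: marketplace-audit-report
        path: marketplace-audit.json
        retention-days: 7
        if-no-files-found: warn
    - name: Create or update PR comment
      # Without a `comment-id` input this always creates a new comment; pass the
      # id of an earlier comment if an in-place update is wanted.
      uses: peter-evans/create-or-update-comment@v1
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        repository: ${{ github.repository }}
        issue-number: ${{ github.event.pull_request.number }}
        # `github.server_url` is the only host property in the github context;
        # the former `github.marketplace_url` does not exist and expanded to an
        # empty string, leaving a broken relative link.
        body: |
          ### Security Audit Report Of Marketplace directory
          **Node module vulnerabilities summary:**
          🔴 Critical: ${{ steps.parse-audit.outputs.critical }}
          🟠 High: ${{ steps.parse-audit.outputs.high }}
          🟡 Moderate: ${{ steps.parse-audit.outputs.moderate }}
          Please find the JSON file in the [summary page](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}).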
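ManualVulnerability-CheckOn-plugins-code:
  # On-demand `npm audit` of plugins/ for a pull request. Runs only when the PR
  # is labelled `plugins-vulnerability` or `check-vulnerability`; the severity
  # counts are posted as a PR comment and the raw JSON kept as an artifact.
  if: ${{ github.event.action == 'labeled' && (github.event.label.name == 'plugins-vulnerability' || github.event.label.name == 'check-vulnerability') }}
  runs-on: ubuntu-latest
  # Least privilege: this job only reads the checkout and comments on the PR.
  # (On `pull_request` from a fork the token is read-only regardless, so the
  # comment step cannot succeed for fork PRs either way.)
  permissions:
    contents: read
    pull-requests: write
  steps:
    - name: Checkout repository
      # NOTE(review): `actions/checkout@v3` runs on the deprecated Node 16 runtime;
      # move to a current major or, better, pin to a full commit SHA.
      uses: actions/checkout@v3
      with:
        # Check out the labelled commit by SHA, not by branch name. `head.ref` is a
        # branch name in the *head* repository: for a fork PR it either does not
        # exist here or (e.g. a fork branch named `main`) resolves to an unrelated
        # branch of this repo, so the audit would be run on the wrong code.
        ref: ${{ github.event.pull_request.head.sha }}
        # Nothing in this job pushes, so do not leave the token in .git/config
        # where code executed during install could read it.
        persist-credentials: false
    - name: Use Node.js 22.15.1
      uses: actions/setup-node@v3
      with:
        node-version: "22.15.1"
    - name: Install dependencies
      # package.json is PR-controlled: never execute preinstall/postinstall hooks
      # of dependencies the PR adds. `npm audit` only needs the resolved tree.
      run: npm --prefix plugins install --ignore-scripts
    - name: Running security audit
      # `npm audit` exits non-zero when it finds vulnerabilities; that is the
      # result, not a failure, hence continue-on-error. A scan that *errored*
      # is detected in the parse step below.
      run: npm --prefix plugins audit --json > plugins-audit.json
      continue-on-error: true
    - name: Parse audit summary
      id: parse-audit
      run: |
        # A scan with no summary (registry error, missing lockfile, empty file)
        # must fail loudly instead of being reported as "0 vulnerabilities".
        if ! jq -e '.metadata.vulnerabilities' plugins-audit.json > /dev/null 2>&1; then
          echo "::error::npm audit produced no vulnerability summary; see the plugins-audit-report artifact"
          exit 1
        fi
        for level in moderate high critical; do
          count=$(jq -r --arg k "$level" '.metadata.vulnerabilities[$k] // 0' plugins-audit.json)
          echo "${level}=${count}" >> "$GITHUB_OUTPUT"
        done
    - name: Upload audit report
      # Always keep the raw report, including when the parse step failed.
      if: always()
      uses: actions/upload-artifact@v4
      with:
        name: plugins-audit-report
        path: plugins-audit.json
        retention-days: 7
        if-no-files-found: warn
    - name: Create or update PR comment
      # Without a `comment-id` input this always creates a new comment; pass the
      # id of an earlier comment if an in-place update is wanted.
      uses: peter-evans/create-or-update-comment@v1
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        repository: ${{ github.repository }}
        issue-number: ${{ github.event.pull_request.number }}
        # `github.server_url` is the only host property in the github context;
        # the former `github.plugins_url` does not exist and expanded to an
        # empty string, leaving a broken relative link.
        body: |
          ### Security Audit Report Of Plugins directory
          **Node module vulnerabilities summary:**
          🔴 Critical: ${{ steps.parse-audit.outputs.critical }}
          🟠 High: ${{ steps.parse-audit.outputs.high }}
          🟡 Moderate: ${{ steps.parse-audit.outputs.moderate }}
          Please find the JSON file in the [summary page](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}).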
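ManualVulnerability-CheckOn-root-code:
  # On-demand `npm audit` of the repository root for a pull request. Runs only
  # when the PR is labelled `root-vulnerability` or `check-vulnerability`; the
  # severity counts are posted as a PR comment and the raw JSON kept as an artifact.
  if: ${{ github.event.action == 'labeled' && (github.event.label.name == 'root-vulnerability' || github.event.label.name == 'check-vulnerability') }}
  runs-on: ubuntu-latest
  # Least privilege: this job only reads the checkout and comments on the PR.
  # (On `pull_request` from a fork the token is read-only regardless, so the
  # comment step cannot succeed for fork PRs either way.)
  permissions:
    contents: read
    pull-requests: write
  steps:
    - name: Checkout repository
      # NOTE(review): `actions/checkout@v3` runs on the deprecated Node 16 runtime;
      # move to a current major or, better, pin to a full commit SHA.
      uses: actions/checkout@v3
      with:
        # Check out the labelled commit by SHA, not by branch name. `head.ref` is a
        # branch name in the *head* repository: for a fork PR it either does not
        # exist here or (e.g. a fork branch named `main`) resolves to an unrelated
        # branch of this repo, so the audit would be run on the wrong code.
        ref: ${{ github.event.pull_request.head.sha }}
        # Nothing in this job pushes, so do not leave the token in .git/config
        # where code executed during install could read it.
        persist-credentials: false
    - name: Use Node.js 22.15.1
      uses: actions/setup-node@v3
      with:
        node-version: "22.15.1"
    - name: Install dependencies
      # package.json is PR-controlled: never execute preinstall/postinstall hooks
      # of dependencies the PR adds. `npm audit` only needs the resolved tree.
      run: npm install --ignore-scripts
    - name: Running security audit
      # `npm audit` exits non-zero when it finds vulnerabilities; that is the
      # result, not a failure, hence continue-on-error. A scan that *errored*
      # is detected in the parse step below.
      run: npm audit --json > root-audit.json
      continue-on-error: true
    - name: Parse audit summary
      id: parse-audit
      run: |
        # A scan with no summary (registry error, missing lockfile, empty file)
        # must fail loudly instead of being reported as "0 vulnerabilities".
        if ! jq -e '.metadata.vulnerabilities' root-audit.json > /dev/null 2>&1; then
          echo "::error::npm audit produced no vulnerability summary; see the root-audit-report artifact"
          exit 1
        fi
        for level in moderate high critical; do
          count=$(jq -r --arg k "$level" '.metadata.vulnerabilities[$k] // 0' root-audit.json)
          echo "${level}=${count}" >> "$GITHUB_OUTPUT"
        done
    - name: Upload audit report
      # Always keep the raw report, including when the parse step failed.
      if: always()
      uses: actions/upload-artifact@v4
      with:
        name: root-audit-report
        path: root-audit.json
        retention-days: 7
        if-no-files-found: warn
    - name: Create or update PR comment
      # Without a `comment-id` input this always creates a new comment; pass the
      # id of an earlier comment if an in-place update is wanted.
      uses: peter-evans/create-or-update-comment@v1
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        repository: ${{ github.repository }}
        issue-number: ${{ github.event.pull_request.number }}
        # `github.server_url` is the only host property in the github context;
        # the former `github.root_url` does not exist and expanded to an empty
        # string, leaving a broken relative link.
        body: |
          ### Security Audit Report Of Root directory
          **Node module vulnerabilities summary:**
          🔴 Critical: ${{ steps.parse-audit.outputs.critical }}
          🟠 High: ${{ steps.parse-audit.outputs.high }}
          🟡 Moderate: ${{ steps.parse-audit.outputs.moderate }}
          Please find the JSON file in the [summary page](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}).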