Merge PR #50: trust proxy for rate limiting behind Render #52
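# Security scan: dependency audit (npm) and container image scan (Trivy).
# Both jobs fail the workflow on HIGH/CRITICAL findings so regressions are
# visible on main and caught in pull requests before they are merged.
name: Security scan

on:
  push:
    branches: ["main"]
  # Gate PRs as well: a vulnerable dependency should fail review, not the
  # post-merge run.
  pull_request:
    branches: ["main"]
  schedule:
    # Every Monday at 08:00 UTC – catches newly disclosed CVEs between pushes
    - cron: "0 8 * * 1"
  # Allow an on-demand run (e.g. right after a CVE announcement).
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: neither job writes to the repository, so
# the default token scopes are unnecessary and would only widen the blast
# radius of a compromised action or build dependency.
permissions:
  contents: read

jobs:
  # ── npm audit ────────────────────────────────────────────────────────────
  npm-audit:
    name: npm audit
    runs-on: ubuntu-latest
    # Bound runaway installs/network hangs so a stuck job cannot block CI.
    timeout-minutes: 15
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version-file: ".nvmrc"
          cache: "npm"
          cache-dependency-path: package-lock.json
      - name: Install production deps
        run: npm ci --omit=dev
      # NOTE(review): npm audit works from package-lock.json, so
      # devDependencies are presumably still reported here unless --omit=dev
      # is passed to the audit too — confirm which scope is intended before
      # narrowing it.
      - name: Audit (fail on high/critical)
        run: npm audit --audit-level=high
  # ── Docker image scan (Trivy) ────────────────────────────────────────────
  trivy:
    name: Trivy image scan
    runs-on: ubuntu-latest
    # Image build plus vulnerability DB download; bound it like npm-audit.
    timeout-minutes: 20
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Build image for scanning
        run: docker build -t spectracleanse-api:scan .
      # TODO(security): @master is a mutable branch ref — whoever can push to
      # that branch changes what runs in our CI with no review on our side.
      # Pin to a release tag (or, stronger, a full commit SHA) as the actions
      # above are pinned to a version tag.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: spectracleanse-api:scan
          format: table
          # Non-zero exit on findings makes the job (and the workflow) fail.
          exit-code: "1"
          # Hides CVEs with no upstream fix yet; they are not gone, so review
          # them periodically (e.g. a manual run with this set to false).
          ignore-unfixed: true
          severity: "HIGH,CRITICAL"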