build: added SFW in the build pipeline

Ticket: VL-3832

Author: pradeepjangid195

.github/workflows/ci.yml

@@ -14,6 +14,9 @@ permissions:
   contents: read
   pull-requests: read
 
+env:
+  SOCKET_SECURITY_MODE: monitor  # Options: monitor (non-blocking) or block (fails on vulnerabilities)
+
 jobs:
   unit-test:
     runs-on: ubuntu-latest
@@ -24,6 +27,10 @@ jobs:
         node-version: [20.x, 22.x]
 
     steps:
+      - uses: socketdev/action@v1
+        with:
+          mode: firewall-free
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
@@ -58,7 +65,7 @@ jobs:
 
       - name: Install Packages
         if: steps.lerna-cache.outputs.cache-hit != 'true' || contains( github.event.pull_request.labels.*.name, 'SKIP_CACHE')
-        run: yarn install --with-frozen-lockfile --ignore-scripts
+        run: sfw yarn install --with-frozen-lockfile --ignore-scripts
 
       - name: Check In-Repo Package Versions
         run: yarn run check-versions
@@ -90,6 +97,10 @@ jobs:
         check: ['lint', 'format', 'commit-lint', 'dependencies', 'audit']
 
     steps:
+      - uses: socketdev/action@v1
+        with:
+          mode: firewall-free
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
@@ -110,7 +121,7 @@ jobs:
 
       - name: Install Packages
         if: steps.lerna-cache.outputs.cache-hit != 'true' || contains( github.event.pull_request.labels.*.name, 'SKIP_CACHE')
-        run: yarn install --with-frozen-lockfile --ignore-scripts
+        run: sfw yarn install --with-frozen-lockfile --ignore-scripts
 
       - name: Lint Source Code
         if: matrix.check == 'lint'
@@ -138,6 +149,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - uses: socketdev/action@v1
+        with:
+          mode: firewall-free
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup node 22
@@ -156,7 +171,7 @@ jobs:
 
       - name: Install Packages
         if: steps.lerna-cache.outputs.cache-hit != 'true'
-        run: yarn install --with-frozen-lockfile --ignore-scripts
+        run: sfw yarn install --with-frozen-lockfile --ignore-scripts
 
       - name: build packages
         env:
@@ -175,6 +190,10 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
+      - uses: socketdev/action@v1
+        with:
+          mode: firewall-free
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
@@ -249,7 +268,7 @@ jobs:
 
       - name: Install Packages
         if: steps.lerna-cache.outputs.cache-hit != 'true' || contains( github.event.pull_request.labels.*.name, 'SKIP_CACHE')
-        run: yarn install --with-frozen-lockfile
+        run: sfw yarn install --with-frozen-lockfile
 
       - name: build packages
         if: steps.lerna-cache.outputs.cache-hit == 'true'
@@ -295,6 +314,7 @@ jobs:
             VERSION=${{ steps.build-info.outputs.version }}
             BUILD_DATE=${{ steps.build-info.outputs.date }}
             GIT_HASH=${{ github.sha }}
+            SOCKET_SECURITY_MODE=${{ env.SOCKET_SECURITY_MODE }}
 
       - name: Test Express Docker image
         id: docker-test
@@ -338,6 +358,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - uses: socketdev/action@v1
+        with:
+          mode: firewall-free
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
@@ -358,7 +382,7 @@ jobs:
 
       - name: Install Packages
         if: steps.lerna-cache.outputs.cache-hit != 'true' || contains( github.event.pull_request.labels.*.name, 'SKIP_CACHE')
-        run: yarn install --with-frozen-lockfile --ignore-scripts
+        run: sfw yarn install --with-frozen-lockfile --ignore-scripts
 
       - name: Check Dockerfile is up to date
         run: |
@@ -373,6 +397,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - uses: socketdev/action@v1
+        with:
+          mode: firewall-free
+
       - name: Checkout PR
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -394,15 +422,15 @@ jobs:
 
       - name: Install Packages
         if: steps.lerna-cache.outputs.cache-hit != 'true'
-        run: yarn install --with-frozen-lockfile --ignore-scripts
+        run: sfw yarn install --with-frozen-lockfile --ignore-scripts
 
       - name: Build packages
         env:
           DISABLE_V8_COMPILE_CACHE: '1'
         run: yarn run postinstall
 
       - name: Install OpenAPI Generator at root
-        run: yarn add -W @api-ts/openapi-generator@v5
+        run: sfw yarn add -W @api-ts/openapi-generator@v5
 
       - name: Download and install vacuum v0.18.1
         run: |

.github/workflows/publish.yml

@@ -11,12 +11,19 @@ permissions:
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
 
+env:
+  SOCKET_SECURITY_MODE: monitor  # Options: monitor (non-blocking) or block (fails on vulnerabilities)
+
 jobs:
   publish:
     name: Publish Release
     runs-on: ubuntu-latest
 
     steps:
+      - uses: socketdev/action@v1
+        with:
+          mode: firewall-free
+
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
 
@@ -26,7 +33,7 @@ jobs:
           node-version-file: .nvmrc
 
       - name: Install BitGoJS
-        run: yarn install --with-frozen-lockfile
+        run: sfw yarn install --with-frozen-lockfile
 
       - name: Set Environment Variable for Alpha
         if: github.ref != 'refs/heads/master' # only publish changes if on feature branches
@@ -56,7 +63,7 @@ jobs:
           npx tsx ./scripts/prepare-release.ts ${{ env.preid }}
 
       - name: Rebuild packages
-        run: yarn
+        run: sfw yarn
 
       - name: Commit Local Changes
         run: git commit -am "Auto updated ${{ env.preid }} branch" --no-verify || echo "No changes to commit"

Dockerfile

@@ -13,20 +13,23 @@ COPY modules ./modules
 RUN find modules \! -name "package.json" -mindepth 2 -maxdepth 2 -print | xargs rm -rf
 
 FROM node:22.16.0-bookworm-slim@sha256:2f3571619daafc6b53232ebf2fcc0817c1e64795e92de317c1684a915d13f1a5 AS builder
+ARG SOCKET_SECURITY_MODE=monitor
+ENV SOCKET_SECURITY_MODE=${SOCKET_SECURITY_MODE}
 RUN apt-get update && apt-get install -y git python3 make g++ libtool autoconf automake
+RUN npm i -g sfw
 WORKDIR /tmp/bitgo
 COPY --from=filter-packages-json /tmp/bitgo .
 # (skip postinstall) https://github.com/yarnpkg/yarn/issues/4100#issuecomment-388944260
-RUN NOYARNPOSTINSTALL=1 yarn install --pure-lockfile --network-timeout 120000
+RUN NOYARNPOSTINSTALL=1 sfw yarn install --pure-lockfile --network-timeout 120000
 
 COPY . .
 RUN \
     # clean up unnecessary local node_modules and dist
     rm -rf modules/**/node_modules modules/**/dist && \
     # install with dev deps so we can run the prepare script
-    yarn install --frozen-lockfile && \
+    sfw yarn install --frozen-lockfile && \
     # install again to prune dev deps
-    yarn install --production --frozen-lockfile --non-interactive --ignore-scripts && \
+    sfw yarn install --production --frozen-lockfile --non-interactive --ignore-scripts && \
     # remove any src code leftover (we only want dist)
     rm -r modules/*/src