From f3c117248f8e4becc999b41a48af376cb613b0ba Mon Sep 17 00:00:00 2001
From: Dan Barr
Date: Tue, 7 Jan 2025 14:00:03 -0500
Subject: [PATCH] Add security check workflow

---
 .github/workflows/_security-checks.yaml | 37 +++++++++++++++++++++++++
 .github/workflows/on-pr.yaml | 4 +++
 2 files changed, 41 insertions(+)
 create mode 100644 .github/workflows/_security-checks.yaml

diff --git a/.github/workflows/_security-checks.yaml b/.github/workflows/_security-checks.yaml
new file mode 100644
index 0000000..d84eeda
--- /dev/null
+++ b/.github/workflows/_security-checks.yaml
@@ -0,0 +1,37 @@
+name: Security checks
+
+on:
+  workflow_call:
+
+jobs:
+  trivy:
+    name: Trivy scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Scan repo
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          scanners: 'vuln,secret,config'
+          exit-code: '1'
+          ignore-unfixed: 'true'
+          severity: 'MEDIUM,HIGH,CRITICAL'
+
+  npm-audit:
+    name: NPM audit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+
+      - name: Run npm audit
+        run: npm audit --omit=dev --audit-level=moderate
diff --git a/.github/workflows/on-pr.yaml b/.github/workflows/on-pr.yaml
index 74813a2..6cec6a6 100644
--- a/.github/workflows/on-pr.yaml
+++ b/.github/workflows/on-pr.yaml
@@ -7,6 +7,10 @@ permissions:
   contents: read
 
 jobs:
+  security:
+    name: Security checks
+    uses: ./.github/workflows/_security-checks.yaml
+
   static-checks:
     name: Static checks
     uses: ./.github/workflows/_static-checks.yaml
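Review bot: The three third-party actions in this new security workflow (`actions/checkout@v4`, `aquasecurity/trivy-action@0.29.0`, `actions/setup-node@v4`) are pinned to mutable tags, so the scanner that gates the PR is only as trustworthy as whoever can move those tags; pin each `uses:` to the full commit SHA of the release and keep the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full 40-char sha>  # v0.29.0`. The reusable workflow also declares no `permissions:` of its own, so it runs with whatever the caller grants; adding `permissions:` with `  contents: read` at the top of the file makes the read-only intent explicit regardless of caller. Note that `ignore-unfixed: 'true'` means Trivy will not fail the job on findings that have no fix available, and `--omit=dev` skips advisories in dev/build tooling that also executes in this CI — both are defensible choices, but a one-line comment above each (`# unfixed findings are reported but do not block` / `# dev deps are not audited here; build tooling runs in CI`) would make the gaps deliberate rather than accidental.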
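Review bot: The new `security` job only turns the workflow run red; unless its check is also listed as a required status check in branch protection (not visible in this change), a failing Trivy or npm-audit result will not actually block merging the PR. Worth confirming that setting when this lands, and a short comment above the job, `# Must be a required status check in branch protection to gate merges`, would record the dependency. The caller's top-level `permissions:` with `contents: read` (visible in the hunk context) is inherited by the called workflow and no `secrets:` are passed, which is the right shape for read-only scanning.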