MokoCLI/templates/workflows/dependency-audit.yml
jmiller 857525268a
feat: add dependency-audit.yml
Authored-by: Moko Consulting
2026-05-19 20:47:16 +00:00


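# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# FILE INFORMATION
# DEFGROUP: Gitea.Workflow
# INGROUP: MokoStandards
# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
# PATH: /templates/workflows/dependency-audit.yml
# VERSION: 01.00.00
# BRIEF: Scheduled dependency audit — runs composer audit across repos
#
# Flow: checkout -> set up PHP/composer -> `composer audit --format=json`
# -> parse advisories into the step summary -> ntfy notification when
# advisories exist -> closing summary footer.
#
# Expression values (`${{ ... }}`) reach shell steps through `env:` rather
# than being interpolated into the script body, so a value containing shell
# metacharacters (a branch name, a repository variable) cannot change the
# commands that run.

name: Dependency Audit

on:
  schedule:
    - cron: '0 8 * * 1'  # Every Monday at 08:00 UTC
  workflow_dispatch:

# Least privilege: the job only reads the checkout and writes files inside
# the runner workspace. NOTE(review): honoured by GitHub Actions; confirm
# that the Gitea version in use applies this key.
permissions:
  contents: read

env:
  # Quoted on purpose: runner env values are strings, and a bare `true`
  # would be parsed as a YAML boolean.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # NOTE(review): consider pinning to a full-length commit SHA instead
        # of the mutable `v4` tag so a retagged release cannot change what
        # runs here.
        uses: actions/checkout@v4

      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.3'
          tools: composer

      - name: Run composer audit
        id: audit
        # Outputs: skip (no composer.json present) and vulnerable (true when
        # at least one advisory was reported).
        run: |
          if [ ! -f composer.json ]; then
            echo "No composer.json found — skipping."
            echo "skip=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          echo "skip=false" >> "$GITHUB_OUTPUT"

          # stdout (JSON) and stderr (warnings/errors) go to separate files so
          # composer diagnostics cannot corrupt the JSON that jq reads later.
          # The `|| ...` keeps the shell's `-e` from aborting on a non-zero
          # exit, which composer uses to signal advisories (among other things).
          AUDIT_EXIT=0
          composer audit --format=json --no-interaction \
            > audit-results.json 2> audit-stderr.log || AUDIT_EXIT=$?

          # An audit that produced no parseable JSON (network failure, fatal
          # error) must fail loudly instead of being reported as "clean".
          if ! jq -e . audit-results.json > /dev/null 2>&1; then
            echo "::error::composer audit exited ${AUDIT_EXIT} without valid JSON output"
            cat audit-stderr.log
            exit 1
          fi

          # Total advisories across all packages (each package maps to a list
          # of advisories, so `.advisories | length` would count packages).
          ADVISORIES=$(jq -r '[.advisories[]? | length] | add // 0' audit-results.json)

          # Derive "vulnerable" from the advisory count, not from the exit
          # code: composer audit can exit non-zero for reasons other than
          # advisories (for example abandoned packages, depending on config),
          # which must not trigger a vulnerability notification.
          if [ "$ADVISORIES" -gt 0 ]; then
            echo "vulnerable=true" >> "$GITHUB_OUTPUT"
          else
            echo "vulnerable=false" >> "$GITHUB_OUTPUT"
            if [ "$AUDIT_EXIT" -ne 0 ]; then
              echo "::warning::composer audit exited ${AUDIT_EXIT} but reported no advisories; see audit-stderr.log"
              cat audit-stderr.log
            fi
          fi

      - name: Parse vulnerabilities
        if: steps.audit.outputs.skip != 'true'
        id: parse
        # Output: count (total number of advisories, 0 when clean).
        env:
          VULNERABLE: ${{ steps.audit.outputs.vulnerable }}
        run: |
          if [ "$VULNERABLE" = "true" ]; then
            echo "## Vulnerabilities Found" >> "$GITHUB_STEP_SUMMARY"
            echo "" >> "$GITHUB_STEP_SUMMARY"
            # Total advisories across all packages; best-effort, falls back to 0.
            ADVISORIES=$(jq -r '[.advisories[]? | length] | add // 0' audit-results.json 2>/dev/null || echo "0")
            echo "Found **${ADVISORIES}** advisories." >> "$GITHUB_STEP_SUMMARY"
            echo "" >> "$GITHUB_STEP_SUMMARY"
            # One table row per advisory (a package can carry several).
            # `|| true` keeps the summary best-effort under the shell's `-e`.
            {
              echo "| Package | Title | CVE | Affected Versions |"
              echo "|---------|-------|-----|-------------------|"
              jq -r '
                .advisories | to_entries[] | .key as $pkg | .value[] |
                "| \($pkg) | \(.title // "N/A") | \(.cve // "N/A") | \(.affectedVersions // "N/A") |"
              ' audit-results.json 2>/dev/null || true
            } >> "$GITHUB_STEP_SUMMARY"
            echo "count=${ADVISORIES}" >> "$GITHUB_OUTPUT"
          else
            echo "## No Vulnerabilities Found" >> "$GITHUB_STEP_SUMMARY"
            echo "" >> "$GITHUB_STEP_SUMMARY"
            echo "All dependencies passed the audit." >> "$GITHUB_STEP_SUMMARY"
            echo "count=0" >> "$GITHUB_OUTPUT"
          fi

      - name: Notify via ntfy
        if: steps.audit.outputs.vulnerable == 'true'
        env:
          NTFY_URL: ${{ vars.NTFY_URL }}
          NTFY_TOPIC: ${{ vars.NTFY_TOPIC }}
          REPO: ${{ github.repository }}
          COUNT: ${{ steps.parse.outputs.count }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          # Without both variables the request would go to "/<topic>" or
          # "<url>/" — say so instead of sending a malformed request.
          if [ -z "$NTFY_URL" ] || [ -z "$NTFY_TOPIC" ]; then
            echo "::warning::NTFY_URL or NTFY_TOPIC is not set; skipping notification"
            exit 0
          fi
          # -f: fail the step on an HTTP error; -sS: quiet, but still print errors.
          curl -fsS \
            -H "Title: Dependency Audit: ${REPO}" \
            -H "Priority: high" \
            -H "Tags: warning,package" \
            -H "Click: ${RUN_URL}" \
            -d "Found ${COUNT} vulnerability advisory(ies) in ${REPO}. Review the workflow run for details." \
            "${NTFY_URL}/${NTFY_TOPIC}"

      - name: Summary
        if: always() && steps.audit.outputs.skip != 'true'
        env:
          REPO: ${{ github.repository }}
          BRANCH: ${{ github.ref_name }}
        run: |
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "---" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "Audit completed at $(date -u '+%Y-%m-%d %H:%M:%S UTC')." >> "$GITHUB_STEP_SUMMARY"
          echo "Repository: **${REPO}**" >> "$GITHUB_STEP_SUMMARY"
          echo "Branch: **${BRANCH}**" >> "$GITHUB_STEP_SUMMARY"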