ci: add CVE Lite dependency audit workflow#12271
Open
sonukapoor wants to merge 1 commit into
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds a CVE Lite CLI dependency audit workflow to Chart.js. CVE Lite CLI is an OWASP Lab Project that scans npm, pnpm, Yarn, and Bun lockfiles directly against the OSV advisory database — no network install required, no packages need to be downloaded to run the scan.
The workflow runs on every push and pull request to master, and on a weekly schedule every Monday morning. It scans the pnpm lockfile for known vulnerabilities across all 372 resolved packages and uploads results to GitHub Code Scanning as SARIF so findings surface in the Security tab alongside any other code scanning tools the project uses.
A fresh scan of the current lockfile shows zero findings today, which is a great baseline. The workflow will catch regressions automatically as new advisories are published — particularly useful since pnpm's lockfile resolves the full transitive graph, and new CVEs can appear in indirect dependencies weeks after a lockfile was last updated.
The workflow is pinned to immutable commit SHAs for all three actions (checkout, cve-lite-cli, and codeql-action/upload-sarif) and runs with minimal permissions (contents: read, security-events: write for SARIF upload). It does not run any install step or build step — just a lockfile scan, which completes in under 30 seconds.