Skip to content

ci: add CVE Lite dependency audit workflow#12271

Open
sonukapoor wants to merge 1 commit into
chartjs:masterfrom
sonukapoor:ci/add-cve-lite-vulnerability-scan
Open

ci: add CVE Lite dependency audit workflow#12271
sonukapoor wants to merge 1 commit into
chartjs:masterfrom
sonukapoor:ci/add-cve-lite-vulnerability-scan

Conversation

@sonukapoor

Copy link
Copy Markdown

This PR adds a CVE Lite CLI dependency audit workflow to Chart.js. CVE Lite CLI is an OWASP Lab Project that scans npm, pnpm, Yarn, and Bun lockfiles directly against the OSV advisory database — no network install required, no packages need to be downloaded to run the scan.

The workflow runs on every push and pull request to master, and on a weekly schedule every Monday morning. It scans the pnpm lockfile for known vulnerabilities across all 372 resolved packages and uploads results to GitHub Code Scanning as SARIF so findings surface in the Security tab alongside any other code scanning tools the project uses.

A fresh scan of the current lockfile shows zero findings today, which is a great baseline. The workflow will catch regressions automatically as new advisories are published — particularly useful since pnpm's lockfile resolves the full transitive graph, and new CVEs can appear in indirect dependencies weeks after a lockfile was last updated.

The workflow is pinned to immutable commit SHAs for all three actions (checkout, cve-lite-cli, and codeql-action/upload-sarif) and runs with minimal permissions (contents: read, security-events: write for SARIF upload). It does not run any install step or build step — just a lockfile scan, which completes in under 30 seconds.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant