Merge pull request #1 from robmoffat/security-scanning

Security scanning

.github/workflows/cve-scanning.yml

@@ -0,0 +1,35 @@
+name: Node.js CVE Scanning
+
+on:
+  pull_request:
+    paths:
+      - 'package.json'
+      - 'toolbox/fdc3-workbench/package.json'
+      - '.github/workflows/cve-scanning.yml'
+  push:
+    paths:
+      - 'package.json'
+      - 'toolbox/fdc3-workbench/package.json'
+      - '.github/workflows/cve-scanning.yml'
+    schedule:
+      # Run every day at 5am and 5pm
+      - cron: '0 5,17 * * *'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [16.x]
+    steps:
+      - uses: actions/checkout@v3
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ matrix.node-version }}
+      - run: npm install
+      - run: npx --yes auditjs ossi --whitelist allow-list.json
+      - run: npm install
+        working-directory: toolbox/fdc3-workbench
+      - run: npx --yes auditjs ossi --whitelist allow-list.json
+        working-directory: toolbox/fdc3-workbench

.github/workflows/semgrep.yml

@@ -0,0 +1,15 @@
+name: Static code analysis
+
+on: [push, pull_request]
+
+jobs:
+  semgrep:
+    name: run-semgrep
+    runs-on: ubuntu-20.04
+    container:
+      image: returntocorp/semgrep
+    steps:
+    - uses: actions/checkout@v3
+    - run: semgrep scan --error --config auto
+      env:
+        SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

.whitesource

@@ -0,0 +1,15 @@
+{
+  "scanSettings": {
+    "configMode": "AUTO",
+    "configExternalURL": "",
+    "projectToken": "",
+    "baseBranches": []
+  },
+  "checkRunSettings": {
+    "displayMode": "diff",
+    "vulnerableCheckRunConclusionLevel": "failure"
+  },
+  "issueSettings": {
+    "minSeverityLevel": "LOW"
+  }
+}