chore(tools): add codeql for typescript

nodejs · Aug 4, 2024 · ea45585 · ea45585
1 parent 5b4e463
commit ea45585
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 20 deletions.
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -6,8 +6,11 @@ on:
     - cron: '0 0 * * *'
   push:
     paths:
-      - '**/Cargo.toml'
-      - '**/Cargo.lock'
+      - 'deps/swc'
+      - '.github/workflows/audit.yml'
+      - package.json
+      - lib
+      - src
   pull_request:
 
 jobs:
@@ -17,3 +20,28 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - uses: EmbarkStudios/cargo-deny-action@3f4a782664881cf5725d0ffd23969fcce89fd868 # v1.6.3
+        with:
+          manifest-path: "deps/swc/bindings/Cargo.toml"
+
+  typescript-audit:
+    runs-on: ubuntu-22.04
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+    strategy:
+      matrix:
+        include:
+        - language: javascript-typescript
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
+        with:
+          languages: ${{ matrix.language }}
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
+        with:
+          category: "/language:${{matrix.language}}"
diff --git a/deny.toml b/deny.toml
@@ -2,28 +2,25 @@
 targets = []
 
 [advisories]
-vulnerability = "deny"
-unmaintained = "warn"
-yanked = "warn"
-notice = "warn"
 ignore = []
 
 [licenses]
-unlicensed = "deny"
 allow = [
     "Apache-2.0",
     "Apache-2.0 WITH LLVM-exception",
     "MIT",
     "MPL-2.0",
     "BSD-3-Clause",
+    "BSD-2-Clause",
     "ISC",
+    "0BSD",
+    "CC0-1.0",
+    "Unicode-DFS-2016",
+    "BSL-1.0"
 ]
-deny = []
-copyleft = "deny"
 confidence-threshold = 0.8
 exceptions = []
 
-
 [licenses.private]
 ignore = false
 registries = []
@@ -38,12 +35,4 @@ skip = []
 skip-tree = []
 
 [sources]
-unknown-registry = "warn"
-unknown-git = "warn"
 allow-registry = ["https://github.com/rust-lang/crates.io-index"]
-allow-git = []
-
-[sources.allow-org]
-github = []
-gitlab = []
-bitbucket = []
diff --git a/tools/Dockerfile b/tools/Dockerfile
@@ -32,12 +32,12 @@ WORKDIR /usr/src/amaro
 
 COPY deps/swc .
 
+WORKDIR /usr/src/amaro/bindings/binding_typescript_wasm
+
 RUN apt-get update && apt-get -y install cmake
 
 RUN cargo install --locked wasm-pack
 
-WORKDIR /usr/src/amaro/bindings/binding_typescript_wasm
-
 RUN ./scripts/build.sh
 
 RUN mkdir -p /usr/src/amaro/swc