Merge pull request #7738 from BitGo/VL-3832-adding-sfw-support

build: add Socket Security (SFW) integration with configurable vulnerability scanning

Author: pradeepjangid195

.github/workflows/ci.yml

@@ -14,6 +14,9 @@ permissions:
   contents: read
   pull-requests: read
 
+env:
+  SOCKET_SECURITY_MODE: monitor  # Options: monitor (non-blocking) or block (fails on vulnerabilities)
+
 jobs:
   unit-test:
     runs-on: ubuntu-latest
@@ -24,6 +27,10 @@ jobs:
         node-version: [20.x, 22.x, 24.x]
 
     steps:
+      - uses: socketdev/action@v1
+        with:
+          mode: firewall-free
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
@@ -58,7 +65,7 @@ jobs:
 
       - name: Install Packages
         if: steps.lerna-cache.outputs.cache-hit != 'true' || contains( github.event.pull_request.labels.*.name, 'SKIP_CACHE')
-        run: yarn install --with-frozen-lockfile --ignore-scripts
+        run: sfw yarn install --with-frozen-lockfile --ignore-scripts
 
       - name: Check In-Repo Package Versions
         run: yarn run check-versions
@@ -90,6 +97,10 @@ jobs:
         check: ['lint', 'format', 'commit-lint', 'dependencies']
 
     steps:
+      - uses: socketdev/action@v1
+        with:
+          mode: firewall-free
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
@@ -110,7 +121,7 @@ jobs:
 
       - name: Install Packages
         if: steps.lerna-cache.outputs.cache-hit != 'true' || contains( github.event.pull_request.labels.*.name, 'SKIP_CACHE')
-        run: yarn install --with-frozen-lockfile --ignore-scripts
+        run: sfw yarn install --with-frozen-lockfile --ignore-scripts
 
       - name: Lint Source Code
         if: matrix.check == 'lint'
@@ -137,6 +148,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - uses: socketdev/action@v1
+        with:
+          mode: firewall-free
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup node 22
@@ -155,7 +170,7 @@ jobs:
 
       - name: Install Packages
         if: steps.lerna-cache.outputs.cache-hit != 'true'
-        run: yarn install --with-frozen-lockfile --ignore-scripts
+        run: sfw yarn install --with-frozen-lockfile --ignore-scripts
 
       - name: build packages
         env:
@@ -174,6 +189,10 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
+      - uses: socketdev/action@v1
+        with:
+          mode: firewall-free
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
@@ -248,7 +267,7 @@ jobs:
 
       - name: Install Packages
         if: steps.lerna-cache.outputs.cache-hit != 'true' || contains( github.event.pull_request.labels.*.name, 'SKIP_CACHE')
-        run: yarn install --with-frozen-lockfile
+        run: sfw yarn install --with-frozen-lockfile
 
       - name: build packages
         if: steps.lerna-cache.outputs.cache-hit == 'true'
@@ -294,6 +313,7 @@ jobs:
             VERSION=${{ steps.build-info.outputs.version }}
             BUILD_DATE=${{ steps.build-info.outputs.date }}
             GIT_HASH=${{ github.sha }}
+            SOCKET_SECURITY_MODE=${{ env.SOCKET_SECURITY_MODE }}
 
       - name: Test Express Docker image
         id: docker-test
@@ -337,6 +357,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - uses: socketdev/action@v1
+        with:
+          mode: firewall-free
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
@@ -357,7 +381,7 @@ jobs:
 
       - name: Install Packages
         if: steps.lerna-cache.outputs.cache-hit != 'true' || contains( github.event.pull_request.labels.*.name, 'SKIP_CACHE')
-        run: yarn install --with-frozen-lockfile --ignore-scripts
+        run: sfw yarn install --with-frozen-lockfile --ignore-scripts
 
       - name: Check Dockerfile is up to date
         run: |

.github/workflows/publish.yml

@@ -11,12 +11,19 @@ permissions:
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
 
+env:
+  SOCKET_SECURITY_MODE: monitor  # Options: monitor (non-blocking) or block (fails on vulnerabilities)
+
 jobs:
   publish:
     name: Publish Release
     runs-on: ubuntu-latest
 
     steps:
+      - uses: socketdev/action@v1
+        with:
+          mode: firewall-free
+
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
 
@@ -26,7 +33,7 @@ jobs:
           node-version-file: .nvmrc
 
       - name: Install BitGoJS
-        run: yarn install --with-frozen-lockfile
+        run: sfw yarn install --with-frozen-lockfile
 
       - name: Audit Dependencies
         run: yarn run improved-yarn-audit --min-severity high
@@ -59,7 +66,7 @@ jobs:
           npx tsx ./scripts/prepare-release.ts ${{ env.preid }}
 
       - name: Rebuild packages
-        run: yarn
+        run: sfw yarn
 
       - name: Commit Local Changes
         run: git commit -am "Auto updated ${{ env.preid }} branch" --no-verify || echo "No changes to commit"

Dockerfile

@@ -13,20 +13,23 @@ COPY modules ./modules
 RUN find modules \! -name "package.json" -mindepth 2 -maxdepth 2 -print | xargs rm -rf
 
 FROM node:22.22.0-bookworm-slim@sha256:f86be15afa9a8277608e141ce2a8aa55d3d9c40845921b8511f4fb7897be2554 AS builder
+ARG SOCKET_SECURITY_MODE=monitor
+ENV SOCKET_SECURITY_MODE=${SOCKET_SECURITY_MODE}
 RUN apt-get update && apt-get install -y git python3 make g++ libtool autoconf automake
+RUN npm i -g sfw
 WORKDIR /tmp/bitgo
 COPY --from=filter-packages-json /tmp/bitgo .
 # (skip postinstall) https://github.com/yarnpkg/yarn/issues/4100#issuecomment-388944260
-RUN NOYARNPOSTINSTALL=1 yarn install --pure-lockfile --network-timeout 120000
+RUN NOYARNPOSTINSTALL=1 sfw yarn install --pure-lockfile --network-timeout 120000
 
 COPY . .
 RUN \
     # clean up unnecessary local node_modules and dist
     rm -rf modules/**/node_modules modules/**/dist && \
     # install with dev deps so we can run the prepare script
-    yarn install --frozen-lockfile && \
+    sfw yarn install --frozen-lockfile && \
     # install again to prune dev deps
-    yarn install --production --frozen-lockfile --non-interactive --ignore-scripts && \
+    sfw yarn install --production --frozen-lockfile --non-interactive --ignore-scripts && \
     # remove any src code leftover (we only want dist)
     rm -r modules/*/src