From 2cc01f792b76b13f16c13a9b2ead02625c083d8e Mon Sep 17 00:00:00 2001 From: Sonu Kapoor Date: Fri, 3 Jul 2026 12:29:08 -0400 Subject: [PATCH 1/3] ci: add CVE Lite dependency audit workflow --- .github/workflows/cve-lite.yml | 36 ++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 .github/workflows/cve-lite.yml diff --git a/.github/workflows/cve-lite.yml b/.github/workflows/cve-lite.yml new file mode 100644 index 000000000..a5e7c7a35 --- /dev/null +++ b/.github/workflows/cve-lite.yml @@ -0,0 +1,36 @@ +name: CVE Lite dependency audit + +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: + - cron: '0 6 * * 1' + +permissions: + contents: read + security-events: write + +jobs: + scan: + name: Scan dependencies + runs-on: ubuntu-latest + timeout-minutes: 10 + + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + + - name: Scan for vulnerabilities + uses: OWASP/cve-lite-cli@2eed959b8641042472d2810444393b88d5454e62 # v1 + with: + fail-on: high + sarif: 'true' + + - name: Upload SARIF to Code Scanning + if: always() && hashFiles('*.sarif') != '' + uses: github/codeql-action/upload-sarif@411bbbe57033eedfc1a82d68c01345aa96c737d7 # v4 + with: + sarif_file: cve-lite-*.sarif + category: cve-lite From b2fe0ea10dd226ec0d84dd6b80f88d1df06ca209 Mon Sep 17 00:00:00 2001 From: Sonu Kapoor Date: Sat, 4 Jul 2026 08:36:29 -0400 Subject: [PATCH 2/3] fix: use directory for SARIF upload to resolve glob resolution error --- .github/workflows/cve-lite.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cve-lite.yml b/.github/workflows/cve-lite.yml index a5e7c7a35..a330e48f9 100644 --- a/.github/workflows/cve-lite.yml +++ b/.github/workflows/cve-lite.yml @@ -29,8 +29,9 @@ jobs: sarif: 'true' - name: Upload SARIF to Code Scanning - if: always() && hashFiles('*.sarif') != '' + if: always() + continue-on-error: true uses: github/codeql-action/upload-sarif@411bbbe57033eedfc1a82d68c01345aa96c737d7 # v4 with: - sarif_file: cve-lite-*.sarif + sarif_file: . category: cve-lite From aa123525b0421d63ad2476680b4444bc1fb30b4a Mon Sep 17 00:00:00 2001 From: Sonu Kapoor Date: Sat, 4 Jul 2026 10:46:29 -0400 Subject: [PATCH 3/3] chore: bump cve-lite-cli action to v1.26.0 --- .github/workflows/cve-lite.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cve-lite.yml b/.github/workflows/cve-lite.yml index a330e48f9..1243ceb9d 100644 --- a/.github/workflows/cve-lite.yml +++ b/.github/workflows/cve-lite.yml @@ -23,7 +23,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Scan for vulnerabilities - uses: OWASP/cve-lite-cli@2eed959b8641042472d2810444393b88d5454e62 # v1 + uses: OWASP/cve-lite-cli@99b7b0dcd4c687116890515dbfa8f955871776cc # v1 with: fail-on: high sarif: 'true'