worms-ctrl/.github/workflows/socket-security.yml at main · miccy/worms-ctrl · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
# Socket Security GitHub Actions Workflow
# Runs Socket Security scans on every commit and PR
# Docs: https://docs.socket.dev/docs/socket-for-github-actions

name: Socket Security Scan

on:
  push:
    branches: ['main', 'develop', '*-dev']
  pull_request:
    types: [opened, synchronize, reopened]
  issue_comment:
    types: [created]

# Prevent concurrent runs for the same commit
concurrency:
  group: socket-scan-${{ github.ref }}-${{ github.sha }}
  cancel-in-progress: true

jobs:
  socket-security:
    name: Socket Security Analysis
    runs-on: ubuntu-latest
    permissions:
      issues: write
      contents: read
      pull-requests: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # For PRs, fetch one additional commit for proper diff analysis
          fetch-depth: ${{ github.event_name == 'pull_request' && 2 || 0 }}

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install Socket CLI (Python)
        run: pip install socketsecurity --upgrade

      - name: Install Socket CLI (npm)
        run: npm install -g socket

      - name: Run Socket Security Scan
        env:
          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}
          GH_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Check for API key
          if [ -z "$SOCKET_SECURITY_API_KEY" ]; then
            echo "::warning::SOCKET_SECURITY_API_KEY not found. Skipping Socket Security scan."
            exit 0
          fi

          # Determine PR number based on event type
          PR_NUMBER=0
          if [ "${{ github.event_name }}" == "pull_request" ]; then
            PR_NUMBER=${{ github.event.pull_request.number }}
          elif [ "${{ github.event_name }}" == "issue_comment" ]; then
            PR_NUMBER=${{ github.event.issue.number }}
          fi

          # Run Socket CLI scan
          # The CLI automatically detects:
          # - Repository name from git
          # - Branch name from git
          # - Commit SHA from git
          # - Commit message from git
          # - Default branch status from git and GitHub environment
          # - Changed files from git commit
          socketcli \
            --target-path $GITHUB_WORKSPACE \
            --scm github \
            --pr-number $PR_NUMBER