mirror of
https://github.com/ruvnet/RuView.git
synced 2026-07-10 01:30:01 +00:00
Some checks failed
Security Scanning / Container Security Scan (push) Has been cancelled
Security Scanning / Infrastructure Security Scan (push) Has been cancelled
Continuous Deployment / Pre-deployment Checks (push) Has been cancelled
Continuous Integration / Code Quality & Security (push) Has been cancelled
Continuous Integration / Tests (push) Has been cancelled
Continuous Integration / Tests-1 (push) Has been cancelled
Continuous Integration / Tests-2 (push) Has been cancelled
Firmware CI / Build ESP32-S3 Firmware (4mb) (push) Has been cancelled
Firmware CI / Build ESP32-S3 Firmware (8mb) (push) Has been cancelled
Continuous Deployment / Rollback Deployment (push) Has been cancelled
Continuous Deployment / Deploy to Staging (push) Has been cancelled
Continuous Deployment / Deploy to Production (push) Has been cancelled
Security Scanning / Static Application Security Testing (push) Has been cancelled
Security Scanning / Dependency Vulnerability Scan (push) Has been cancelled
Continuous Integration / Rust Workspace Tests (push) Has been cancelled
Firmware QEMU Tests (ADR-061) / Build Espressif QEMU (push) Has been cancelled
Firmware QEMU Tests (ADR-061) / Fuzz Testing (ADR-061 Layer 6) (push) Has been cancelled
Firmware QEMU Tests (ADR-061) / NVS Matrix Generation (push) Has been cancelled
Security Scanning / Secret Scanning (push) Has been cancelled
Security Scanning / License Compliance Scan (push) Has been cancelled
Security Scanning / Security Policy Compliance (push) Has been cancelled
Continuous Deployment / Post-deployment Monitoring (push) Has been cancelled
Continuous Deployment / Notify Deployment Status (push) Has been cancelled
Continuous Integration / Performance Tests (push) Has been cancelled
Continuous Integration / Docker Build & Test (push) Has been cancelled
Continuous Integration / API Documentation (push) Has been cancelled
Continuous Integration / Notify (push) Has been cancelled
Firmware QEMU Tests (ADR-061) / QEMU Test (boundary-max) (push) Has been cancelled
Firmware QEMU Tests (ADR-061) / QEMU Test (boundary-min) (push) Has been cancelled
Firmware QEMU Tests (ADR-061) / QEMU Test (default) (push) Has been cancelled
Firmware QEMU Tests (ADR-061) / QEMU Test (edge-tier0) (push) Has been cancelled
Firmware QEMU Tests (ADR-061) / QEMU Test (edge-tier1) (push) Has been cancelled
Firmware QEMU Tests (ADR-061) / QEMU Test (full-adr060) (push) Has been cancelled
Firmware QEMU Tests (ADR-061) / QEMU Test (tdm-3node) (push) Has been cancelled
Firmware QEMU Tests (ADR-061) / Swarm Test (ADR-062) (push) Has been cancelled
Security Scanning / Security Report (push) Has been cancelled
* security: pin GitHub Actions to SHAs and bump vulnerable npm deps (#442) Addresses confirmed findings from issue #442 (Pentesterra/DevGuard). GitHub Actions — pin all third-party Action references in security-scan.yml and ci.yml to verified commit SHAs (with the matching version in a trailing comment for legibility): * snyk/actions/python -> v1.0.0 * aquasecurity/trivy-action -> v0.36.0 (security-scan.yml + ci.yml) * bridgecrewio/checkov-action -> v12.1347.0 * tenable/terrascan-action -> v1.4.1 * checkmarx/kics-github-action -> v2.1.20 (the action #442 named) * trufflesecurity/trufflehog -> v3.95.2 Verification: grep -rE 'uses:.*@(main|master|latest)$' .github/workflows/ returns no matches. npm deps in ui/mobile — add `overrides` forcing patched versions of the three packages flagged by the DevGuard scanner, regenerate package-lock.json: * @xmldom/xmldom@0.8.11 -> 0.8.13 * node-forge@1.3.3 -> ^1.4.0 (closes 3 HIGH advisories) * picomatch@2.3.1 -> ^2.3.2 (transitive in jest tooling) npm audit totals: 25 -> 22 advisories (5 HIGH -> 2 HIGH). Out of scope for this PR (tracked separately): * Sensing-server unauth REST API surface — opened as #443 pending design-intent confirmation from @ruvnet. * Bearer-token-shaped string in git history — confirmed test seed per repo owner; no rotation required. Refs: #442 Co-Authored-By: claude-flow <ruv@ruv.net> * chore: add Dependabot config for github-actions and ui/mobile npm (#442) Pairs with the SHA pinning from the previous commit so the pinned versions get automated weekly bumps rather than drifting back to mutable refs over time. Scoped to the two ecosystems #442 surfaced findings in: * github-actions (root) — the supply-chain risk * npm (ui/mobile) — the @xmldom/xmldom, node-forge, picomatch advisories Other ecosystems (pip, cargo, desktop UI npm) deliberately omitted — they can be added in a separate PR if desired. Refs: #442 Co-Authored-By: claude-flow <ruv@ruv.net> * chore(dependabot): expand to pip, cargo, and desktop UI npm (#442) Broadens the Dependabot config from the initial 2 ecosystems (github-actions + ui/mobile npm) to cover all 5 package surfaces in the repo so pinned dependencies stay current across the board: + npm /v2/crates/wifi-densepose-desktop/ui (vite advisory live) + pip / (requirements.txt loose pins) + cargo /v2 (no cargo audit in CI yet) Marginal cost is zero — Dependabot only opens PRs when an upstream bump exists, and per-ecosystem pull-request limits cap the noise. Each ecosystem labelled distinctly so PRs route cleanly. Refs: #442 Co-Authored-By: claude-flow <ruv@ruv.net> --------- Co-authored-by: claude-flow <ruv@ruv.net>
58 lines
1.7 KiB
YAML
58 lines
1.7 KiB
YAML
version: 2
|
|
updates:
|
|
# Keep all third-party GitHub Actions on verified, pinned commit SHAs.
|
|
# Pairs with the SHA pinning in security-scan.yml and ci.yml so that
|
|
# future bumps stay automated and reviewable rather than drifting back
|
|
# to mutable @master / @main refs. See issue #442.
|
|
- package-ecosystem: github-actions
|
|
directory: /
|
|
schedule:
|
|
interval: weekly
|
|
open-pull-requests-limit: 5
|
|
labels:
|
|
- dependencies
|
|
- github-actions
|
|
|
|
# Mobile app npm deps. Includes the @xmldom/xmldom, node-forge, and
|
|
# picomatch advisories from #442 plus axios and any future surface.
|
|
- package-ecosystem: npm
|
|
directory: /ui/mobile
|
|
schedule:
|
|
interval: weekly
|
|
open-pull-requests-limit: 10
|
|
labels:
|
|
- dependencies
|
|
- mobile
|
|
|
|
# Desktop UI npm deps. Direct vite devDep currently has a HIGH advisory
|
|
# (dev-server-only path traversal); track future bumps automatically.
|
|
- package-ecosystem: npm
|
|
directory: /v2/crates/wifi-densepose-desktop/ui
|
|
schedule:
|
|
interval: weekly
|
|
open-pull-requests-limit: 5
|
|
labels:
|
|
- dependencies
|
|
- desktop
|
|
|
|
# Python deps used by v1/ and the FastAPI service. requirements.txt is
|
|
# only loosely pinned; let Dependabot surface upstream CVE bumps.
|
|
- package-ecosystem: pip
|
|
directory: /
|
|
schedule:
|
|
interval: weekly
|
|
open-pull-requests-limit: 10
|
|
labels:
|
|
- dependencies
|
|
- python
|
|
|
|
# Rust workspace (15+ crates). cargo audit is not currently wired into
|
|
# any workflow, so Dependabot is the primary automated bump path.
|
|
- package-ecosystem: cargo
|
|
directory: /v2
|
|
schedule:
|
|
interval: weekly
|
|
open-pull-requests-limit: 10
|
|
labels:
|
|
- dependencies
|
|
- rust
|