From 7284c9578012acab8c92bf39156cce16352eba35 Mon Sep 17 00:00:00 2001
From: schapron
Date: Wed, 4 Feb 2026 15:19:16 +0100
Subject: [PATCH 1/2] ci(secu): analyse pipeline for direct nodejs dependencies installations
---
 .github/workflows/dependency-analysis.yml | 26 +++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/.github/workflows/dependency-analysis.yml b/.github/workflows/dependency-analysis.yml
index 8f6b41e..89eeed7 100644
--- a/.github/workflows/dependency-analysis.yml
+++ b/.github/workflows/dependency-analysis.yml
@@ -174,6 +174,32 @@ jobs:
 fi
 echo "fail_the_build=$FAIL_THE_BUILD" >> "$GITHUB_ENV"
 cat $GITHUB_ENV
+
+ ## POC list and block direct nodeJS dependencies installations
+ # TODO : remove this section when all workflows will be compliant
+
+ ## Scan for direct NodeJS dependencies installations without --frozen-lockfile
+ echo "[INFO] - Scan for direct NodeJS dependencies installations without --frozen-lockfile"
+ ERROR=0
+ # TODO Fill error_log with issues to add them in the PR comment
+ for file in $(find .github -type f -name "*.yml" -o -name "*.yaml"); do
+ if grep -E 'pnpm install( [^-\n][^"]*)?$' "$file" | grep -v -- '--frozen-lockfile'; then
+ echo "[ERROR] - Installation NodeJS sans --frozen-lockfile trouvée dans $file"
+ ERROR=1
+ fi
+ if grep -E 'yarn install( [^-\n][^"]*)?$' "$file" | grep -v -- '--frozen-lockfile'; then
+ echo "[ERROR] - Installation NodeJS sans --frozen-lockfile trouvée dans $file"
+ ERROR=1
+ fi
+ if grep -E 'npm install( [^-\n][^"]*)?$' "$file" | grep -v -- '--frozen-lockfile'; then
+ echo "[ERROR] - Installation NodeJS sans --frozen-lockfile trouvée dans $file"
+ ERROR=1
+ fi
+ done
+ if [ $ERROR -eq 1 ]; then
+ echo "[ERROR] - Des installations NodeJS non conformes ont été trouvées."
+ exit 1
+ fi
 shell: bash
 - name: comment_PR
 
From ef5731db87ccc3a8e5d875731afbb4bb775152c2 Mon Sep 17 00:00:00 2001
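Review bot: The bracket expression `[^-\n]` in the three `grep -E` patterns does not mean "not a dash or newline" — inside brackets `\n` is the two literal characters `\` and `n`, so an install whose first argument starts with `n` is skipped, and because the group also rejects a leading `-`, `pnpm install --no-frozen-lockfile` is not reported either. A stricter form is to match every `pnpm|yarn|npm install` line and then filter out only lines carrying a lockfile-pinning flag; note that npm has no `--frozen-lockfile` option (its lockfile-only mode is `npm ci`), so the npm branch as written cannot distinguish a pinned install and should say so in a comment. The `for file in $(find …)` loop word-splits paths and, since `-o` binds looser than the implicit `-a`, applies `-type f` only to `*.yml`; a NUL-delimited `while read` fed by process substitution keeps `ERROR=1` in the current shell. The same lines are touched again by both hunks of the second patch, and the enclosing `run:` step starts outside the hunk.
```yaml
# … unchanged: [INFO] banner, ERROR=0 and the TODO about error_log …
while IFS= read -r -d '' file; do
  # Report any install line that is not pinned to the lockfile. npm has no
  # --frozen-lockfile flag, so every `npm install` is reported: use `npm ci`.
  if grep -E -- '(pnpm|yarn|npm) install( |$)' "$file" \
      | grep -Ev -- '--frozen-lockfile|--immutable'; then   # --immutable: Yarn 2+
    # … unchanged: [ERROR] echo and ERROR=1 …
  fi
done < <(find .github -type f \( -name '*.yml' -o -name '*.yaml' \) -print0)
# … unchanged: final ERROR check and exit 1 …
```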
From: schapron
Date: Wed, 4 Feb 2026 15:40:07 +0100
Subject: [PATCH 2/2] translate
---
 .github/workflows/dependency-analysis.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/dependency-analysis.yml b/.github/workflows/dependency-analysis.yml
index 89eeed7..74b2531 100644
--- a/.github/workflows/dependency-analysis.yml
+++ b/.github/workflows/dependency-analysis.yml
@@ -176,7 +176,7 @@ jobs:
 cat $GITHUB_ENV
 
 ## POC list and block direct nodeJS dependencies installations
- # TODO : remove this section when all workflows will be compliant
+ # TODO: remove this section when all workflows will be compliant
 
 ## Scan for direct NodeJS dependencies installations without --frozen-lockfile
 echo "[INFO] - Scan for direct NodeJS dependencies installations without --frozen-lockfile"
@@ -184,20 +184,20 @@ jobs:
 # TODO Fill error_log with issues to add them in the PR comment
 for file in $(find .github -type f -name "*.yml" -o -name "*.yaml"); do
 if grep -E 'pnpm install( [^-\n][^"]*)?$' "$file" | grep -v -- '--frozen-lockfile'; then
- echo "[ERROR] - Installation NodeJS sans --frozen-lockfile trouvée dans $file"
+ echo "[ERROR] - NodeJS installation without --frozen-lockfile found in $file"
 ERROR=1
 fi
 if grep -E 'yarn install( [^-\n][^"]*)?$' "$file" | grep -v -- '--frozen-lockfile'; then
- echo "[ERROR] - Installation NodeJS sans --frozen-lockfile trouvée dans $file"
+ echo "[ERROR] - NodeJS installation without --frozen-lockfile found in $file"
 ERROR=1
 fi
- if grep -E 'npm install( [^-\n][^"]*)?$' "$file" | grep -v -- '--frozen-lockfile'; then
- echo "[ERROR] - Installation NodeJS sans --frozen-lockfile trouvée dans $file"
+ if grep -E 'npm install( [^-\n][^"]*)?$' "$file" | grep -v -- '--frozen-lockfile'; then
+ echo "[ERROR] - NodeJS installation without --frozen-lockfile found in $file"
 ERROR=1
 fi
 done
 if [ $ERROR -eq 1 ]; then
- echo "[ERROR] - Des installations NodeJS non conformes ont été trouvées."
+ echo "[ERROR] - Non-compliant NodeJS installations were found."
 exit 1
 fi
 shell: bash