1. OWASP Dependency Check scan must be run on each opened pull request
2. Push all successfully checked pull requests to main branch
3. OWASP Dependency Check scan must be run on each push to main branch
4. Project must use NPM or YARN

OWASP-prepared action for SCA on GitHub and automerge-action has been used.

Repository files:

• push_main.yml performs scans on each push to main branch
• pull_open.yml performs scans on each opened pull request
• pull_merge.yml automerges pull requests to main (triggered by pull_open)

Additionally branch protection has been set to only allow merge when CI has finished.

Finally auto-merge has been enabled.

NOTE: According to GitHub documentation only users with r/w permissions to repository are able to auto-merge. Public forks won't merge automagically.

A simple buggy todo app

git clone https://github.com/qxb3/todo-app.git
cd todo-app
npm install #or yarn

# Running development
npm run dev

# Building
nom run build

Just make a pr and hope for the best :)