- OWASP Dependency Check scan must be run on each opened pull request
- Merge all successfully checked pull requests into the main branch
- OWASP Dependency Check scan must be run on each push to main branch
- Project must use NPM or YARN
The OWASP-prepared GitHub Action for SCA (software composition analysis, i.e. OWASP Dependency Check) and automerge-action have been used.
Repository files:
- `push_main.yml` performs scans on each push to the main branch
- `pull_open.yml` performs scans on each opened pull request
- `pull_merge.yml` automerges pull requests to main (triggered by `pull_open.yml`)
Additionally, branch protection has been set to allow merging only after CI has finished.
Finally, auto-merge has been enabled.
NOTE: According to the GitHub documentation, only users with read/write permissions on the repository are able to auto-merge. Pull requests from public forks won't merge automagically.
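The two PR-side workflows described above, written out as an added illustration (this is not the repository's own `pull_open.yml` / `pull_merge.yml`). It assumes the `dependency-check/Dependency-Check_Action` and `pascalgn/automerge-action` actions with the inputs shown, a job named `sca-pull-request`, and that the automerge step is driven by the `workflow_run` event; the important detail is `--failOnCVSS`, without which the scan step never fails and the branch-protection check is green regardless of findings:

```yaml
# pull_open.yml (illustrative): scan every opened/updated PR with OWASP Dependency Check
name: sca-pull-request
on:
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  contents: read

jobs:
  depcheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Install so that package-lock.json and node_modules are available to the Node analyzers
      - name: Install dependencies
        run: npm ci

      - name: OWASP Dependency Check
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: todo-app          # assumed project name
          path: '.'
          format: 'HTML'
          # Fail the job on any dependency with CVSS >= 7; a failing job blocks auto-merge
          args: >
            --failOnCVSS 7
            --enableRetired

      - name: Upload report
        if: always()                 # keep the report even when the scan fails the job
        uses: actions/upload-artifact@v4
        with:
          name: depcheck-report
          path: ${{ github.workspace }}/reports
---
# pull_merge.yml (illustrative): merge only after the scan workflow succeeded
name: automerge
on:
  workflow_run:
    workflows: [sca-pull-request]
    types: [completed]

jobs:
  automerge:
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    steps:
      - uses: pascalgn/automerge-action@v0.16.3
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          MERGE_LABELS: ""           # assumption: no label gating, every green PR is merged
```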
A simple buggy todo app
```sh
git clone https://github.com/qxb3/todo-app.git
cd todo-app
npm install # or yarn
# Running development
npm run dev
# Building
npm run build
```
Just make a PR and hope for the best :)