security: add supply-chain IOC scanner (#1904)

2026-05-16 01:12:13 +08:00 · 2026-05-14 21:15:35 -04:00
parent 0e66c838c7
commit 7d15a2282b
7 changed files with 562 additions and 11 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -242,11 +242,16 @@ jobs:
        with:
          node-version: '20.x'

+      - name: Install audit dependencies
+        run: npm ci --ignore-scripts
+
      - name: Run npm audit
        run: |
          npm audit signatures
          npm audit --audit-level=high
-        continue-on-error: true  # Allows PR to proceed, but marks job as failed if vulnerabilities found
+
+      - name: Run supply-chain IOC scan
+        run: npm run security:ioc-scan

  lint:
    name: Lint