fixing linting commands and making workflow ignore unpatched libraries on scanning

MmagdyHafezZ · MmagdyHafezZ · commit 7605141d9d16 · 2025-07-29T10:06:07.000-04:00
diff --git a/.audit-ci.json b/.audit-ci.json
@@ -0,0 +1,15 @@
+{
+  "moderate": true,
+  "high": true,
+  "critical": true,
+  "advisories": ["1096727"],
+  "allowlist": {
+    "1096727": {
+      "reason": "request package - SSRF vulnerability but no patch available. Used by octonode dependency.",
+      "expiry": "2025-12-31"
+    }
+  },
+  "report-type": "full",
+  "output-format": "text",
+  "skip-dev": false
+}
diff --git a/.github/workflows/build-images.yml b/.github/workflows/build-images.yml
@@ -60,7 +60,7 @@ jobs:
         run: yarn install --frozen-lockfile
 
       - name: Run dependency security audit
-        run: yarn audit --groups dependencies --level moderate
+        run: yarn security:audit
 
       - name: Run detect-secrets
         run: |
@@ -90,10 +90,10 @@ jobs:
         run: yarn install --frozen-lockfile
       
       - name: Run linting for ${{ matrix.app }}
-        run: turbo run lint --filter=${{ matrix.app }}
+        run: yarn lint --filter=${{ matrix.app }} --fix
       
       - name: Run tests for ${{ matrix.app }}
-        run: turbo run test --filter=${{ matrix.app }} -- --coverage --watchAll=false
+        run: yarn test --filter=${{ matrix.app }} -- --coverage --watchAll=false
 
       - name: Upload coverage reports to Codecov
         uses: codecov/codecov-action@v4
diff --git a/package.json b/package.json
@@ -37,6 +37,8 @@
     "secrets:check": "scripts/detect-secrets.sh",
     "secrets:check:staged": "scripts/detect-secrets-staged.sh",
     "secrets:setup": "detect-secrets scan --update .secrets.baseline",
+    "security:audit": "audit-ci --config .audit-ci.json",
+    "security:audit-better": "better-npm-audit audit --level moderate",
     "seed:update": "turbo run seed:update --filter=api",
     "setup": "[ -d \"$(git rev-parse --show-toplevel)/apps/api\" ] && cd \"$(git rev-parse --show-toplevel)/apps/api\" && dotenv -e ./dev.env -- npx prisma migrate dev && npx prisma generate; cd $(git rev-parse --show-toplevel)",
     "setup:no-git": "cd ./apps/api && dotenv -e ./dev.env -- npx prisma migrate dev && npx prisma generate; cd ../../",
@@ -96,6 +98,8 @@
     "zod": "^3.23.5"
   },
   "devDependencies": {
+    "audit-ci": "^7.1.0",
+    "better-npm-audit": "^3.8.0",
     "detect-secrets": "^1.0.6",
     "dotenv-cli": "^8.0.0",
     "prettier": "^3.5.3",
