Scan Dependencies in 2 Minutes
Critical vulnerabilities drop without warning. Your dependencies are your attack surface. If you're an indie hacker shipping code without automated security scans, you're one CVE away from a bad day. Here's how to fix it in 2 minutes.
Step 1: Enable Dependabot (Takes 10 Seconds)
Go to your repo → Settings → Code Security → Turn on alerts + auto PRs.
Now GitHub will open fix PRs for you automatically. It's like you have a free security advisor nudging you.
| Feature | Description |
|---|---|
| Automatic PRs | GitHub opens pull requests with dependency updates automatically |
| Security Alerts | Get notified immediately when vulnerabilities are found |
| Zero Config | Works out of the box, no setup required |
Step 2: Add This Tiny Workflow
Create `.github/workflows/security-scan.yml`:

````yaml
name: Security Scan

on:
  push:
    branches: [develop, main]
  pull_request:
    branches: [develop, main]
  schedule:
    # Nightly at 02:00 UTC (GitHub Actions cron runs in UTC)
    - cron: "0 2 * * *"
  workflow_dispatch:

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"

      - name: Setup pnpm
        uses: pnpm/action-setup@v2
        with:
          version: 8

      - name: Install dependencies
        run: pnpm install --no-frozen-lockfile

      # Each scanner writes into the job summary. The "||" keeps the step going
      # when the scanner exits non-zero because it found something; the
      # continue-on-error flags keep the job green even then, so the scans are
      # informational and do not block a PR on their own.
      - name: Run pnpm audit
        run: |
          echo "## PNPM Audit Results" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo '```' >> $GITHUB_STEP_SUMMARY
          pnpm audit --audit-level=moderate >> $GITHUB_STEP_SUMMARY 2>&1 || echo "Vulnerabilities found" >> $GITHUB_STEP_SUMMARY
          echo '```' >> $GITHUB_STEP_SUMMARY
        continue-on-error: true

      # Filesystem scan of the checkout (lockfiles, manifests, config).
      # @master tracks the action's default branch; pin a release tag or SHA
      # if you want the scanner version to change only when you choose.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: "fs"
          scan-ref: "."
          format: "table"
          severity: "CRITICAL,HIGH,MEDIUM"
          output: "trivy-results.txt"
        continue-on-error: true

      - name: Display Trivy results
        if: always()
        run: |
          echo "## Trivy Scan Results" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          if [ -f trivy-results.txt ]; then
            echo '```' >> $GITHUB_STEP_SUMMARY
            cat trivy-results.txt >> $GITHUB_STEP_SUMMARY
            echo '```' >> $GITHUB_STEP_SUMMARY
          else
            echo "No vulnerabilities found" >> $GITHUB_STEP_SUMMARY
          fi

      - name: Install OSV Scanner
        run: |
          curl -L -o osv-scanner https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64
          chmod +x osv-scanner

      # OSV Scanner exits non-zero when it finds vulnerabilities, hence "|| true".
      - name: Run OSV Scanner
        run: |
          echo "## OSV Scanner Results" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          ./osv-scanner --lockfile=pnpm-lock.yaml --format=table > osv-results.txt 2>&1 || true
          if [ -f osv-results.txt ] && [ -s osv-results.txt ]; then
            echo '```' >> $GITHUB_STEP_SUMMARY
            cat osv-results.txt >> $GITHUB_STEP_SUMMARY
            echo '```' >> $GITHUB_STEP_SUMMARY
          else
            echo "No vulnerabilities found" >> $GITHUB_STEP_SUMMARY
          fi
        continue-on-error: true

      - name: Upload scan results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-scan-results
          path: |
            trivy-results.txt
            osv-results.txt
          retention-days: 30
````

What You Get
- Runs on every push and pull request to main or develop, plus every night at 2 AM UTC (and on demand via workflow_dispatch)
- 3 free scanners: pnpm audit + Trivy + Google OSV
- Results show up directly in PR checks + summary tab
- No extra tools, no paid stuff
- Works with npm/yarn if you change 3 lines
💡 Takes 2 minutes to add. Your customers will thank you when the next critical vulnerability drops.
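One thing the workflow above does not do is fail the job: with `continue-on-error: true` on every scanner step, findings land in the summary but never block a merge. The script below is an added example, not part of the original post, of a small gate you could run after `pnpm audit --json > audit.json || true` to exit non-zero when anything at or above a chosen severity is present. It assumes the npm-style audit JSON shape (a `metadata.vulnerabilities` count block, plus per-entry `severity` fields under `advisories` in the older format or `vulnerabilities` in npm 7+); the sample report is constructed.

```python
"""Gate a CI job on the severity counts in an npm-style audit JSON report."""
import json
import sys

SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def count_by_severity(report):
    """Return {severity: count} for an audit report (dict parsed from JSON).

    Prefers metadata.vulnerabilities, which both pnpm's v6-style output and
    npm 7+ emit; falls back to tallying per-entry "severity" fields so a
    report without the metadata block is still counted rather than skipped.
    """
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    meta = report.get("metadata", {}).get("vulnerabilities")
    if isinstance(meta, dict):
        for sev in SEVERITY_ORDER:
            counts[sev] = int(meta.get(sev, 0))
        return counts
    entries = list(report.get("advisories", {}).values())  # v6: keyed by advisory id
    entries += list(report.get("vulnerabilities", {}).values())  # v7+: keyed by package
    for entry in entries:
        sev = entry.get("severity", "info")
        if sev in counts:
            counts[sev] += 1
    return counts


def should_fail(report, threshold="high"):
    """True when any finding is at or above the threshold severity."""
    counts = count_by_severity(report)
    floor = SEVERITY_ORDER.index(threshold)
    return any(counts[sev] > 0 for sev in SEVERITY_ORDER[floor:])


# Constructed sample in the v6 shape (package names and ids are made up).
SAMPLE_REPORT = {
    "advisories": {
        "1001": {"module_name": "example-pkg", "severity": "high", "title": "constructed"},
        "1002": {"module_name": "other-pkg", "severity": "low", "title": "constructed"},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0, "high": 1, "critical": 0}},
}

if __name__ == "__main__":
    # Usage: python audit_gate.py audit.json  (falls back to the sample when no file is given)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_REPORT
    counts = count_by_severity(data)
    print(" ".join(f"{sev}={counts[sev]}" for sev in SEVERITY_ORDER))
    sys.exit(1 if should_fail(data, "high") else 0)
```

Drop `continue-on-error` from a step that runs this script and the PR check turns red on high or critical findings while the summary tab keeps the full scanner output.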
Copy-Paste It Tonight and Sleep Better
- Create `.github/workflows/security-scan.yml` in your repository
- Copy the workflow above into it
- If using npm/yarn: change `pnpm` to `npm` or `yarn` in 3 places
- Adjust `node-version` to match your project (if needed)
- Commit, push, done. Check the Actions tab to see it run.