Security Scan Dependencies in 2 Minutes
Critical vulnerabilities drop without warning. Your dependencies are your attack surface. If you're an indie hacker shipping code without automated security scans, you're one CVE away from a bad day.
Here's how to fix it in 2 minutes.
Quick Setup
Get automated security scanning running in under 2 minutes:
Enable Dependabot
Go to your repo → Settings → Code Security and turn on Dependabot alerts and Dependabot security updates (alerts need the Dependency graph, which is on by default for public repositories).
GitHub will now open fix PRs for you automatically whenever a patched version of a vulnerable dependency exists. It's like having a free security advisor working 24/7. Still review each PR and let CI run before merging: a dependency bump is a supply-chain change like any other.
What you get:
| Feature | Description |
|---|---|
| Automatic PRs | GitHub opens pull requests bumping vulnerable dependencies to a patched version |
| Security Alerts | Get notified when a dependency in your lockfile matches an entry in the GitHub Advisory Database |
| Zero Config | Alerts and security-update PRs need no config file; only routine version updates need a dependabot.yml |
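The toggles above cover alerts and fix PRs for known vulnerabilities. Routine version updates, and updates to the GitHub Actions your workflows pin (where supply-chain drift usually hides), need a small config file. Here is an added example of that file; it is not part of the original page, and the weekly cadence, the grouping and the PR limit are choices you can change:

```yaml
# .github/dependabot.yml (added example, not from the original page)
version: 2
updates:
  # Routine bumps for the npm ecosystem; pnpm-lock.yaml, package-lock.json
  # and yarn.lock are all handled under "npm".
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    groups:
      # Collapse minor and patch bumps into one PR to keep review load sane;
      # major versions still arrive as individual PRs.
      minor-and-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]

  # Keep the actions in .github/workflows current as well. If you pin actions
  # to commit SHAs, Dependabot bumps the SHA and keeps the "# vX.Y.Z" comment.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Commit this next to the workflow file; Dependabot picks it up on the next scheduled run without any further settings change.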
Add security scan workflow
Create .github/workflows/security-scan.yml in your repository:
````yaml
name: Security Scan

on:
  push:
    branches: [develop, main]
  pull_request:
    branches: [develop, main]
  schedule:
    - cron: "0 2 * * *" # Runs daily at 02:00 UTC (Actions cron is always UTC)
  workflow_dispatch:

# Least privilege: nothing in this job writes to the repo, so grant read only.
permissions:
  contents: read

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: "20"

      - name: Setup pnpm
        # Reads the pnpm version from the "packageManager" field in package.json;
        # if your project has none, add "with: version: <pnpm version>" here.
        uses: pnpm/action-setup@v4

      - name: Install dependencies
        # Audit exactly what the lockfile pins. --no-frozen-lockfile lets pnpm
        # re-resolve versions, so you could scan something other than what ships.
        run: pnpm install --frozen-lockfile

      - name: Run pnpm audit
        # pnpm audit exits non-zero when it finds anything at or above
        # --audit-level. Drop continue-on-error to turn this step into a merge gate.
        continue-on-error: true
        run: |
          {
            echo "## PNPM Audit Results"
            echo ""
            echo '```'
          } >> "$GITHUB_STEP_SUMMARY"
          # Redirect order matters: ">> file 2>&1" captures both streams in the
          # summary; "2>&1 >> file" would leave stderr in the job log only.
          status=0
          pnpm audit --audit-level=moderate >> "$GITHUB_STEP_SUMMARY" 2>&1 || status=$?
          echo '```' >> "$GITHUB_STEP_SUMMARY"
          if [ "$status" -ne 0 ]; then
            echo "Vulnerabilities found" >> "$GITHUB_STEP_SUMMARY"
          fi
          exit "$status"

      - name: Run Trivy vulnerability scanner
        # Pin third-party actions to a release tag (better: a full commit SHA),
        # never to a moving branch such as @master: whoever controls that branch
        # controls this job.
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: "fs"
          scan-ref: "."
          format: "table"
          severity: "CRITICAL,HIGH,MEDIUM"
          output: "trivy-results.txt"
          # exit-code defaults to "0" (report only); set "1" to fail on findings.
        continue-on-error: true

      - name: Display Trivy results
        if: always()
        run: |
          echo "## Trivy Scan Results" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          if [ -f trivy-results.txt ]; then
            echo '```' >> "$GITHUB_STEP_SUMMARY"
            cat trivy-results.txt >> "$GITHUB_STEP_SUMMARY"
            echo '```' >> "$GITHUB_STEP_SUMMARY"
          else
            # A missing file means the scan did not complete, not a clean result.
            echo "trivy-results.txt was not produced; check the Trivy step log" >> "$GITHUB_STEP_SUMMARY"
          fi

      - name: Install OSV Scanner
        # "latest" is unpinned, so each run may download a different binary. For a
        # reproducible job, pin a release version in the URL and verify the
        # checksum published with that release before running it.
        # -f makes curl fail on an HTTP error instead of saving an error page.
        run: |
          curl -fsSL -o osv-scanner https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64
          chmod +x osv-scanner

      - name: Run OSV Scanner
        run: |
          echo "## OSV Scanner Results" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          # osv-scanner exits non-zero when it finds vulnerabilities; "|| true"
          # keeps this step reporting-only. Remove it to block instead.
          ./osv-scanner --lockfile=pnpm-lock.yaml --format=table > osv-results.txt 2>&1 || true
          if [ -s osv-results.txt ]; then
            echo '```' >> "$GITHUB_STEP_SUMMARY"
            cat osv-results.txt >> "$GITHUB_STEP_SUMMARY"
            echo '```' >> "$GITHUB_STEP_SUMMARY"
          else
            # The scanner always prints a summary, so an empty file means it did not run.
            echo "osv-scanner produced no output; check the step log" >> "$GITHUB_STEP_SUMMARY"
          fi

      - name: Upload scan results
        if: always()
        uses: actions/upload-artifact@v6
        with:
          name: security-scan-results
          path: |
            trivy-results.txt
            osv-results.txt
          retention-days: 30
````
Customize for your project
pnpm
No changes needed: the workflow above is already configured for pnpm.
npm
Remove the "Setup pnpm" step, point the OSV Scanner step at package-lock.json (--lockfile=package-lock.json) and replace the install and audit steps with these (npm ci needs a committed package-lock.json):
````yaml
      - name: Install dependencies
        run: npm ci

      - name: Run npm audit
        # npm audit exits non-zero at or above --audit-level; drop
        # continue-on-error to make it block.
        continue-on-error: true
        run: |
          {
            echo "## NPM Audit Results"
            echo ""
            echo '```'
          } >> "$GITHUB_STEP_SUMMARY"
          status=0
          npm audit --audit-level=moderate >> "$GITHUB_STEP_SUMMARY" 2>&1 || status=$?
          echo '```' >> "$GITHUB_STEP_SUMMARY"
          if [ "$status" -ne 0 ]; then
            echo "Vulnerabilities found" >> "$GITHUB_STEP_SUMMARY"
          fi
          exit "$status"
````
yarn
Remove the "Setup pnpm" step, point the OSV Scanner step at yarn.lock (--lockfile=yarn.lock) and replace the install and audit steps with these. They are the Yarn Classic (v1) commands; Yarn 2+ uses yarn install --immutable and yarn npm audit instead:
````yaml
      - name: Install dependencies
        run: yarn install --frozen-lockfile

      - name: Run yarn audit
        # yarn audit exits non-zero when it finds anything; drop
        # continue-on-error to make it block.
        continue-on-error: true
        run: |
          {
            echo "## Yarn Audit Results"
            echo ""
            echo '```'
          } >> "$GITHUB_STEP_SUMMARY"
          status=0
          yarn audit >> "$GITHUB_STEP_SUMMARY" 2>&1 || status=$?
          echo '```' >> "$GITHUB_STEP_SUMMARY"
          if [ "$status" -ne 0 ]; then
            echo "Vulnerabilities found" >> "$GITHUB_STEP_SUMMARY"
          fi
          exit "$status"
````
Commit and push
```shell
git add .github/workflows/security-scan.yml
git commit -m "Add automated security scanning"
git push
```
Check the Actions tab in your GitHub repository to see the workflow run.
What You Get
Once set up, your repository will have comprehensive security coverage:
Automated Scanning
- ✅ Runs on every push to main/develop branches
- ✅ Runs on all pull requests
- ✅ Runs daily at 02:00 UTC (catches vulnerabilities disclosed after your last push, when no commit would otherwise trigger a scan)
- ✅ Can be triggered manually via workflow_dispatch
Triple Defense
- pnpm audit: asks the npm registry's advisory endpoint (fed by the GitHub Advisory Database) about the exact versions in pnpm-lock.yaml
- Trivy: Aqua Security's open-source scanner; the fs scan reads the lockfiles and manifests in the checked-out tree and matches them against several advisory sources
- OSV Scanner: matches the lockfile against OSV.dev, the open vulnerability database maintained by Google that aggregates the GitHub Advisory Database, ecosystem advisories (npm, PyPA, Go and others) and more
Developer-Friendly Results
- Results appear in the PR's checks and in each run's summary; because every scanner step has continue-on-error: true, the check stays green and findings are reported, not enforced (drop the flag on a step to make it block)
- Summary tab shows formatted output
- Artifacts stored for 30 days for historical analysis
- No external dashboards needed
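Every scanner step in the workflow is marked continue-on-error, so it reports findings but never blocks a merge. The first time you drop that flag you also need a way to accept a finding you cannot fix yet without switching the gate back off. The script below is an added example, not code from the original page: it reads the report that `pnpm audit --json` writes and fails only on advisories at or above a severity threshold that are not covered by a documented waiver with an expiry date. The waiver file format (entries with ghsa, reason and expires), the script path `scripts/audit-gate.js`, the AUDIT_FAIL_ON variable and the sample report are this example's own assumptions; the report fields it reads (advisories keyed by id, each with severity, module_name, github_advisory_id and findings) are those of the npm-style audit report pnpm emits.

```javascript
// scripts/audit-gate.js: an added example, not part of the original workflow.
// Reads the report written by `pnpm audit --json` (npm-style: advisories keyed
// by id, each with severity, module_name, github_advisory_id and findings) and
// fails only on findings at or above a severity threshold that are not covered
// by an unexpired, documented waiver. The waiver file format is this example's own.
"use strict";

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// A waiver suppresses one advisory (by GHSA id). It must carry a reason and an
// expiry; once the expiry passes the finding blocks again, so exceptions get
// revisited instead of silently living forever.
function activeWaiver(advisory, waivers, now) {
  const waiver = waivers.find((w) => w.ghsa === advisory.github_advisory_id);
  if (!waiver || !waiver.reason || !waiver.expires) return null;
  const expires = new Date(waiver.expires);
  if (Number.isNaN(expires.getTime()) || expires <= now) return null;
  return waiver;
}

function gatePnpmAudit(report, { failOn = "high", waivers = [], now = new Date() } = {}) {
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown severity level: ${failOn}`);
  const result = { fail: false, blocking: [], waived: [], below: [] };
  for (const advisory of Object.values(report.advisories || {})) {
    // An unrecognised severity string is treated as critical, never ignored.
    const rank = SEVERITY_RANK[advisory.severity] ?? SEVERITY_RANK.critical;
    const entry = {
      id: advisory.github_advisory_id,
      module: advisory.module_name,
      severity: advisory.severity,
      paths: (advisory.findings || []).flatMap((f) => f.paths || []),
    };
    if (rank < threshold) {
      result.below.push(entry);
      continue;
    }
    const waiver = activeWaiver(advisory, waivers, now);
    if (waiver) {
      result.waived.push({ ...entry, reason: waiver.reason, expires: waiver.expires });
    } else {
      result.blocking.push(entry);
    }
  }
  result.fail = result.blocking.length > 0;
  return result;
}

// Constructed sample data for a stand-alone run; the GHSA ids are placeholders.
const SAMPLE_REPORT = {
  advisories: {
    "1": { github_advisory_id: "GHSA-xxxx-xxxx-xx01", module_name: "example-parser", severity: "critical",
           findings: [{ version: "1.0.0", paths: ["example-parser"] }] },
    "2": { github_advisory_id: "GHSA-xxxx-xxxx-xx02", module_name: "example-devtool", severity: "high",
           findings: [{ version: "2.3.0", paths: ["example-devtool"] }] },
    "3": { github_advisory_id: "GHSA-xxxx-xxxx-xx03", module_name: "example-util", severity: "moderate",
           findings: [{ version: "0.1.0", paths: ["example-app>example-util"] }] },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 1 } },
};
const SAMPLE_WAIVERS = [
  // Valid until 2099: suppresses the high finding.
  { ghsa: "GHSA-xxxx-xxxx-xx02", reason: "dev-only tool, not in the production bundle", expires: "2099-01-01" },
  // Expired in 2020: must not suppress the critical finding.
  { ghsa: "GHSA-xxxx-xxxx-xx01", reason: "awaiting upstream fix", expires: "2020-01-01" },
];

function printResult(result) {
  for (const w of result.waived) console.log(`waived   ${String(w.severity).padEnd(8)} ${w.module} (${w.id}) until ${w.expires}: ${w.reason}`);
  for (const b of result.blocking) console.log(`BLOCKING ${String(b.severity).padEnd(8)} ${b.module} (${b.id}) via ${b.paths.join(", ")}`);
  console.log(result.fail ? "audit gate: FAIL" : "audit gate: pass");
}

// CI usage:  pnpm audit --json > audit.json || true
//            node scripts/audit-gate.js audit.json audit-waivers.json
// With no arguments it runs on the constructed sample and always exits 0.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  const [reportPath, waiversPath] = process.argv.slice(2);
  const report = reportPath ? JSON.parse(fs.readFileSync(reportPath, "utf8")) : SAMPLE_REPORT;
  const waivers = waiversPath ? JSON.parse(fs.readFileSync(waiversPath, "utf8")) : SAMPLE_WAIVERS;
  const result = gatePnpmAudit(report, { failOn: process.env.AUDIT_FAIL_ON || "high", waivers });
  printResult(result);
  if (reportPath) process.exitCode = result.fail ? 1 : 0;
}
```

Run it as a step after the install: `pnpm audit --json > audit.json || true` first (the `|| true` is needed because pnpm audit exits non-zero whenever it finds anything, which under the runner's `bash -e` would stop the step before the gate runs), then `node scripts/audit-gate.js audit.json audit-waivers.json`. pnpm also has a built-in ignore list (`pnpm.auditConfig.ignoreCves` in package.json), but it has no expiry, which is exactly what turns a temporary exception into a permanent blind spot.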
Zero Cost
All three scanners are free and open source, with no account or credit card needed. The only metered resource is GitHub Actions minutes, which are free for public repositories and drawn from your plan's allowance for private ones.
Additional Resources
Want to learn more about security scanning and GitHub Actions?
GitHub Actions
Learn about GitHub's CI/CD platform and workflow automation
Trivy Documentation
Comprehensive security scanner for containers and dependencies
OSV Scanner
Google's vulnerability scanner for open source projects
💡 Takes 2 minutes to add. Your customers will thank you when the next critical vulnerability drops.
