Problem
Frilingo currently does not include automated dependency vulnerability scanning or static security analysis.
As the project grows and introduces more dependencies, security risks may go unnoticed without automated checks. However, security tooling should not be added blindly without understanding its purpose, configuration, and maintenance costs.
Before introducing security automation, we want to study and evaluate:
- GitHub Actions workflow structure
- npm audit vulnerability scanning
- GitHub CodeQL static analysis
- How these tools fit into the project's development workflow
Proposed Solution
After gaining a basic understanding of the related tools, add the following security checks:
- GitHub Actions workflow for automated security checks
- npm audit execution in CI
- CodeQL workflow for static code analysis
The goal is to establish a minimal security baseline for the project while keeping the workflow simple and maintainable.
Acceptance Criteria
- A security workflow is added to .github/workflows
- npm audit runs automatically on pull requests
- CodeQL analysis runs automatically on pull requests and pushes to main
- Documentation explains what each security tool does and how to interpret failures
Alternatives
- Rely only on manual dependency updates
- Use Dependabot alerts without CI enforcement
- Adopt third-party security platforms such as Snyk in the future if project complexity increases
Additional Context
This issue is intentionally postponed until the fundamentals of GitHub Actions, npm audit, and CodeQL are understood.
The purpose of this task is not only to enable security tooling but also to learn:
- CI/CD fundamentals
- Dependency vulnerability management
- Static Application Security Testing (SAST)
- Open-source project security practices
This should be revisited after the v0.1 MVP is functional.