Critical vulnerabilities drop without warning. Your dependencies are your attack surface. If you're an indie hacker shipping code without automated security scans, you're one CVE away from a bad day. Here's how to fix it in 2 minutes.
Go to your repo → Settings → Code security → turn on Dependabot alerts and Dependabot security updates (the automatic fix PRs).
Now GitHub will open fix PRs for you automatically. It's like having a free security advisor nudging you.
- GitHub opens pull requests with dependency updates automatically
- Get notified immediately when vulnerabilities are found
- Works out of the box, no setup required
````yaml
name: Security Scan

on:
  push:
    branches: [develop, main]
  pull_request:
    branches: [develop, main]
  schedule:
    # Nightly at 02:00 UTC, so advisories published between commits are still caught
    - cron: '0 2 * * *'
  workflow_dispatch:

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Setup pnpm
        uses: pnpm/action-setup@v2
        with:
          version: 8

      - name: Install dependencies
        # --no-frozen-lockfile lets pnpm rewrite pnpm-lock.yaml when it disagrees with
        # package.json; use --frozen-lockfile if the audited lockfile must be the committed one
        run: pnpm install --no-frozen-lockfile

      - name: Run pnpm audit
        # Redirect stdout to the summary first, then send stderr to the same place.
        # "2>&1 >> file" would leave stderr in the job log and out of the summary.
        run: |
          echo "## PNPM Audit Results" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo '```' >> $GITHUB_STEP_SUMMARY
          pnpm audit --audit-level=moderate >> $GITHUB_STEP_SUMMARY 2>&1 || echo "Vulnerabilities found" >> $GITHUB_STEP_SUMMARY
          echo '```' >> $GITHUB_STEP_SUMMARY
        # continue-on-error keeps the job green even with findings; drop it (or add a
        # final gate step) if scans should block merges
        continue-on-error: true

      - name: Run Trivy vulnerability scanner
        # @master floats; pin a release tag or commit SHA for reproducible runs
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'table'
          severity: 'CRITICAL,HIGH,MEDIUM'
          output: 'trivy-results.txt'
        continue-on-error: true

      - name: Display Trivy results
        if: always()
        run: |
          echo "## Trivy Scan Results" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          # -s: the report exists and is non-empty
          if [ -s trivy-results.txt ]; then
            echo '```' >> $GITHUB_STEP_SUMMARY
            cat trivy-results.txt >> $GITHUB_STEP_SUMMARY
            echo '```' >> $GITHUB_STEP_SUMMARY
          else
            echo "No vulnerabilities found" >> $GITHUB_STEP_SUMMARY
          fi

      - name: Install OSV Scanner
        # Pulls the latest build unverified; pin a release and check its published checksum
        run: |
          curl -L -o osv-scanner https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64
          chmod +x osv-scanner

      - name: Run OSV Scanner
        run: |
          echo "## OSV Scanner Results" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          # osv-scanner exits non-zero when it finds vulnerabilities; || true keeps the step going
          ./osv-scanner --lockfile=pnpm-lock.yaml --format=table > osv-results.txt 2>&1 || true
          if [ -s osv-results.txt ]; then
            echo '```' >> $GITHUB_STEP_SUMMARY
            cat osv-results.txt >> $GITHUB_STEP_SUMMARY
            echo '```' >> $GITHUB_STEP_SUMMARY
          else
            echo "No vulnerabilities found" >> $GITHUB_STEP_SUMMARY
          fi
        continue-on-error: true

      - name: Upload scan results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-scan-results
          path: |
            trivy-results.txt
            osv-results.txt
          retention-days: 30
````

💡 Takes 2 minutes to add. Your customers will thank you when the next critical vulnerability drops.
To adapt it:

- Create `.github/workflows/security-scan.yml` in your repository
- Change pnpm to npm or yarn in 3 places
- Update node-version to match your project (if needed)
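The three scan steps above share one pattern: run a scanner, copy its output into the job summary, and swallow its exit status. The script below is an added example, not code from the original post, that folds the pattern into one reusable step body: it captures stdout and stderr in the correct order, writes both to the summary, and hands the scanner's exit status back so a final gate can fail the job instead of `continue-on-error` hiding findings. `GITHUB_STEP_SUMMARY` is the variable the GitHub runner provides and the workflow already uses (defaulted for local runs); `run_scan`, `gate` and `fake_scanner` are names chosen here, and `fake_scanner` is a constructed stand-in for pnpm audit or osv-scanner, not a real tool.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a reusable step body for security
# scanners in a GitHub Actions job. Assumes GITHUB_STEP_SUMMARY is set by the
# runner; falls back to a local file so it can be run on a workstation.

# run_scan <title> <output-file> <command...>
# Appends "## <title>" plus a fenced copy of the command's combined output to
# the step summary and returns the command's own exit status.
run_scan() {
  local title="$1" out="$2"
  shift 2
  local summary="${GITHUB_STEP_SUMMARY:-./step-summary.md}"
  local rc=0
  # Order matters: redirect stdout to the file first, then point stderr at it.
  # The reverse ("2>&1 >file") would leave stderr in the job log only.
  "$@" >"$out" 2>&1 || rc=$?
  {
    printf '## %s\n\n' "$title"
    if [ -s "$out" ]; then
      printf '\140\140\140\n'   # \140 is a backtick (octal): opens the fenced block
      cat "$out"
      printf '\140\140\140\n'
    else
      echo "No output produced"
    fi
    printf '\nExit status: %s\n\n' "$rc"
  } >>"$summary"
  return "$rc"
}

# gate <status>...
# Succeeds only if every scanner exited 0; a final step can `exit 1` on failure
# so findings block the merge instead of being hidden by continue-on-error.
gate() {
  local status
  for status in "$@"; do
    [ "$status" -eq 0 ] || return 1
  done
  return 0
}

# Constructed stand-in for a scanner that found something: writes to both
# streams and exits 1, as pnpm audit and osv-scanner do on findings.
fake_scanner() {
  echo "1 moderate severity vulnerability found"
  echo "warning: lockfile is older than package.json" >&2
  return 1
}

main() {
  export GITHUB_STEP_SUMMARY="${GITHUB_STEP_SUMMARY:-$(mktemp)}"
  local workdir audit_rc=0 osv_rc=0
  workdir="$(mktemp -d)"
  run_scan "PNPM Audit Results" "$workdir/audit.txt" fake_scanner || audit_rc=$?
  run_scan "OSV Scanner Results" "$workdir/osv.txt" true || osv_rc=$?   # `true`: a clean scan
  cat "$GITHUB_STEP_SUMMARY"
  if gate "$audit_rc" "$osv_rc"; then
    echo "No findings"
  else
    echo "Findings present: a gate step would exit 1 here to fail the job"
  fi
}

main
```

In a workflow, `run_scan "PNPM Audit Results" audit.txt pnpm audit --audit-level=moderate` replaces the echo block of the audit step, and a last step running `gate` over the collected statuses decides whether the job passes.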