safeinsights · battibatch · Jan 29, 2026 · Jan 29, 2026 · Jan 29, 2026 · Jan 29, 2026
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -17,3 +17,25 @@ jobs:
               run: npm i
             - name: Run Specs
               run: npm run ci
+            - name: Run Trivy vulnerability scanner in fs mode
+              uses: aquasecurity/trivy-action@0.28.0
+              with:
+                  scan-type: 'fs'
+                  scan-ref: '.'
+                  trivy-config: trivy.yaml
+            - name: Run SonarQube SAST Scan
+              uses: SonarSource/sonarqube-scan-action@v6
+              env:
+                  SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+                  SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+            # If you wish to fail your job when the Quality Gate is red, uncomment the
+            # following lines. This would typically be used to fail a deployment.
+            - name: Check SonarQube SAST Sca
+              uses: SonarSource/sonarqube-quality-gate-action@v1
+              timeout-minutes: 5
+              env:
+                  SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+            - name: Typecheck
+              run: npm run typecheck
+            - name: Unit Test
+              run: npm run test