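---
# Audits the production dependency tree against the OSS Index vulnerability
# database whenever the manifest, lockfile, allow-list or this workflow changes.
name: CVE Scanning for Node.js

# The default GITHUB_TOKEN only needs to read the repository for this job;
# grant nothing else so a compromised scanner cannot write to the repo.
permissions:
  contents: read

on:  # yamllint disable-line rule:truthy
  push:
    paths:
      - 'package.json'
      - 'package-lock.json'
      - 'allow-list.json'
      - '.github/workflows/cve-scanning-node.yml'

jobs:
  scan:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Quoted so no YAML loader can reinterpret the value.
        node-version: ['16.x']
    steps:
      - uses: actions/checkout@v3

      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v3
        with:
          node-version: ${{ matrix.node-version }}

      # Install exactly the locked production tree so the scan reports on the
      # dependencies that actually ship, rather than on a fresh resolution of
      # package.json (the previous `npm config set package-lock false` step
      # discarded the lockfile). `npm ci` fails when package-lock.json is
      # missing or out of sync with package.json, which is itself a finding
      # worth surfacing in this workflow.
      - run: npm ci --omit=dev

      # auditjs is fetched at whatever version npx resolves at run time, so the
      # scanner is an unpinned dependency of the scan; pin it once a version is
      # chosen (e.g. `npx --yes auditjs@<pinned-version> ossi ...`).
      # Findings listed in allow-list.json are suppressed; review that file as
      # carefully as a code change.
      - run: npx --yes auditjs ossi --whitelist allow-list.json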