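---
# Security Scan workflow: dependency audit, dependency review on PRs, CodeQL,
# secret scanning and a license allow-list check.
# NOTE(review): third-party actions are referenced by major tag (@v4 / @v3).
# Pinning each `uses:` to a full commit SHA (with the tag in a trailing comment)
# protects against a moved or compromised tag; SHAs are intentionally not
# filled in here and must be taken from each action's release page.
name: Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Run weekly on Sundays at midnight
    - cron: '0 0 * * 0'

# Least-privilege default for GITHUB_TOKEN. Jobs that need more (CodeQL needs
# security-events: write) declare their own `permissions:` block, which
# replaces this default for that job.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  # NPM audit for known vulnerabilities
  npm-audit:
    name: NPM Audit
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          # Quoted so the version is read as a string, not a number
          node-version: "22"
          cache: "npm"

      - name: Install dependencies
        run: npm ci

      - name: Run npm audit
        run: |
          echo "=== Running npm audit ==="
          # Fail on high and critical vulnerabilities
          npm audit --audit-level=high || {
            echo ""
            echo "WARNING: Vulnerabilities found. Review and fix or document exceptions."
            echo "Run 'npm audit' locally for details."
            exit 1
          }

  # Dependency review for PRs
  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    # This job requires the dependency graph to be enabled in repo settings
    # Make it non-blocking until that's configured
    continue-on-error: true
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high
          # Optionally restrict newly added dependencies to an allow-list of licenses
          # allow-licenses: MIT, Apache-2.0

  # CodeQL analysis for code security
  codeql:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    permissions:
      # Required to upload SARIF results to code scanning
      security-events: write
      actions: read
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
          queries: security-extended

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:javascript-typescript"

  # Secret scanning (check for accidentally committed secrets)
  secrets-scan:
    name: Secret Scanning
    runs-on: ubuntu-latest
    # Make non-blocking - review findings manually
    # Can be made blocking once allowlist is configured
    continue-on-error: true
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Full history: gitleaks detect scans commits, not only the working tree
          fetch-depth: 0

      - name: Install gitleaks
        # The release archive is downloaded without integrity verification.
        # TODO(review): verify it against the checksum published with the
        # release before extracting, e.g.
        #   echo "<EXPECTED_SHA256 from the v8.18.1 release> gitleaks_8.18.1_linux_x64.tar.gz" | sha256sum -c -
        run: |
          wget -q https://github.com/gitleaks/gitleaks/releases/download/v8.18.1/gitleaks_8.18.1_linux_x64.tar.gz
          tar -xzf gitleaks_8.18.1_linux_x64.tar.gz
          chmod +x gitleaks

      - name: Run gitleaks
        # --redact keeps matched secret values out of the job log
        run: |
          ./gitleaks detect --source . --verbose --redact --config .gitleaks.toml || {
            echo ""
            echo "WARNING: Potential secrets detected in codebase."
            echo "Review the findings above and remove or rotate any exposed secrets."
            exit 1
          }

  # License compliance check
  license-check:
    name: License Compliance
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "22"
          cache: "npm"

      - name: Install dependencies
        run: npm ci

      - name: Check licenses
        # NOTE(review): `npx license-checker` resolves the tool from the registry at
        # run time if it is not a declared dependency; declaring it in devDependencies
        # (or pinning `license-checker@<version>`) keeps the lockfile in control.
        run: |
          echo "=== Checking dependency licenses ==="
          npx license-checker --production --summary || true

          # Check for problematic licenses
          echo ""
          echo "Checking for restricted licenses..."
          # license-checker exits non-zero when a dependency's license is outside
          # --onlyAllow. Capture the status instead of discarding it so that a
          # disallowed license is actually reported (previously only UNKNOWN lines
          # were surfaced). The step stays non-blocking, as before.
          RC=0
          RESTRICTED=$(npx license-checker --production --onlyAllow "MIT;Apache-2.0;ISC;BSD-2-Clause;BSD-3-Clause;0BSD;CC0-1.0;Unlicense;Python-2.0;BlueOak-1.0.0;CC-BY-4.0" 2>&1) || RC=$?
          if [ "$RC" -ne 0 ]; then
            echo "WARNING: Some packages use licenses outside the allow-list"
            echo "$RESTRICTED" | head -20
          fi
          if echo "$RESTRICTED" | grep -q "UNKNOWN"; then
            echo "WARNING: Some packages have unknown licenses"
            echo "$RESTRICTED" | grep "UNKNOWN" | head -20
          fi
          echo "License check complete"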