Skip to content
πŸ”’ Security Analysis

Bump Microsoft.EntityFrameworkCore.InMemory and Microsoft.NET.Test.Sdk #81

Sign in to view logs

Bump Microsoft.EntityFrameworkCore.InMemory and Microsoft.NET.Test.Sdk

Bump Microsoft.EntityFrameworkCore.InMemory and Microsoft.NET.Test.Sdk #81

Workflow file for this run

.github/workflows/security.yml at c5333f5
name: "πŸ”’ Security Analysis"
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
schedule:
# Run weekly security scans
- cron: '0 6 * * 1' # Every Monday at 6 AM UTC
permissions:
actions: read
contents: read
security-events: write
jobs:
analyze:
name: Analyze Code
runs-on: ubuntu-latest
timeout-minutes: 360
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: [ 'csharp' ]
steps:
- name: πŸ”„ Checkout repository
uses: actions/checkout@v5
- name: βš™οΈ Setup .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: '8.0.x'
- name: πŸ”§ Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
# Override default queries with security-focused queries
queries: security-extended,security-and-quality
- name: πŸ—οΈ Restore dependencies
run: dotnet restore
- name: πŸ”¨ Build solution
run: dotnet build --no-restore --configuration Release
- name: πŸ” Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
dependency-review:
name: Dependency Review
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- name: πŸ”„ Checkout Repository
uses: actions/checkout@v5
- name: πŸ” Dependency Review
uses: actions/dependency-review-action@v4
with:
# Fail on high/critical vulnerabilities
fail-on-severity: high
# Allow licenses (add more as needed)
allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC
security-hardening:
name: Security Hardening Check
runs-on: ubuntu-latest
steps:
- name: πŸ”„ Checkout Repository
uses: actions/checkout@v5
- name: πŸ”’ Run Hardening Checklist
run: |
echo "πŸ” Checking for common security issues..."
# Check for hardcoded secrets patterns
if grep -r -E "(password|secret|key|token)\s*=\s*['\"][^'\"]*['\"]" src/ tests/ --include="*.cs" --include="*.json" --exclude-dir=bin --exclude-dir=obj; then
echo "⚠️ Warning: Potential hardcoded secrets found"
exit 1
fi
# Check for SQL injection patterns
if grep -r -E "String\.Format|string\.Format" src/ --include="*.cs" | grep -E "(SELECT|INSERT|UPDATE|DELETE)"; then
echo "⚠️ Warning: Potential SQL injection vulnerability"
exit 1
fi
# Check for insecure random number generation
if grep -r -E "new Random\(\)" src/ --include="*.cs"; then
echo "⚠️ Warning: Insecure random number generation found"
exit 1
fi
# Check for file path traversal vulnerabilities
if grep -r -E "Path\.Combine.*\.\." src/ --include="*.cs"; then
echo "⚠️ Warning: Potential path traversal vulnerability"
exit 1
fi
echo "βœ… Security hardening checks passed"
license-check:
name: License Compliance
runs-on: ubuntu-latest
steps:
- name: πŸ”„ Checkout Repository
uses: actions/checkout@v5
- name: βš™οΈ Setup .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: '8.0.x'
- name: πŸ” Check License Compliance
run: |
echo "πŸ“ Analyzing package licenses..."
dotnet restore
# List all package references and their versions
echo "πŸ“¦ Project Dependencies:"
find . -name "*.csproj" -exec dotnet list {} package \;
# Note: For production use, consider using tools like:
# - dotnet-project-licenses
# - license-checker
# - FOSSA CLI
echo "ℹ️ Manual license review required for compliance verification"