feat(vcli-go): complete strategic audit report - Scenario B recommended #347
| name: Dependency Security Alerts | ||
| # This workflow monitors for critical vulnerabilities (CVSS >= 9.0) | ||
| # and triggers immediate alerts | ||
| on: | ||
| # Run on every push to main (after merges) | ||
| push: | ||
| branches: | ||
| - main | ||
| paths: | ||
| - '**/requirements*.txt' | ||
| - '**/requirements*.lock' | ||
| # Also run on schedule (twice daily) | ||
| schedule: | ||
| - cron: '0 */12 * * *' # Every 12 hours | ||
| # Allow manual trigger | ||
| workflow_dispatch: | ||
| permissions: | ||
| contents: read | ||
| issues: write | ||
| jobs: | ||
| critical-scan: | ||
| name: Scan for Critical Vulnerabilities | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| - name: Setup Python | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: '3.11' | ||
| - name: Install safety and pip-audit | ||
| run: | | ||
| pip install --upgrade pip | ||
| pip install safety pip-audit | ||
| - name: Scan for CRITICAL vulnerabilities (CVSS >= 9.0) | ||
| id: critical-scan | ||
| working-directory: backend/services/active_immune_core | ||
| continue-on-error: true | ||
| run: | | ||
| # Run safety scan | ||
| SAFETY_OUTPUT=$(mktemp) | ||
| safety check --file requirements.txt.lock --output json > "$SAFETY_OUTPUT" 2>&1 || true | ||
| # Parse for CVSS >= 9.0 | ||
| CRITICAL_CVES=$(python3 <<'EOF' | ||
| import json | ||
| import sys | ||
| try: | ||
| with open("$SAFETY_OUTPUT", "r") as f: | ||
| # Safety JSON format varies, handle gracefully | ||
| content = f.read() | ||
| if "vulnerabilities" in content: | ||
| data = json.loads(content) | ||
| critical = [] | ||
| for vuln in data.get("vulnerabilities", []): | ||
| cvss = vuln.get("cvss", 0.0) | ||
| if cvss >= 9.0: | ||
| critical.append({ | ||
| "cve": vuln.get("cve", "UNKNOWN"), | ||
| "package": vuln.get("package", "UNKNOWN"), | ||
| "cvss": cvss | ||
| }) | ||
| if critical: | ||
| print(json.dumps(critical, indent=2)) | ||
| sys.exit(1) | ||
| except: | ||
| pass | ||
| sys.exit(0) | ||
| EOF | ||
| ) | ||
| if [ $? -eq 1 ]; then | ||
| echo "critical=true" >> $GITHUB_OUTPUT | ||
| echo "$CRITICAL_CVES" > /tmp/critical_cves.json | ||
| echo "⚠️ CRITICAL vulnerabilities detected!" | ||
| else | ||
| echo "critical=false" >> $GITHUB_OUTPUT | ||
| echo "✅ No critical vulnerabilities" | ||
| fi | ||
| - name: Create CRITICAL alert issue | ||
| if: steps.critical-scan.outputs.critical == 'true' | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| CRITICAL_DATA=$(cat /tmp/critical_cves.json || echo "[]") | ||
| gh issue create \ | ||
| --title "🔴 CRITICAL: CVSS >= 9.0 Vulnerability Detected" \ | ||
| --body "## 🚨 CRITICAL SECURITY ALERT | ||
| **Date**: $(date -u '+%Y-%m-%d %H:%M:%S UTC') | ||
| **Service**: Active Immune Core | ||
| **Severity**: CRITICAL (CVSS >= 9.0) | ||
| **Workflow**: [View Run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) | ||
| ## Vulnerabilities Detected | ||
| \`\`\`json | ||
| $CRITICAL_DATA | ||
| \`\`\` | ||
| ## 🔥 IMMEDIATE ACTION REQUIRED (24h SLA) | ||
| Follow the Emergency Response Protocol: | ||
| ### Hour 0-2: CONTAINMENT | ||
| - [ ] Code freeze on main branch | ||
| - [ ] Create incident channel: \`#incident-cve-$(date +%Y-%m-%d)\` | ||
| - [ ] Assess blast radius | ||
| - [ ] Decision: HOTFIX, ROLLBACK, or WORKAROUND | ||
| ### Hour 2-4: REMEDIATION | ||
| - [ ] Create hotfix branch | ||
| - [ ] Update affected packages | ||
| - [ ] Regenerate lock file | ||
| - [ ] Deploy to staging | ||
| ### Hour 4-6: VALIDATION | ||
| - [ ] Re-scan for CVE (confirm fix) | ||
| - [ ] Run integration tests | ||
| - [ ] Get Tech Lead + Security approval | ||
| ### Hour 6-8: DEPLOYMENT | ||
| - [ ] Phased rollout (canary → 50% → 100%) | ||
| - [ ] Monitor error rates | ||
| - [ ] Update incident log | ||
| ## References | ||
| - [DEPENDENCY_EMERGENCY_RUNBOOK.md](../blob/main/backend/services/active_immune_core/DEPENDENCY_EMERGENCY_RUNBOOK.md) | ||
| - [DEPENDENCY_POLICY.md § Emergency Response](../blob/main/backend/services/active_immune_core/DEPENDENCY_POLICY.md#emergency-response-protocol) | ||
| --- | ||
| **CRITICAL ALERT** - Auto-generated by Dependency Security Alerts workflow | ||
| **Assigned to**: @security-team @tech-lead" \ | ||
| --label "security,dependencies,critical,P0" \ | ||
| --assignee security-team,tech-lead | ||
| - name: Notify on Slack/PagerDuty (if configured) | ||
| if: steps.critical-scan.outputs.critical == 'true' | ||
| run: | | ||
| echo "🔔 Send notification to Slack/PagerDuty here" | ||
| echo "Integration: curl -X POST $SLACK_WEBHOOK ..." | ||
| # Add actual notification integration when Slack/PagerDuty is configured | ||
| summary: | ||
| name: Alert Summary | ||
| runs-on: ubuntu-latest | ||
| needs: [critical-scan] | ||
| if: always() | ||
| steps: | ||
| - name: Post summary | ||
| run: | | ||
| if [ "${{ needs.critical-scan.result }}" == "success" ]; then | ||
| echo "✅ No critical vulnerabilities detected" | ||
| else | ||
| echo "⚠️ Critical vulnerability scan completed with alerts" | ||
| echo "Security team has been notified" | ||
| fi | ||
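Review bot: The Python heredoc in the critical-scan step is quoted (`<<'EOF'`), so the `"$SAFETY_OUTPUT"` inside the `open()` call is never expanded by the shell and Python tries to open a file literally named `$SAFETY_OUTPUT`; that error is swallowed by the bare `except: pass`, the script falls through to `sys.exit(0)`, and the step writes `critical=false` on every run regardless of what safety reported, so this alert pipeline fails open. Keep the heredoc quoted (that is what stops the shell from rewriting the Python) and hand the path over through the environment instead: `export SAFETY_OUTPUT`, `import os`, and `with open(os.environ["SAFETY_OUTPUT"], "r") as f:`. Replace `except: pass` with `except (OSError, ValueError) as e: print(e, file=sys.stderr); sys.exit(2)` and treat exit code 2 as a failed scan in the shell `if`, so a missing file or unparseable JSON can no longer masquerade as a clean result (whether safety's JSON exposes a top-level `cvss` number per entry should also be confirmed against the tool's actual output). The `summary` job tests `needs.critical-scan.result == 'success'`, but that result stays `success` when criticals are found (the scan step has `continue-on-error: true` and the issue step then succeeds), so it prints "No critical vulnerabilities detected" exactly when an alert issue was just opened; gate on the step's `critical` output exposed via a job-level `outputs:` mapping instead. `pip-audit` is installed in the setup step but never invoked.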