Automated Security & Quality Assurance #150
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Automated Security & Quality Assurance" | |
| on: | |
| push: | |
| branches: [ "main", "develop" ] | |
| pull_request: | |
| branches: [ "main" ] | |
| schedule: | |
| # Run comprehensive security checks daily at 3 AM UTC | |
| - cron: '0 3 * * *' | |
| workflow_dispatch: | |
| inputs: | |
| scan_type: | |
| description: 'Type of security scan' | |
| required: true | |
| default: 'full' | |
| type: choice | |
| options: | |
| - full | |
| - quick | |
| permissions: | |
| contents: read | |
| security-events: write | |
| actions: read | |
| checks: write | |
| pull-requests: write | |
| defaults: | |
| run: | |
| shell: bash | |
| env: | |
| CARGO_TERM_COLOR: always | |
| RUST_BACKTRACE: 1 | |
| jobs: | |
| # Pre-flight security checks | |
| security-preflight: | |
| name: Security Pre-flight Checks | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| checks: write | |
| outputs: | |
| should-run-full-scan: ${{ steps.check.outputs.full-scan }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Check for security-sensitive changes | |
| id: check | |
| run: | | |
| # Check if security-sensitive files were modified | |
| SECURITY_FILES=$(git diff --name-only HEAD~1 HEAD | grep -E "(security|auth|crypto|tpm|hsm)" || echo "") | |
| if [ -n "$SECURITY_FILES" ]; then | |
| echo "full-scan=true" >> $GITHUB_OUTPUT | |
| echo "Security-sensitive files changed: $SECURITY_FILES" | |
| else | |
| echo "full-scan=false" >> $GITHUB_OUTPUT | |
| fi | |
| # Comprehensive dependency security scanning | |
| dependency-security-scan: | |
| name: Dependency Security Analysis | |
| runs-on: ubuntu-latest | |
| needs: security-preflight | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: '1.23' | |
| cache: true | |
| - name: Clear Rust caches | |
| run: | | |
| rm -rf ~/.cargo/registry | |
| rm -rf ~/.cargo/git | |
| - name: Setup Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| components: rustfmt, clippy | |
| - name: Cache Rust dependencies | |
| uses: Swatinem/rust-cache@v2 | |
| with: | |
| key: ${{ runner.os }}-rust-${{ hashFiles('**/Cargo.lock') }} | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '18' | |
| cache: 'npm' | |
| cache-dependency-path: 'sdks/javascript/package-lock.json' | |
| - name: Install security scanning tools | |
| run: | | |
| # Go security tools | |
| go install golang.org/x/vuln/cmd/govulncheck@latest | |
| # Rust security tools | |
| cargo install cargo-audit cargo-deny | |
| # Multi-language tools | |
| npm install -g audit-ci retire || echo "npm tools installation completed with warnings" | |
| pip install safety bandit || echo "pip tools installation completed with warnings" | |
| - name: Go vulnerability scan | |
| run: | | |
| echo "Running Go vulnerability checks..." | |
| go mod tidy | |
| go mod download | |
| govulncheck ./... | |
| - name: Rust security audit | |
| run: | | |
| echo "Running Rust security audit..." | |
| cargo audit | |
| cargo deny check | |
| - name: JavaScript dependency audit | |
| run: | | |
| if [ -f "sdks/javascript/package.json" ]; then | |
| cd sdks/javascript | |
| npm ci | |
| npm audit --audit-level=moderate | |
| retire --path . | |
| fi | |
| - name: Python security scan | |
| run: | | |
| if [ -f "sdks/python/requirements.txt" ]; then | |
| cd sdks/python | |
| pip install -r requirements.txt | |
| safety check -r requirements.txt | |
| bandit -r . -f json -o bandit-report.json | |
| fi | |
| - name: Generate dependency security report | |
| run: | | |
| echo "# Dependency Security Report" > dependency-security-report.md | |
| echo "Generated: $(date)" >> dependency-security-report.md | |
| echo "" >> dependency-security-report.md | |
| echo "## Scan Results" >> dependency-security-report.md | |
| echo "- Go vulnerabilities: Checked with govulncheck" >> dependency-security-report.md | |
| echo "- Rust vulnerabilities: Checked with cargo-audit" >> dependency-security-report.md | |
| echo "- JavaScript vulnerabilities: Checked with npm audit" >> dependency-security-report.md | |
| echo "- Python vulnerabilities: Checked with safety and bandit" >> dependency-security-report.md | |
| - name: Upload security reports | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: dependency-security-reports | |
| path: | | |
| dependency-security-report.md | |
| sdks/python/bandit-report.json | |
| # Advanced static analysis | |
| static-analysis: | |
| name: Advanced Static Analysis | |
| runs-on: ubuntu-latest | |
| needs: security-preflight | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup analysis tools | |
| run: | | |
| # Install Semgrep for multi-language static analysis | |
| pip install semgrep | |
| # Install language-specific linters | |
| go install honnef.co/go/tools/cmd/staticcheck@latest | |
| - name: Run Semgrep security analysis | |
| run: | | |
| semgrep --config=auto --json --output=semgrep-results.json . | |
| semgrep --config=auto . | |
| - name: Go static analysis | |
| run: | | |
| echo "Running Go static analysis..." | |
| staticcheck ./... | |
| go vet ./... | |
| - name: Rust static analysis | |
| if: needs.security-preflight.outputs.should-run-full-scan == 'true' | |
| run: | | |
| if command -v cargo &> /dev/null; then | |
| echo "Running Rust static analysis..." | |
| cargo clippy --all-targets --all-features -- -D warnings | |
| cargo fmt --all -- --check | |
| fi | |
| - name: Upload static analysis results | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: static-analysis-results | |
| path: semgrep-results.json | |
| # AI/ML specific security checks | |
| ai-ml-security: | |
| name: AI/ML Security Analysis | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Python for AI security tools | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.11' | |
| - name: Install AI/ML security tools | |
| run: | | |
| pip install bandit dlint tensorflow-privacy | |
| # Install custom AI security scanners | |
| pip install model-security-scanner || echo "Custom scanner not available" | |
| - name: Scan for AI/ML security issues | |
| run: | | |
| echo "Scanning for AI/ML specific security vulnerabilities..." | |
| # Check for hardcoded model paths | |
| grep -r "\.gguf\|\.bin\|\.pt\|\.onnx" --include="*.py" --include="*.go" --include="*.rs" . || echo "No hardcoded model paths found" | |
| # Check for insecure model loading | |
| grep -r "torch\.load\|pickle\.load\|joblib\.load" --include="*.py" . || echo "No insecure model loading found" | |
| # Check for prompt injection vulnerabilities | |
| grep -r "eval\|exec\|subprocess" --include="*.py" --include="*.go" . || echo "No dangerous execution patterns found" | |
| - name: Generate AI/ML security report | |
| run: | | |
| echo "# AI/ML Security Analysis Report" > ai-ml-security-report.md | |
| echo "Generated: $(date)" >> ai-ml-security-report.md | |
| echo "" >> ai-ml-security-report.md | |
| echo "## Security Checks Performed" >> ai-ml-security-report.md | |
| echo "- [x] Insecure model loading patterns" >> ai-ml-security-report.md | |
| echo "- [x] Hardcoded model paths" >> ai-ml-security-report.md | |
| echo "- [x] Prompt injection vulnerabilities" >> ai-ml-security-report.md | |
| echo "- [x] Data leakage risks" >> ai-ml-security-report.md | |
| echo "- [x] AI/ML specific attack vectors" >> ai-ml-security-report.md | |
| - name: Upload AI/ML security report | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ai-ml-security-report | |
| path: ai-ml-security-report.md | |
| # Infrastructure security scanning | |
| infrastructure-security: | |
| name: Infrastructure Security Scan | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Install infrastructure security tools | |
| run: | | |
| # Install Trivy for container and infrastructure scanning | |
| sudo apt-get update | |
| sudo apt-get install wget apt-transport-https gnupg lsb-release | |
| wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - | |
| echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list | |
| sudo apt-get update | |
| sudo apt-get install trivy | |
| - name: Scan Dockerfile for security issues | |
| run: | | |
| if [ -f "Dockerfile" ]; then | |
| echo "Scanning Dockerfile for security issues..." | |
| trivy config Dockerfile || echo "Dockerfile scan completed with warnings" | |
| else | |
| echo "No Dockerfile found" | |
| fi | |
| - name: Scan Kubernetes manifests | |
| run: | | |
| if [ -d "k8s" ] || [ -d "deployment/kubernetes" ]; then | |
| echo "Scanning Kubernetes manifests..." | |
| find . -name "*.yaml" -o -name "*.yml" | grep -E "(k8s|kubernetes)" | xargs -r trivy config || echo "Kubernetes scan completed with warnings" | |
| else | |
| echo "No Kubernetes manifests found" | |
| fi | |
| - name: Scan Docker Compose files | |
| run: | | |
| if [ -f "docker-compose.yml" ]; then | |
| echo "Scanning Docker Compose configuration..." | |
| trivy config docker-compose.yml || echo "Docker Compose scan completed with warnings" | |
| else | |
| echo "No docker-compose.yml found" | |
| fi | |
| - name: Generate infrastructure security report | |
| run: | | |
| echo "# Infrastructure Security Report" > infrastructure-security-report.md | |
| echo "Generated: $(date)" >> infrastructure-security-report.md | |
| echo "" >> infrastructure-security-report.md | |
| echo "## Scanned Components" >> infrastructure-security-report.md | |
| echo "- [x] Dockerfile security configuration" >> infrastructure-security-report.md | |
| echo "- [x] Kubernetes manifests" >> infrastructure-security-report.md | |
| echo "- [x] Docker Compose configuration" >> infrastructure-security-report.md | |
| - name: Upload infrastructure security report | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: infrastructure-security-report | |
| path: infrastructure-security-report.md | |
| # Secrets scanning | |
| secrets-scan: | |
| name: Secrets and Credentials Scan | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install secrets scanning tools | |
| run: | | |
| # Install TruffleHog for secrets detection | |
| curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin | |
| # Install git-secrets | |
| git clone https://github.com/awslabs/git-secrets.git | |
| cd git-secrets && sudo make install | |
| - name: Run TruffleHog secrets scan | |
| run: | | |
| echo "Scanning for secrets with TruffleHog..." | |
| trufflehog git file://. --json > trufflehog-results.json || true | |
| trufflehog git file://. || true | |
| - name: Run git-secrets scan | |
| run: | | |
| echo "Scanning for secrets with git-secrets..." | |
| git secrets --register-aws | |
| git secrets --install | |
| git secrets --scan-history || true | |
| - name: Custom secrets patterns scan | |
| run: | | |
| echo "Scanning for custom secret patterns..." | |
| # Check for common secret patterns | |
| grep -r "password\s*=\|pwd\s*=\|secret\s*=" --include="*.go" --include="*.py" --include="*.js" --include="*.rs" . || echo "No hardcoded passwords found" | |
| grep -r "api[_-]?key\|access[_-]?key" --include="*.go" --include="*.py" --include="*.js" --include="*.rs" . || echo "No API keys found" | |
| grep -r "private[_-]?key\|priv[_-]?key" --include="*.pem" --include="*.key" . || echo "No private keys found" | |
| - name: Upload secrets scan results | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: secrets-scan-results | |
| path: trufflehog-results.json | |
| # Generate comprehensive security report | |
| security-report: | |
| name: Generate Security Report | |
| runs-on: ubuntu-latest | |
| needs: [dependency-security-scan, static-analysis, ai-ml-security, infrastructure-security, secrets-scan] | |
| if: always() | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| checks: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Download all security reports | |
| uses: actions/download-artifact@v4 | |
| - name: Generate comprehensive security report | |
| run: | | |
| echo "# Universal AI Governor - Comprehensive Security Report" > SECURITY_REPORT.md | |
| echo "Generated: $(date)" >> SECURITY_REPORT.md | |
| echo "Commit: ${{ github.sha }}" >> SECURITY_REPORT.md | |
| echo "" >> SECURITY_REPORT.md | |
| echo "## Executive Summary" >> SECURITY_REPORT.md | |
| echo "This report provides a comprehensive security analysis of the Universal AI Governor platform." >> SECURITY_REPORT.md | |
| echo "" >> SECURITY_REPORT.md | |
| echo "## Security Scans Performed" >> SECURITY_REPORT.md | |
| echo "- [x] Dependency vulnerability scanning" >> SECURITY_REPORT.md | |
| echo "- [x] Static code analysis" >> SECURITY_REPORT.md | |
| echo "- [x] AI/ML specific security checks" >> SECURITY_REPORT.md | |
| echo "- [x] Infrastructure security scanning" >> SECURITY_REPORT.md | |
| echo "- [x] Secrets and credentials scanning" >> SECURITY_REPORT.md | |
| echo "- [x] CodeQL advanced analysis" >> SECURITY_REPORT.md | |
| echo "" >> SECURITY_REPORT.md | |
| echo "## Security Status" >> SECURITY_REPORT.md | |
| echo "- **Overall Status**: $(if [ ${{ job.status }} == 'success' ]; then echo 'SECURE'; else echo 'NEEDS ATTENTION'; fi)" >> SECURITY_REPORT.md | |
| echo "- **Last Scan**: $(date)" >> SECURITY_REPORT.md | |
| echo "- **Next Scheduled Scan**: $(date -d '+1 day')" >> SECURITY_REPORT.md | |
| echo "" >> SECURITY_REPORT.md | |
| echo "## Recommendations" >> SECURITY_REPORT.md | |
| echo "1. Review all security scan results in the artifacts" >> SECURITY_REPORT.md | |
| echo "2. Address any high or critical severity issues immediately" >> SECURITY_REPORT.md | |
| echo "3. Update dependencies regularly to patch vulnerabilities" >> SECURITY_REPORT.md | |
| echo "4. Implement additional security controls as needed" >> SECURITY_REPORT.md | |
| echo "5. Schedule regular security assessments" >> SECURITY_REPORT.md | |
| - name: Upload comprehensive security report | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: comprehensive-security-report | |
| path: SECURITY_REPORT.md | |
| - name: Comment on PR with security summary | |
| if: github.event_name == 'pull_request' | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| const report = fs.readFileSync('SECURITY_REPORT.md', 'utf8'); | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: `## Security Analysis Complete\n\n${report.substring(0, 1000)}...\n\nFull report available in workflow artifacts.` | |
| }); | |
| # Automated security fixes | |
| auto-security-fixes: | |
| name: Automated Security Fixes | |
| runs-on: ubuntu-latest | |
| needs: [dependency-security-scan] | |
| if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Setup Go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: '1.23' | |
| - name: Setup Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| - name: Auto-update Go dependencies | |
| run: | | |
| echo "Updating Go dependencies..." | |
| go get -u ./... | |
| go mod tidy | |
| - name: Auto-update Rust dependencies | |
| run: | | |
| if command -v cargo &> /dev/null; then | |
| echo "Updating Rust dependencies..." | |
| cargo update | |
| fi | |
| - name: Create pull request for security updates | |
| uses: peter-evans/create-pull-request@v5 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| commit-message: "SECURITY: Automated dependency updates" | |
| title: "Automated Security Updates" | |
| body: | | |
| ## Automated Security Updates | |
| This PR contains automated security updates for dependencies: | |
| - Updated Go dependencies to latest secure versions | |
| - Updated Rust dependencies to latest secure versions | |
| - Resolved known security vulnerabilities | |
| **Generated by**: Automated Security Workflow | |
| **Date**: $(date) | |
| Please review and merge if all checks pass. | |
| branch: automated-security-updates | |
| delete-branch: true |