Merge branch 'main' into renovate/reviewdog-action-gitleaks-1.x

Author: kzndotsh

.github/workflows/ci.yml

@@ -117,7 +117,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Validate
-        uses: reviewdog/action-actionlint@v1.66.1
+        uses: reviewdog/action-actionlint@v1.67.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           level: ${{ env.REVIEWDOG_LEVEL }}
@@ -144,6 +144,7 @@ jobs:
           filter_mode: ${{ env.REVIEWDOG_FILTER_MODE }}
           fail_level: ${{ env.REVIEWDOG_FAIL_LEVEL }}
           hadolint_ignore: DL3008 DL3009 DL3007
+          hadolint_flags: '--format json'
   yaml:
     name: YAML
     runs-on: ubuntu-latest

.github/workflows/docker.yml

@@ -98,17 +98,17 @@ jobs:
           echo "✅ Docker build validation for ${{ matrix.service }} completed successfully"
           echo "🔍 Build cache updated for faster future builds"
       - name: Scan Containerfile ${{ matrix.service }}
-        uses: reviewdog/action-trivy@v1
+        uses: reviewdog/action-trivy@v1.13.10
         continue-on-error: true
         with:
           github_token: ${{ github.token }}
           trivy_command: config
           trivy_target: ./${{ matrix.service == 'unrealircd-webpanel' && 'web/webpanel/Containerfile' || format('{0}/Containerfile', matrix.service) }}
-          trivy_version: v0.63.0
           level: warning
           reporter: github-pr-review
           tool_name: trivy-dockerfile-${{ matrix.service }}
           filter_mode: added
+          fail_level: none
           trivy_flags: --severity HIGH,CRITICAL
   build:
     name: Build & Push
@@ -174,17 +174,17 @@ jobs:
             BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')
       - name: Scan Final Image ${{ matrix.service }}
         if: always()
-        uses: reviewdog/action-trivy@v1
+        uses: reviewdog/action-trivy@v1.13.10
         continue-on-error: true
         with:
           github_token: ${{ github.token }}
           trivy_command: image
           trivy_target: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
-          trivy_version: v0.63.0
           level: warning
           reporter: github-pr-review
           tool_name: trivy-final-${{ matrix.service }}
           filter_mode: nofilter
+          fail_level: none
           trivy_flags: --severity HIGH,CRITICAL --exit-code 0
   cleanup:
     name: Cleanup

.github/workflows/security.yml

@@ -64,8 +64,6 @@ jobs:
         include:
           - language: actions
             build-mode: none
-          - language: yaml
-            build-mode: none
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -119,62 +117,111 @@ jobs:
           load: true
           tags: irc-atl-chat-${{ matrix.service }}:security-scan
       - name: Scan Container Image
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: 'irc-atl-chat-${{ matrix.service }}:security-scan'
-          format: 'sarif'
-          output: 'trivy-results-${{ matrix.service }}.sarif'
-          severity: 'HIGH,CRITICAL'
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: 'trivy-results-${{ matrix.service }}.sarif'
-          category: trivy-${{ matrix.service }}
-      - name: Upload Results
-        if: always()
-        uses: actions/upload-artifact@v4
+        uses: reviewdog/[email protected]
         with:
-          name: trivy-results-${{ matrix.service }}
-          path: trivy-results-${{ matrix.service }}.sarif
-          retention-days: 30
-  secrets:
-    name: Secret Detection
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          trivy_command: image
+          trivy_target: 'irc-atl-chat-${{ matrix.service }}:security-scan'
+          level: warning
+          reporter: github-pr-review
+          tool_name: trivy-${{ matrix.service }}
+          filter_mode: nofilter
+          fail_level: none
+          trivy_flags: --severity HIGH,CRITICAL --exit-code 0
+  shell:
+    name: Shell Script Security
     runs-on: ubuntu-latest
     needs: [changes]
-    if: always()
+    if: (needs.changes.outputs.shell == 'true' || github.event_name == 'workflow_dispatch')
     permissions:
       contents: read
       security-events: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      - name: Scan for Secrets
-        uses: trufflesecurity/trufflehog@main
-        with:
-          path: ./
-          base: main
-          head: HEAD
-          extra_args: --debug --only-verified
-      - name: Upload Results
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: trufflehog-results
-          path: trufflehog-results.json
-          retention-days: 30
-  dependabot:
-    name: Dependabot
-    runs-on: ubuntu-latest
-    if: github.actor == 'dependabot[bot]'
-    permissions:
-      contents: write
-      pull-requests: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Auto-merge
+      - name: Shell Script Security Analysis
         run: |
-          gh pr merge --auto --merge "$PR_URL" || echo "Auto-merge failed, manual review required"
-        env:
-          PR_URL: ${{ github.event.pull_request.html_url }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          echo "## 🔍 Shell Script Security Analysis"
+          echo ""
+          
+          # Find all shell scripts
+          SHELL_SCRIPTS=$(find . -name "*.sh" -o -name "*.bash" -o -name "*.zsh" | grep -v ".git" || echo "")
+          
+          if [ -z "$SHELL_SCRIPTS" ]; then
+            echo "No shell scripts found for analysis"
+            exit 0
+          fi
+          
+          echo "Found shell scripts:"
+          echo "$SHELL_SCRIPTS"
+          echo ""
+          
+          # Security checks for shell scripts
+          for script in $SHELL_SCRIPTS; do
+            echo "### Analyzing: $script"
+            
+            # Check for common security issues
+            echo "**Security Checks:**"
+            
+            # Check for hardcoded passwords/secrets
+            if grep -n -i "password\|secret\|key\|token" "$script" | grep -v "#.*password\|#.*secret" | grep -v "echo.*password\|echo.*secret"; then
+              echo "⚠️ Potential hardcoded credentials found"
+            else
+              echo "✅ No obvious hardcoded credentials"
+            fi
+            
+            # Check for eval usage (dangerous)
+            if grep -n "eval " "$script"; then
+              echo "⚠️ Use of 'eval' detected (security risk)"
+            else
+              echo "✅ No 'eval' usage found"
+            fi
+            
+            # Check for unquoted variables
+            if grep -n "\$[a-zA-Z_][a-zA-Z0-9_]*[^\"' ]" "$script" | grep -v "echo\|printf\|test"; then
+              echo "⚠️ Potentially unquoted variables found"
+            else
+              echo "✅ Variables appear properly quoted"
+            fi
+            
+            # Check for rm -rf patterns
+            if grep -n "rm.*-rf" "$script"; then
+              echo "⚠️ 'rm -rf' usage detected (verify paths are safe)"
+            else
+              echo "✅ No dangerous rm patterns"
+            fi
+            
+            # Check for curl/wget without SSL verification
+            if grep -n "curl.*-k\|wget.*--no-check-certificate" "$script"; then
+              echo "⚠️ SSL verification disabled in network requests"
+            else
+              echo "✅ SSL verification appears enabled"
+            fi
+            
+            echo ""
+          done
+          {
+            echo "## 🛡️ Additional Security Analysis"
+            echo ""
+            
+            # Check for dangerous file permissions
+            echo "**File Permission Analysis:**"
+            DANGEROUS_PERMS=$(find . -type f -perm /o+w -not -path "./.git/*" 2>/dev/null || echo "")
+            if [ -n "$DANGEROUS_PERMS" ]; then
+              echo "⚠️ World-writable files found:"
+              echo "$DANGEROUS_PERMS"
+            else
+              echo "✅ No world-writable files found"
+            fi
+            
+            # Check for suid/sgid files
+            SUID_FILES=$(find . -type f \( -perm -4000 -o -perm -2000 \) -not -path "./.git/*" 2>/dev/null || echo "")
+            if [ -n "$SUID_FILES" ]; then
+              echo "⚠️ SUID/SGID files found:"
+              echo "$SUID_FILES"
+            else
+              echo "✅ No SUID/SGID files found"
+            fi
+            
+            echo ""
+          } >> "$GITHUB_STEP_SUMMARY"