Security Scan #21
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Scan | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| branches: [ main ] | |
| schedule: | |
| # Run weekly on Sundays at 2 AM UTC | |
| - cron: '0 2 * * 0' | |
| jobs: | |
| security-scan: | |
| name: Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # Fetch full history for comprehensive scanning | |
| - name: Scan for secrets | |
| uses: trufflesecurity/trufflehog@main | |
| with: | |
| path: ./ | |
| extra_args: --only-verified | |
| - name: Check for sensitive patterns | |
| run: | | |
| echo "Scanning for sensitive patterns..." | |
| # Set flags for findings | |
| FOUND_ISSUES=false | |
| # Check for hardcoded paths that might be sensitive | |
| if grep -r "/Users/[^/]*/.*" . --exclude-dir=.git --exclude="*.md" --exclude-dir=.github 2>/dev/null; then | |
| echo "⚠️ Found potential hardcoded user paths (review for sensitivity)" | |
| FOUND_ISSUES=true | |
| fi | |
| # Check for potential credentials or API keys | |
| PATTERNS=( | |
| "password[[:space:]]*=" | |
| "api[[:space:]]*key[[:space:]]*=" | |
| "secret[[:space:]]*=" | |
| "token[[:space:]]*=" | |
| "auth[[:space:]]*=" | |
| ) | |
| for pattern in "${PATTERNS[@]}"; do | |
| if grep -ri "$pattern" . --exclude-dir=.git --exclude-dir=.github --exclude="*.yml" 2>/dev/null; then | |
| echo "⚠️ Found potential credential pattern: $pattern" | |
| FOUND_ISSUES=true | |
| fi | |
| done | |
| if [[ "$FOUND_ISSUES" == "false" ]]; then | |
| echo "✅ No sensitive patterns detected" | |
| else | |
| echo "ℹ️ Manual review recommended for flagged patterns" | |
| fi | |
| permissions-check: | |
| name: Check File Permissions | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Check executable permissions | |
| run: | | |
| echo "Checking file permissions..." | |
| # Scripts should be executable | |
| for script in wp-symlinks scripts/*.sh; do | |
| if [[ -f "$script" ]]; then | |
| if [[ ! -x "$script" ]]; then | |
| echo "❌ Script not executable: $script" | |
| exit 1 | |
| else | |
| echo "✅ $script is executable" | |
| fi | |
| fi | |
| done | |
| # Config files should not be executable | |
| for config in *.json *.md; do | |
| if [[ -f "$config" && -x "$config" ]]; then | |
| echo "⚠️ Config file is executable (should not be): $config" | |
| fi | |
| done |