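name: Security Policy

on: [push, pull_request]

# Least privilege for GITHUB_TOKEN: the job only reads the checkout and
# never writes to contents, PRs, packages or checks.
permissions:
  contents: read

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      # TODO(review): pin to a full commit SHA (actions/checkout@<sha>) so a
      # moved or replaced tag cannot change what runs in this job.
      - uses: actions/checkout@v6
      - name: Security checks
        # An explicit `bash` shell runs with `-eo pipefail`; the `|| true` on
        # each grep pipeline keeps "no match" (grep exit 1) from aborting the
        # step, so only the explicit `exit 1` below fails the job.
        shell: bash
        run: |
          FAILED=false

          # Lines from the repository (possibly an untrusted PR) are echoed
          # below. Stop workflow-command processing first so a crafted line
          # cannot issue `::error`/`::add-mask`-style commands via the log.
          STOP_TOKEN=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
          echo "::stop-commands::${STOP_TOKEN}"

          # Warn (do not fail) on MD5/SHA1; both are legitimate for
          # checksums and cache keys, which the filter below drops.
          # Limitations: only call syntax like `hashlib.md5(` is matched
          # (not createHash('md5') or Digest::MD5), and the filter drops
          # any path or line containing "test" (e.g. "latest").
          WEAK_CRYPTO=$(grep -rE 'md5\(|sha1\(' --exclude-dir=.git --include="*.py" --include="*.rb" --include="*.js" --include="*.ts" --include="*.go" --include="*.rs" . 2>/dev/null | grep -v 'checksum\|cache\|test\|spec' | head -5 || true)
          if [ -n "$WEAK_CRYPTO" ]; then
            echo "⚠️ Weak crypto (MD5/SHA1) detected. Use SHA256+ for security:"
            echo "$WEAK_CRYPTO"
          fi

          # Warn on plaintext (non-TLS) URLs, except loopback addresses.
          # The previous pattern matched TLS URLs instead (it started with
          # the secure scheme and then tried to exclude "loc" by character
          # class), so plaintext URLs were never reported. This workflow's
          # own grep line is excluded by the `localhost` filter on it.
          HTTP_URLS=$(grep -rE 'http://' --exclude-dir=.git --include="*.py" --include="*.js" --include="*.ts" --include="*.go" --include="*.rs" --include="*.yaml" --include="*.yml" . 2>/dev/null | grep -v 'localhost\|127.0.0.1\|example\|test\|spec' | head -5 || true)
          if [ -n "$HTTP_URLS" ]; then
            echo "⚠️ HTTP URLs found. Use HTTPS:"
            echo "$HTTP_URLS"
          fi

          # Fail on hardcoded secrets. `'\''` yields a literal single quote
          # inside the single-quoted pattern; the previous `\x27` is not an
          # ERE escape, so single-quoted secrets were silently missed.
          # `-n` records line numbers so locations can be reported without
          # echoing the matched values into the log.
          SECRETS=$(grep -rEin '(api_key|apikey|secret_key|password)\s*[=:]\s*["'\''][A-Za-z0-9+/=]{20,}' --exclude-dir=.git --include="*.py" --include="*.js" --include="*.ts" --include="*.go" --include="*.rs" --include="*.env" . 2>/dev/null | grep -v 'example\|sample\|test\|mock\|placeholder' | head -3 || true)
          if [ -n "$SECRETS" ]; then
            echo "❌ Potential hardcoded secrets detected!"
            # file:line only — never print the matched secret value.
            echo "$SECRETS" | cut -d: -f1,2
            FAILED=true
          fi

          # Re-enable workflow commands before the step ends.
          echo "::${STOP_TOKEN}::"

          if [ "$FAILED" = true ]; then
            exit 1
          fi
          echo "✅ Security policy check passed"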