release: v2.7.254 agents + super-assistant honesty pass - page banner… #590
| name: Vibeship Security Scan | |
| on: | |
| push: | |
| branches: [main, develop] | |
| pull_request: | |
| branches: [main, develop] | |
| workflow_dispatch: | |
| inputs: | |
| full_scan: | |
| description: 'Run full deep scan' | |
| required: false | |
| default: 'false' | |
| type: boolean | |
| concurrency: | |
| group: security-${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| vibeship-scan: | |
| name: Vibeship Security Scanner | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: Install Scanner Dependencies | |
| run: | | |
| pip install semgrep trivy-python gitleaks | |
| - name: Install Semgrep | |
| run: | | |
| pip install semgrep | |
| - name: Install Trivy | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| format: 'json' | |
| output: 'trivy-results.json' | |
| severity: 'CRITICAL,HIGH,MEDIUM' | |
| - name: Run Vibeship Scanner | |
| working-directory: tools/security/vibeship-scanner | |
| run: | | |
| python scanner/scan.py --repo "${{ github.workspace }}" --output ../../../scan-results.json | |
| continue-on-error: true | |
| - name: Run Semgrep with Vibeship Rules | |
| uses: returntocorp/semgrep-action@v1 | |
| with: | |
| config: tools/security/vibeship-scanner/scanner/rules | |
| continue-on-error: true | |
| - name: Upload Scan Results | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: security-scan-results | |
| path: | | |
| scan-results.json | |
| trivy-results.json | |
| retention-days: 30 | |
| - name: Parse and Comment Results | |
| if: github.event_name == 'pull_request' | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| let scanResults = { findings: [] }; | |
| try { | |
| scanResults = JSON.parse(fs.readFileSync('scan-results.json', 'utf8')); | |
| } catch (e) { | |
| console.log('No scan results found'); | |
| } | |
| const critical = scanResults.findings?.filter(f => f.severity === 'critical') || []; | |
| const high = scanResults.findings?.filter(f => f.severity === 'high') || []; | |
| if (critical.length > 0 || high.length > 0) { | |
| const body = `## 🔒 Vibeship Security Scan Results | |
| | Severity | Count | | |
| |----------|-------| | |
| | 🔴 Critical | ${critical.length} | | |
| | 🟠 High | ${high.length} | | |
| ${critical.length > 0 ? `### Critical Issues\n${critical.slice(0, 5).map(f => `- **${f.rule_id}**: ${f.message} (${f.file}:${f.line})`).join('\n')}` : ''} | |
| ${high.length > 0 ? `### High Issues\n${high.slice(0, 5).map(f => `- **${f.rule_id}**: ${f.message} (${f.file}:${f.line})`).join('\n')}` : ''} | |
| 📊 Full results available in workflow artifacts. | |
| `; | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: body | |
| }); | |
| } | |
| dependency-scan: | |
| name: Dependency Vulnerability Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: pnpm/action-setup@v4 | |
| with: | |
| version: 9 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| cache: 'pnpm' | |
| - run: pnpm install --frozen-lockfile | |
| - name: PNPM Audit | |
| run: pnpm audit --json > pnpm-audit.json || true | |
| - name: Upload Audit Results | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: dependency-audit | |
| path: pnpm-audit.json | |
| retention-days: 30 | |
| secret-scan: | |
| name: Secret Detection | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Gitleaks Scan | |
| uses: gitleaks/gitleaks-action@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| continue-on-error: true | |
| - name: TruffleHog Scan | |
| uses: trufflesecurity/trufflehog@main | |
| with: | |
| path: ./ | |
| base: ${{ github.event.repository.default_branch }} | |
| head: HEAD | |
| continue-on-error: true |
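Review bot: The `Parse and Comment Results` step calls `github.rest.issues.createComment`, but the job's `permissions` block grants only `contents: read` and `security-events: write`, so with the default GITHUB_TOKEN that call should be rejected as "Resource not accessible by integration" on every pull request; add `pull-requests: write` to that block, and drop `security-events: write` unless a SARIF upload is added, since nothing in the job uses it. The createComment call is also not awaited, so a rejection surfaces as an unhandled promise rather than a visible step failure; write `await github.rest.issues.createComment({ ... })`. Separately, `aquasecurity/trivy-action@master` and `trufflesecurity/trufflehog@main` track mutable branches, so the scanner code that runs against the checkout can change between runs without any change in this repository — pin both to a release tag or, better, a full commit SHA. The `Install Scanner Dependencies` step runs `pip install semgrep trivy-python gitleaks` with no version pins; trivy and gitleaks ship as Go binaries rather than PyPI packages, so unless those PyPI names were vetted by the project this step either fails or installs whatever is published under them, and the next step repeats `pip install semgrep` in any case. Every scanner step sets `continue-on-error: true` and the audit step ends in `|| true`, so no finding ever fails the job; if the scans are meant to be advisory only, a one-line comment above `jobs:` saying so would stop readers from assuming this workflow gates merges.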