gemini-flow/.github/workflows/security.yml at ddedf5e28d640ca06aef3a9d36bd4a0dc58aaada · clduab11/gemini-flow · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
name: Security Scanning

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main, develop ]
  schedule:
    - cron: '0 6 * * 1' # Weekly on Monday at 6 AM UTC
  workflow_dispatch:

env:
  NODE_VERSION: '20'

concurrency:
  group: security-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  dependency-check:
    name: Dependency Security Scan
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Setup Node.js
      uses: actions/setup-node@v4
      with:
        node-version: ${{ env.NODE_VERSION }}
        cache: 'npm'

    - name: Install dependencies
      run: npm ci

    - name: Run npm audit
      run: |
        echo "Running comprehensive npm audit..."

        # Basic audit for all levels
        npm audit --audit-level=moderate || echo "⚠️ Moderate vulnerabilities found"

        # Get detailed audit information
        npm audit --json > audit-results.json 2>/dev/null || echo "Could not generate JSON audit"

        # Check for high severity vulnerabilities
        if command -v jq >/dev/null 2>&1; then
          HIGH_VULNS=$(cat audit-results.json | jq '.metadata.vulnerabilities.high // 0' 2>/dev/null || echo "0")
          CRITICAL_VULNS=$(cat audit-results.json | jq '.metadata.vulnerabilities.critical // 0' 2>/dev/null || echo "0")
        else
          # Fallback method without jq
          HIGH_VULNS=$(npm audit --audit-level=high --json 2>/dev/null | grep -o '"high":[0-9]*' | cut -d: -f2 || echo "0")
          CRITICAL_VULNS=$(npm audit --audit-level=critical --json 2>/dev/null | grep -o '"critical":[0-9]*' | cut -d: -f2 || echo "0")
        fi

        echo "High severity vulnerabilities: $HIGH_VULNS"
        echo "Critical severity vulnerabilities: $CRITICAL_VULNS"

        # Create summary
        echo "## Security Audit Summary" > audit-summary.md
        echo "- High severity vulnerabilities: $HIGH_VULNS" >> audit-summary.md
        echo "- Critical severity vulnerabilities: $CRITICAL_VULNS" >> audit-summary.md
        echo "- Audit date: $(date)" >> audit-summary.md

        if [ "$CRITICAL_VULNS" != "0" ] && [ "$CRITICAL_VULNS" -gt 0 ] 2>/dev/null; then
          echo "❌ Critical vulnerabilities found!"
          npm audit --audit-level=critical || true
          exit 1
        elif [ "$HIGH_VULNS" != "0" ] && [ "$HIGH_VULNS" -gt 0 ] 2>/dev/null; then
          echo "⚠️ High severity vulnerabilities found!"
          npm audit --audit-level=high || true
          # Don't fail on high severity, but warn
        else
          echo "✅ No critical or high severity vulnerabilities found"
        fi

    - name: Upload audit results
      uses: actions/upload-artifact@v4
      if: always()
      with:
        name: security-audit-results
        path: |
          audit-results.json
          audit-summary.md
        retention-days: 30

    - name: Run dependency vulnerability scan
      uses: actions/dependency-review-action@v4
      if: github.event_name == 'pull_request'
      with:
        fail-on-severity: high
        allow-licenses: MIT, Apache-2.0, BSD-3-Clause, BSD-2-Clause, ISC, GPL-3.0

  codeql-analysis:
    name: CodeQL Security Analysis
    runs-on: ubuntu-latest

    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: [ 'typescript' ]

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
        languages: ${{ matrix.language }}
        queries: security-extended,security-and-quality

    - name: Setup Node.js
      uses: actions/setup-node@v4
      with:
        node-version: ${{ env.NODE_VERSION }}
        cache: 'npm'

    - name: Install dependencies
      run: npm ci

    - name: Build project
      run: npm run build

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v3
      with:
        category: "/language:${{matrix.language}}"

  secrets-scan:
    name: Secrets Detection
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v4
      with:
        fetch-depth: 0

    - name: Run TruffleHog OSS
      uses: trufflesecurity/trufflehog@main
      with:
        path: ./
        base: ${{ github.event.repository.default_branch }}
        head: HEAD
        extra_args: --debug --only-verified

  license-scan:
    name: License Compliance
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Setup Node.js
      uses: actions/setup-node@v4
      with:
        node-version: ${{ env.NODE_VERSION }}
        cache: 'npm'

    - name: Install dependencies
      run: npm ci

    - name: Install license checker
      run: npm install -g license-checker

    - name: Check licenses
      run: |
        echo "Checking licenses..."
        license-checker --onlyAllow 'MIT;Apache-2.0;BSD-3-Clause;BSD-2-Clause;ISC;GPL-3.0;Unlicense;CC0-1.0' --excludePrivatePackages > licenses.txt

        echo "License summary:"
        cat licenses.txt

    - name: Upload license report
      uses: actions/upload-artifact@v4
      with:
        name: license-report
        path: licenses.txt
        retention-days: 30

  security-summary:
    name: Security Summary
    runs-on: ubuntu-latest
    needs: [dependency-check, codeql-analysis, secrets-scan, license-scan]
    if: always()

    steps:
    - name: Security Report Summary
      run: |
        echo "## 🔒 Security Scan Summary" >> $GITHUB_STEP_SUMMARY
        echo "" >> $GITHUB_STEP_SUMMARY
        echo "| Check | Status |" >> $GITHUB_STEP_SUMMARY
        echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY
        echo "| Dependency Scan | ${{ needs.dependency-check.result }} |" >> $GITHUB_STEP_SUMMARY
        echo "| CodeQL Analysis | ${{ needs.codeql-analysis.result }} |" >> $GITHUB_STEP_SUMMARY
        echo "| Secrets Detection | ${{ needs.secrets-scan.result }} |" >> $GITHUB_STEP_SUMMARY
        echo "| License Compliance | ${{ needs.license-scan.result }} |" >> $GITHUB_STEP_SUMMARY
        echo "" >> $GITHUB_STEP_SUMMARY

        if [[ "${{ needs.dependency-check.result }}" == "failure" || "${{ needs.codeql-analysis.result }}" == "failure" || "${{ needs.secrets-scan.result }}" == "failure" ]]; then
          echo "❌ Security scan failed! Please review the issues above." >> $GITHUB_STEP_SUMMARY
          exit 1
        else
          echo "✅ All security scans passed!" >> $GITHUB_STEP_SUMMARY
        fi