Add Matt Williams and AI Automators references to comparison doc #2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Secret Scanning | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - master | |
| - develop | |
| pull_request: | |
| branches: | |
| - main | |
| - master | |
| - develop | |
| jobs: | |
| secret-scan: | |
| runs-on: ubuntu-latest | |
| name: Scan for secrets | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # Full history for comprehensive scanning | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: Install detect-secrets | |
| run: | | |
| pip install detect-secrets | |
| - name: Scan current codebase against baseline | |
| run: | | |
| echo "🔍 Scanning current codebase..." | |
| detect-secrets scan --baseline .secrets.baseline | |
| - name: Scan git history for leaked secrets | |
| run: | | |
| echo "🔍 Scanning git history (last 100 commits)..." | |
| git log -p -100 | detect-secrets scan --baseline .secrets.baseline | |
| - name: Report results | |
| if: failure() | |
| run: | | |
| echo "❌ Secrets detected! Please review the output above." | |
| echo "If these are false positives, update .secrets.baseline:" | |
| echo " detect-secrets scan --baseline .secrets.baseline" | |
| exit 1 | |
| prompt-injection-check: | |
| name: Prompt Injection Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v3 | |
| - name: Install dependencies | |
| run: uv sync | |
| - name: Run prompt injection detection | |
| run: | | |
| shopt -s globstar nullglob | |
| if [ ! -f .prompt_injections.baseline ]; then | |
| echo "📋 Creating baseline for first time..." | |
| uv run python .security/check_prompt_injections.py --update-baseline \ | |
| src/**/*.py tests/**/*.py \ | |
| strategic-searches.yaml .github/workflows/*.yml .github/workflows/*.yaml \ | |
| pyproject.toml | |
| else | |
| echo "📋 Using existing baseline..." | |
| uv run python .security/check_prompt_injections.py --baseline \ | |
| src/**/*.py tests/**/*.py \ | |
| strategic-searches.yaml .github/workflows/*.yml .github/workflows/*.yaml \ | |
| pyproject.toml | |
| fi | |
| - name: Report results | |
| if: failure() | |
| run: | | |
| echo "❌ NEW prompt injection patterns detected!" | |
| echo "Review the findings above, then:" | |
| echo " If LEGITIMATE: update baseline locally and push:" | |
| echo " uv run python .security/check_prompt_injections.py --update-baseline src/**/*.py tests/**/*.py strategic-searches.yaml" | |
| echo " git add .prompt_injections.baseline" | |
| echo " git commit -m 'Update prompt injection baseline'" | |
| echo " If MALICIOUS: remove the offending code before committing" | |
| exit 1 |