fix: skip proxy server startup when port 8081 is already in use #22
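name: Security Scanning
on:
  push:
    branches: [ main, master, develop ]
  pull_request:
    branches: [ main, master, develop ]
# Least privilege for GITHUB_TOKEN: the scanning jobs only read the checkout,
# so the workflow should not inherit whatever write scopes the repository
# default grants. This sets the default for every job; a job may still
# declare its own `permissions` block explicitly.
permissions:
  contents: read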
| jobs: | |
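secret-scan:
  name: Detect Secrets
  runs-on: ubuntu-latest
  # Least privilege: this job only reads the checkout; no write scope is needed.
  permissions:
    contents: read
  steps:
    - name: Checkout code
      # NOTE(review): `@v4` is a mutable tag; pinning to a full commit SHA
      # protects against a compromised or retargeted release tag.
      uses: actions/checkout@v4
      with:
        fetch-depth: 0 # Full history is required by the git-history scan below
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
        python-version: '3.11'
    - name: Install detect-secrets
      # NOTE(review): an unpinned install takes whatever version PyPI serves at
      # run time; pin (detect-secrets==X.Y.Z) once a version has been agreed.
      run: |
        pip install detect-secrets
    - name: Fail on secrets not in the baseline
      # `detect-secrets scan --baseline FILE` is not a gate: it rewrites FILE in
      # place and exits 0 whether or not new secrets were found. The gate is
      # `detect-secrets-hook`, which exits non-zero for any finding absent from
      # the baseline. Without a committed baseline every finding counts as new,
      # so the job still fails closed instead of silently passing.
      run: |
        BASELINE_ARGS=""
        if [ -f .secrets.baseline ]; then
          BASELINE_ARGS="--baseline .secrets.baseline"
        else
          echo "::warning::.secrets.baseline not found; every finding is treated as new. Create it with: detect-secrets scan > .secrets.baseline"
        fi
        # -z/-0 keeps filenames with spaces intact; xargs exits non-zero if any batch fails.
        git ls-files -z | xargs -0 detect-secrets-hook $BASELINE_ARGS \
          --exclude-files 'configs/.*\.json' \
          --exclude-files '\.md$' \
          --exclude-files 'package-lock\.json' \
          --exclude-files '\.lock$'
    - name: Scan recent git history (last 100 commits across all refs)
      # Best-effort and non-blocking: history may hold secrets that were since
      # removed or are already baselined, so this reports rather than fails.
      # Unlike `... || true`, a scanner error (e.g. an unrecognised option) now
      # fails the step instead of being hidden, and the findings are surfaced
      # as a warning annotation instead of being discarded.
      # `--exclude-files` is omitted here: the only input is the patch file,
      # so file-name filters cannot apply to the paths inside it.
      run: |
        git log --all --pretty=format: -p -100 > "$RUNNER_TEMP/history.patch"
        detect-secrets scan "$RUNNER_TEMP/history.patch" > "$RUNNER_TEMP/history-findings.json"
        python - "$RUNNER_TEMP/history-findings.json" <<'EOF'
        import json
        import sys

        with open(sys.argv[1], encoding="utf-8") as fh:
            results = json.load(fh).get("results", {})
        findings = [hit for hits in results.values() for hit in hits]
        if findings:
            print(f"::warning::{len(findings)} potential secret(s) found in recent git history; "
                  "a secret that was committed must be rotated even if it is no longer in HEAD")
            for hit in findings:
                print(f"  patch line {hit.get('line_number')}: {hit.get('type')}")
        else:
            print("No secrets detected in recent git history")
        EOF
    - name: Security scan summary
      if: always()
      run: |
        echo "✅ Secret scanning complete"
        echo "The working-tree check fails this job on any secret that is not in .secrets.baseline"
        echo "To update the baseline after reviewing findings: detect-secrets scan --baseline .secrets.baseline && detect-secrets audit .secrets.baseline"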
| prompt-injection-check: | |
| name: Prompt Injection Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v3 | |
| - name: Install dependencies | |
| run: uv sync | |
| - name: Run prompt injection detection | |
| run: | | |
| echo "🔍 Scanning for prompt injection patterns..." | |
| echo "Includes detection for Unicode steganography attacks from Repello.ai article" | |
| echo "" | |
| # Create baseline if it doesn't exist, then check against it | |
| if [ ! -f .prompt_injections.baseline ]; then | |
| echo "📋 Creating baseline for first time..." | |
| uv run python .security/check_prompt_injections.py --update-baseline src/ tests/ *.md *.yml *.yaml *.json *.py | |
| else | |
| echo "📋 Using existing baseline..." | |
| uv run python .security/check_prompt_injections.py --baseline src/ tests/ *.yml *.yaml *.json *.py | |
| fi |