fix: true pagination, correct field names, and prompt accuracy #4
| name: Secret Scanning | |
| on: | |
| push: | |
| branches: [ main, master, develop ] | |
| pull_request: | |
| branches: [ main, master, develop ] | |
| jobs: | |
| secret-scan: | |
| name: Detect Secrets | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # Full history for comprehensive scanning | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: Install detect-secrets | |
| run: | | |
| pip install detect-secrets | |
| - name: Run detect-secrets scan | |
| run: | | |
| detect-secrets scan \ | |
| --exclude-files 'configs/.*\.json' \ | |
| --exclude-files '\.md$' \ | |
| --exclude-files 'package-lock\.json' \ | |
| --exclude-files '\.lock$' \ | |
| --baseline .secrets.baseline | |
| - name: Check for secrets in git history (last 100 commits) | |
| run: | | |
| # Scan recent git history for accidentally committed secrets | |
| git log --all --pretty=format: -p -100 | \ | |
| detect-secrets scan --stdin \ | |
| --exclude-files 'configs/.*\.json' \ | |
| --exclude-files '\.md$' || true | |
| - name: Security scan summary | |
| if: always() | |
| run: | | |
| echo "✅ Secret scanning complete" | |
| echo "If secrets were detected, the job will fail above" | |
| echo "To update baseline: detect-secrets scan --baseline .secrets.baseline" | |
| prompt-injection-check: | |
| name: Prompt Injection Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v3 | |
| - name: Install dependencies | |
| run: uv sync | |
| - name: Run prompt injection detection (baseline mode) | |
| run: | | |
| echo "Scanning for NEW prompt injection patterns (baseline mode)..." | |
| # Run our custom prompt injection scanner with baseline | |
| if uv run python .security/check_prompt_injections.py --baseline src/ tests/ *.md *.yml *.yaml *.json; then | |
| echo "✅ No NEW prompt injection patterns detected" | |
| echo " (Known findings are tracked in .prompt_injections.baseline)" | |
| else | |
| echo "❌ NEW prompt injection patterns found!" | |
| echo "" | |
| echo "These patterns may indicate attempts to:" | |
| echo "- Override system instructions (ignore previous instructions)" | |
| echo "- Extract sensitive prompts (show me your instructions)" | |
| echo "- Change AI behavior (you are now a different AI)" | |
| echo "- Manipulate PTAB data (extract all IPR trial numbers)" | |
| echo "- Bypass USPTO API restrictions (bypass PTAB API limits)" | |
| echo "- Hide malicious content (Unicode steganography)" | |
| echo "" | |
| echo "Please review the flagged content to ensure it is not malicious." | |
| echo "" | |
| echo "If these are legitimate patterns (test cases, documentation):" | |
| echo " 1. Verify they are not malicious" | |
| echo " 2. Run: uv run python .security/check_prompt_injections.py --update-baseline src/ tests/ *.md" | |
| echo " 3. Commit the updated .prompt_injections.baseline file" | |
| exit 1 | |
| fi |
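Review bot: The `detect-secrets scan ... --baseline .secrets.baseline` step does not fail the job on new findings, as far as I know: `scan --baseline` rewrites the baseline file in place and exits 0, so the summary's "the job will fail above" is not true and a newly committed secret passes CI unseen. The form that exits non-zero on secrets absent from the baseline is the hook entry point, `detect-secrets-hook --baseline .secrets.baseline $(git ls-files)`, with the same `--exclude-files` patterns. The git-history step is best-effort only because of `|| true`, and its `--exclude-files` patterns presumably have no filename to match when input comes from `--stdin`; if the step is meant to be informational, a comment saying so on that step would avoid a false sense of coverage. Separately, the `--update-baseline` command echoed in the prompt-injection job passes `src/ tests/ *.md` while the check scans `src/ tests/ *.md *.yml *.yaml *.json`, so following the printed instructions leaves yml/yaml/json findings out of the baseline and the check keeps failing; the two file lists should match. `pip install detect-secrets` is also unpinned, unlike the actions, so scan results can drift between runs; pinning a version keeps the scan reproducible.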