Workflow YAML Fixes #67
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security & Compliance | |
| # Comprehensive security scanning with configurable strictness levels | |
| permissions: | |
| contents: read | |
| security-events: write | |
| actions: read | |
| packages: read | |
| issues: write # For auto-issue creation | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main ] | |
| schedule: | |
| - cron: '0 2 * * 0' # Weekly on Sunday at 2 AM UTC | |
| workflow_dispatch: | |
| inputs: | |
| security_level: | |
| description: 'Security check strictness' | |
| required: false | |
| default: 'standard' | |
| type: choice | |
| options: | |
| - minimal | |
| - standard | |
| - strict | |
| create_issue_on_failure: | |
| description: 'Create GitHub issue if security checks fail' | |
| required: false | |
| default: true | |
| type: boolean | |
| concurrency: | |
| group: security-${{ github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| CARGO_TERM_COLOR: always | |
| jobs: | |
| # Dependency and vulnerability scanning | |
| vulnerability-scan: | |
| name: Vulnerability & Dependency Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 | |
| - name: Setup Rust | |
| uses: ./.github/actions/setup-rust | |
| with: | |
| toolchain: stable | |
| - name: Setup Cache | |
| uses: ./.github/actions/setup-cache | |
| with: | |
| cache-key-suffix: security | |
| - name: Install security tools | |
| run: | | |
| cargo install cargo-audit cargo-deny cargo-license | |
| - name: Run cargo audit | |
| run: | | |
| echo "## 🔍 Vulnerability Scan Results" >> $GITHUB_STEP_SUMMARY | |
| cargo audit --format json | tee audit-results.json | |
| if [ $? -eq 0 ]; then | |
| echo "✅ No known vulnerabilities found" >> $GITHUB_STEP_SUMMARY | |
| else | |
| echo "⚠️ Vulnerabilities detected - see details below" >> $GITHUB_STEP_SUMMARY | |
| fi | |
| - name: Run cargo deny | |
| run: | | |
| cargo deny check | tee deny-results.txt || echo "cargo-deny found issues" | |
| cargo deny check advisories | |
| cargo deny check licenses | |
| cargo deny check bans | |
| cargo deny check sources | |
| - name: License compliance check | |
| run: | | |
| cargo license --json > licenses.json | |
| echo "## 📄 License Report" >> $GITHUB_STEP_SUMMARY | |
| if grep -q "GPL" licenses.json; then | |
| echo "::warning::GPL licensed dependencies found" | |
| echo "⚠️ GPL dependencies detected - review for compliance" >> $GITHUB_STEP_SUMMARY | |
| else | |
| echo "✅ No GPL licenses found" >> $GITHUB_STEP_SUMMARY | |
| fi | |
| - name: Upload vulnerability reports | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 | |
| with: | |
| name: vulnerability-reports | |
| path: | | |
| audit-results.json | |
| deny-results.json | |
| licenses.json | |
| # Code security analysis with configurable strictness | |
| code-security: | |
| name: Code Security Analysis | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 | |
| - name: Setup Rust | |
| uses: ./.github/actions/setup-rust | |
| with: | |
| toolchain: stable | |
| components: clippy | |
| - name: Setup Cache | |
| uses: ./.github/actions/setup-cache | |
| - name: Security-focused clippy | |
| run: | | |
| # Security-focused lints only - no code style enforcement | |
| cargo clippy --all-targets --all-features -- \ | |
| -W clippy::suspicious \ | |
| -W clippy::correctness \ | |
| -D clippy::unwrap_used \ | |
| -D clippy::expect_used \ | |
| -D clippy::panic \ | |
| -D clippy::unimplemented \ | |
| -D clippy::todo \ | |
| -A clippy::wildcard_imports \ | |
| -A clippy::unused_async \ | |
| -A clippy::missing_errors_doc \ | |
| -A clippy::unnecessary_wraps \ | |
| -A clippy::module_name_repetitions \ | |
| -A clippy::doc_markdown \ | |
| -A clippy::must_use_candidate \ | |
| -A clippy::missing_const_for_fn \ | |
| -A clippy::cast_possible_wrap \ | |
| -A clippy::cast_lossless \ | |
| -A clippy::match_same_arms \ | |
| -A clippy::uninlined_format_args \ | |
| -A clippy::unnested_or_patterns \ | |
| 2>&1 | tee clippy-security.log | |
| - name: Enhanced security checks (if strict mode) | |
| if: inputs.security_level == 'strict' | |
| run: | | |
| echo "Running enhanced security analysis..." | |
| # Additional strict checks for production | |
| cargo clippy --all-targets --all-features -- \ | |
| -D clippy::dbg_macro \ | |
| -D clippy::print_stdout \ | |
| -D clippy::print_stderr \ | |
| -W clippy::indexing_slicing \ | |
| 2>&1 | tee -a clippy-security.log | |
| - name: Upload security analysis | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 | |
| with: | |
| name: code-security-analysis | |
| path: clippy-security.log | |
| # Secrets detection | |
| secrets-scan: | |
| name: Secrets Detection | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 | |
| - name: Scan for secrets with Gitleaks | |
| uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITLEAKS_CONFIG: .gitleaks.toml | |
| continue-on-error: true | |
| id: gitleaks | |
| - name: Fallback secret scanning (if Gitleaks fails) | |
| if: steps.gitleaks.outcome == 'failure' | |
| run: | | |
| echo "⚠️ Gitleaks failed, running fallback secret detection..." | |
| # Enhanced pattern matching for critical secrets | |
| SECRET_PATTERNS="sk-[a-zA-Z0-9]{32,}|api[_-]?key|secret[_-]?key|password|token" | |
| echo "🔍 Scanning for potential secrets..." | |
| if grep -r -E "$SECRET_PATTERNS" --include="*.rs" --include="*.toml" --include="*.yml" --include="*.json" . \ | |
| | grep -v ".git" \ | |
| | grep -v "/test" \ | |
| | grep -v "_test" \ | |
| | grep -v "/tests/" \ | |
| | grep -v "example" \ | |
| | grep -v "demo" \ | |
| | head -10; then | |
| echo "⚠️ Potential secrets detected - requires manual review" | |
| echo "This is a fallback scan - please investigate findings manually" | |
| else | |
| echo "✅ No obvious secrets detected in fallback scan" | |
| fi | |
| - name: TruffleHog OSS scan | |
| uses: trufflesecurity/trufflehog@ad6fc8fb446b8fafbf7ea8193d2d6bfd42f45690 | |
| with: | |
| path: ./ | |
| extra_args: --debug --only-verified --no-verification | |
| continue-on-error: true | |
| id: trufflehog | |
| - name: Fallback secret scanning (if TruffleHog fails) | |
| if: steps.trufflehog.outcome == 'failure' | |
| run: | | |
| echo "⚠️ TruffleHog failed, running fallback secret detection..." | |
| # Enhanced pattern matching for critical secrets | |
| SECRET_PATTERNS="sk-[a-zA-Z0-9]{32,}|api[_-]?key|secret[_-]?key|password|token" | |
| echo "🔍 Scanning for potential secrets..." | |
| if grep -r -E "$SECRET_PATTERNS" --include="*.rs" --include="*.toml" --include="*.yml" --include="*.json" . \ | |
| | grep -v ".git" \ | |
| | grep -v "/test" \ | |
| | grep -v "_test" \ | |
| | grep -v "/tests/" \ | |
| | grep -v "example" \ | |
| | grep -v "demo" \ | |
| | head -10; then | |
| echo "⚠️ Potential secrets detected - requires manual review" | |
| echo "This is a fallback scan - please investigate findings manually" | |
| else | |
| echo "✅ No obvious secrets detected in fallback scan" | |
| fi | |
| # Security report compilation and issue creation | |
| security-summary: | |
| name: Security Summary & Reporting | |
| runs-on: ubuntu-latest | |
| needs: [vulnerability-scan, code-security, secrets-scan] | |
| if: always() | |
| steps: | |
| - name: Download all reports | |
| uses: actions/download-artifact@v4 | |
| - name: Compile security summary | |
| run: | | |
| echo "## 🛡️ Security & Compliance Report" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "### Job Results" >> $GITHUB_STEP_SUMMARY | |
| # Check each job result | |
| if [[ "${{ needs.vulnerability-scan.result }}" == "success" ]]; then | |
| echo "✅ Vulnerability Scan: PASSED" >> $GITHUB_STEP_SUMMARY | |
| else | |
| echo "❌ Vulnerability Scan: FAILED" >> $GITHUB_STEP_SUMMARY | |
| fi | |
| if [[ "${{ needs.code-security.result }}" == "success" ]]; then | |
| echo "✅ Code Security: PASSED" >> $GITHUB_STEP_SUMMARY | |
| else | |
| echo "❌ Code Security: FAILED" >> $GITHUB_STEP_SUMMARY | |
| fi | |
| if [[ "${{ needs.secrets-scan.result }}" == "success" ]]; then | |
| echo "✅ Secrets Scan: PASSED" >> $GITHUB_STEP_SUMMARY | |
| else | |
| echo "❌ Secrets Scan: FAILED" >> $GITHUB_STEP_SUMMARY | |
| fi | |
| - name: Create security incident issue | |
| if: | | |
| (failure() || needs.vulnerability-scan.result == 'failure' || | |
| needs.code-security.result == 'failure' || needs.secrets-scan.result == 'failure') | |
| && inputs.create_issue_on_failure == true | |
| uses: actions/github-script@00f12e3e20659f42342b1c0226afda7f7c042325 | |
| with: | |
| script: | | |
| const title = `Security Check Failed - ${new Date().toISOString().split('T')[0]}`; | |
| const body = `## 🚨 Security Incident Report | |
| **Workflow Run:** [#${{ github.run_number }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) | |
| **Branch:** ${{ github.ref_name }} | |
| **Commit:** ${{ github.sha }} | |
| ### Failed Checks | |
| - Vulnerability Scan: ${{ needs.vulnerability-scan.result }} | |
| - Code Security: ${{ needs.code-security.result }} | |
| - Secrets Scan: ${{ needs.secrets-scan.result }} | |
| ### Next Steps | |
| 1. Review the workflow run details and artifacts | |
| 2. Address identified security issues | |
| 3. Re-run security checks after fixes | |
| 4. Close this issue once resolved | |
| ### Security Thresholds | |
| - Critical/High vulnerabilities: 0 allowed | |
| - Exposed secrets: 0 allowed | |
| - Security-related clippy errors: 0 allowed | |
| --- | |
| *This issue was auto-generated by the security workflow.*`; | |
| await github.rest.issues.create({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| title: title, | |
| body: body, | |
| labels: ['security', 'incident', 'automated'] | |
| }); |