🔒 Security Audit #55
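---
# Security audit workflow: dependency vulnerabilities (npm audit), license
# compliance (license-checker), static analysis (CodeQL), verified-secret
# detection (TruffleHog), a heuristic grep for risky JS patterns, and a final
# summary job that aggregates the results of the other five jobs.
#
# Supply-chain note: this workflow is itself a trust anchor for the repository.
# The actions/* and github/* steps below are pinned to major tags; the
# TruffleHog step still floats on `@main` and should be pinned to a release tag
# or full commit SHA (TODO, see the step comment).
name: 🔒 Security Audit

on:
  schedule:
    # Run security audit daily at 2 AM UTC
    - cron: '0 2 * * *'
  push:
    branches: [master, main]
  pull_request:
    branches: [master, main]
  workflow_dispatch:

# Least privilege for the GITHUB_TOKEN: read-only checkout, plus
# security-events:write so CodeQL can upload SARIF results and actions:read
# which the CodeQL action needs to read workflow metadata.
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  dependency-audit:
    name: 🔍 Dependency Security Audit
    runs-on: ubuntu-latest
    steps:
      - name: 📥 Checkout Repository
        uses: actions/checkout@v4

      - name: 🟢 Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20.x'
          cache: 'npm'

      - name: 📦 Install Dependencies
        run: npm ci

      - name: 🔒 NPM Security Audit
        run: |
          echo "🔒 Running comprehensive security audit..."
          # Capture the machine-readable report. npm audit exits non-zero when
          # it finds anything, so do not let that abort the step here; the
          # pass/fail decision is made below from the parsed counts.
          npm audit --audit-level=low --json > audit-report.json || true
          # Human-readable view for the job log
          echo "📊 Security Audit Results:"
          npm audit --audit-level=low || true
          # If npm failed before producing JSON (registry/network error), the
          # jq lookups below would yield empty strings and the -gt tests would
          # error out into the "no findings" branch. Fail loudly instead.
          if ! jq -e . audit-report.json > /dev/null; then
            echo "❌ audit-report.json is not valid JSON; the audit did not run correctly"
            exit 1
          fi
          # Only high/critical findings fail the job; lower severities are
          # reported in the log and artifact for review.
          HIGH_VULNS=$(jq -r '.metadata.vulnerabilities.high // 0' audit-report.json)
          CRITICAL_VULNS=$(jq -r '.metadata.vulnerabilities.critical // 0' audit-report.json)
          echo "🔢 High vulnerabilities: $HIGH_VULNS"
          echo "🔢 Critical vulnerabilities: $CRITICAL_VULNS"
          if [ "$HIGH_VULNS" -gt 0 ] || [ "$CRITICAL_VULNS" -gt 0 ]; then
            echo "❌ High or critical vulnerabilities found!"
            exit 1
          else
            echo "✅ No high or critical vulnerabilities found"
          fi

      - name: 📋 Upload Audit Report
        uses: actions/upload-artifact@v4
        # Upload even when the audit step failed: the report is most useful then.
        if: always()
        with:
          name: security-audit-report
          path: audit-report.json
          retention-days: 30

  license-check:
    name: 📜 License Compliance Check
    runs-on: ubuntu-latest
    steps:
      - name: 📥 Checkout Repository
        uses: actions/checkout@v4

      - name: 🟢 Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20.x'
          cache: 'npm'

      - name: 📦 Install Dependencies
        run: npm ci

      - name: 📜 Check Licenses
        run: |
          echo "📜 Checking dependency licenses..."
          # Install license checker
          # TODO: pin an explicit license-checker version so a compromised or
          # breaking "latest" publish cannot silently alter this check.
          npm install -g license-checker
          # Check licenses and generate report
          license-checker --json --out licenses.json
          echo "📊 License summary:"
          license-checker --summary
          # Copyleft licenses that need legal review before being shipped.
          # This check is advisory only: a hit prints a warning but does not
          # fail the job, so the summary job reports it as PASSED.
          PROBLEMATIC_LICENSES="GPL-2.0,GPL-3.0,AGPL-1.0,AGPL-3.0,LGPL-2.0,LGPL-2.1,LGPL-3.0"
          if license-checker --failOn "$PROBLEMATIC_LICENSES" --quiet; then
            echo "✅ No problematic licenses found"
          else
            echo "⚠️ Potentially problematic licenses detected"
            echo "Please review the license report"
          fi

      - name: 📋 Upload License Report
        uses: actions/upload-artifact@v4
        with:
          name: license-report
          path: licenses.json
          retention-days: 30

  code-scanning:
    name: 🔎 Code Security Analysis
    runs-on: ubuntu-latest
    steps:
      - name: 📥 Checkout Repository
        uses: actions/checkout@v4

      - name: 🔍 Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript

      # JavaScript is extracted directly by CodeQL (no build step), but the
      # dependencies are installed so the analysis can resolve imports.
      - name: 📦 Install Dependencies
        run: npm ci

      - name: 🔍 Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:javascript"

  secrets-scan:
    name: 🕵️ Secrets Detection
    runs-on: ubuntu-latest
    steps:
      - name: 📥 Checkout Repository
        uses: actions/checkout@v4
        with:
          # Full history so leaked credentials in old commits are found too.
          fetch-depth: 0

      - name: 🕵️ Run TruffleHog
        # TODO: pin to a release tag or full commit SHA; a floating branch ref
        # means whatever lands on upstream main runs with this repo's token.
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          # base/head are deliberately omitted so the whole checked-out history
          # is scanned on every trigger. A fixed `base: master` is absent on
          # `main`-only repositories and resolves to the same commit as HEAD on
          # push and schedule runs, which gives the scanner nothing to diff.
          extra_args: --debug --only-verified

  malware-scan:
    name: 🦠 Malware Detection
    runs-on: ubuntu-latest
    steps:
      - name: 📥 Checkout Repository
        uses: actions/checkout@v4

      - name: 🦠 Scan for Malware
        # Heuristic, advisory grep: findings are printed for a human to review
        # and do not fail the job.
        run: |
          echo "🦠 Scanning for potential malware patterns..."
          # Check for suspicious patterns
          echo "🔍 Checking for suspicious file patterns..."
          # Look for potentially dangerous functions.
          # -I skips binary files, -n gives line numbers for triage.
          # .github is excluded because this workflow file itself contains the
          # search terms and would otherwise trip the check on every run.
          if grep -rIn "eval\|Function\|setTimeout.*string\|setInterval.*string" . \
              --exclude-dir=node_modules --exclude-dir=.git --exclude-dir=.github; then
            echo "⚠️ Found potentially dangerous function usage"
            echo "Please review the above findings"
          else
            echo "✅ No dangerous function patterns found"
          fi
          # Check for base64 encoded content that might be suspicious
          if grep -rIn "base64\|btoa\|atob" . \
              --exclude-dir=node_modules --exclude-dir=.git --exclude-dir=.github; then
            echo "⚠️ Found base64 encoding usage"
            echo "Please verify this is legitimate"
          else
            echo "✅ No suspicious encoding found"
          fi

  security-report:
    name: 📊 Security Summary
    runs-on: ubuntu-latest
    needs: [dependency-audit, license-check, code-scanning, secrets-scan, malware-scan]
    # Run even when upstream jobs failed so the summary reflects the failures.
    if: always()
    steps:
      - name: 📊 Generate Security Report
        # needs.*.result is one of success/failure/cancelled/skipped (set by
        # the runner, not user input), so interpolating it into the shell is
        # safe. Anything other than "success" is reported as not passed.
        run: |
          echo "# 🔒 Security Audit Summary" > security-summary.md
          echo "" >> security-summary.md
          echo "## 📅 Audit Date: $(date)" >> security-summary.md
          echo "" >> security-summary.md
          echo "## 🎯 Audit Results" >> security-summary.md
          echo "" >> security-summary.md
          # Check job results
          if [ "${{ needs.dependency-audit.result }}" == "success" ]; then
            echo "✅ **Dependency Audit**: PASSED" >> security-summary.md
          else
            echo "❌ **Dependency Audit**: FAILED" >> security-summary.md
          fi
          if [ "${{ needs.license-check.result }}" == "success" ]; then
            echo "✅ **License Check**: PASSED" >> security-summary.md
          else
            echo "⚠️ **License Check**: REVIEW NEEDED" >> security-summary.md
          fi
          if [ "${{ needs.code-scanning.result }}" == "success" ]; then
            echo "✅ **Code Scanning**: PASSED" >> security-summary.md
          else
            echo "❌ **Code Scanning**: ISSUES FOUND" >> security-summary.md
          fi
          if [ "${{ needs.secrets-scan.result }}" == "success" ]; then
            echo "✅ **Secrets Scan**: CLEAN" >> security-summary.md
          else
            echo "❌ **Secrets Scan**: SECRETS DETECTED" >> security-summary.md
          fi
          if [ "${{ needs.malware-scan.result }}" == "success" ]; then
            echo "✅ **Malware Scan**: CLEAN" >> security-summary.md
          else
            echo "⚠️ **Malware Scan**: REVIEW NEEDED" >> security-summary.md
          fi
          echo "" >> security-summary.md
          echo "---" >> security-summary.md
          echo "*Generated by GitHub Actions Security Audit*" >> security-summary.md
          cat security-summary.md
          # Also surface the summary on the run page, not only in the log.
          cat security-summary.md >> "$GITHUB_STEP_SUMMARY"

      - name: 📋 Upload Security Summary
        uses: actions/upload-artifact@v4
        with:
          name: security-summary
          path: security-summary.md
          retention-days: 90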