OpenSPP2/.github/workflows/security.yml at 25ee155a9876a64a25db7d0d89dc010c080e3b2a · OpenSPP/OpenSPP2 · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
name: Security Scanning

on:
  pull_request:
    branches: ["19.0"]
  push:
    branches: ["19.0"]
  schedule:
    # Weekly full scan: Monday at 2am UTC
    - cron: "0 2 * * 1"

permissions:
  contents: read
  actions: read
  security-events: write

jobs:
  # ===========================================================================
  # Gitleaks - Secret detection
  # ===========================================================================
  gitleaks:
    name: Secret Detection (Gitleaks)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Install Gitleaks
        run: |
          GITLEAKS_VERSION="8.21.2"
          mkdir -p "$HOME/.local/bin"
          curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
            | tar -xz -C "$HOME/.local/bin" gitleaks
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"

      - name: Run Gitleaks
        run: |
          gitleaks detect \
            --source . \
            --config .gitleaks.toml \
            --report-format sarif \
            --report-path gitleaks-results.sarif \
            --verbose

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: gitleaks-results.sarif
          category: gitleaks
        continue-on-error: true

  # ===========================================================================
  # Dependency scan - Python (pip-audit) + JavaScript (npm audit)
  # ===========================================================================
  dependency-scan:
    name: Dependency Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v6
        with:
          python-version: "3.12"

      - name: Install pip-audit
        run: pip install 'pip-audit==2.8.0'

      - name: Combine requirements files
        run: |
          # Combine all requirements files, dedup, strip VCS/URL lines
          find . -name "requirements*.txt" -not -path "*/\.*" -not -path "*/.venv/*" \
            | xargs cat \
            | sort -u \
            | grep -v "^#" \
            | grep -v "^$" \
            | grep -v "^-e " \
            > /tmp/all-requirements.txt

          # Extract Python dependencies from Odoo __manifest__.py files.
          # These declare dependencies via external_dependencies.python
          # that are not listed in requirements.txt files.
          python3 -c "
          import ast, glob
          packages = set()
          for path in glob.glob('./**/__manifest__.py', recursive=True):
              try:
                  with open(path) as f:
                      manifest = ast.literal_eval(f.read())
                  for pkg in manifest.get('external_dependencies', {}).get('python', []):
                      packages.add(pkg)
              except Exception:
                  pass
          for pkg in sorted(packages):
              print(pkg)
          " >> /tmp/all-requirements.txt || true

          # Re-dedup after adding manifest deps
          sort -u /tmp/all-requirements.txt > /tmp/all-requirements-dedup.txt
          mv /tmp/all-requirements-dedup.txt /tmp/all-requirements.txt

          # Separate VCS/URL lines and warn about them
          grep -E "^(git\+|https?://|svn\+|hg\+)" /tmp/all-requirements.txt > /tmp/vcs-lines.txt || true
          if [ -s /tmp/vcs-lines.txt ]; then
            echo "::warning::Skipping VCS/URL dependencies (cannot be audited):"
            cat /tmp/vcs-lines.txt | while read -r line; do
              echo "::warning::  $line"
            done
          fi

          # Filter out VCS/URL lines and packages with native build deps
          grep -vE "^(git\+|https?://|svn\+|hg\+)" /tmp/all-requirements.txt \
            | grep -iv "^Fiona" \
            | grep -iv "^GDAL" \
            > /tmp/clean-requirements.txt || true

          if [ -s /tmp/vcs-lines.txt ] || grep -qiE "^(Fiona|GDAL)" /tmp/all-requirements.txt; then
            echo "::warning::Fiona/GDAL excluded (require native GDAL/libgdal-dev build dependencies)"
          fi

      - name: Run pip-audit
        run: |
          pip-audit \
            -r /tmp/clean-requirements.txt \
            --format json \
            --output pip-audit-results.json \
            2>&1 || PIP_AUDIT_EXIT=$?

          # Show human-readable output
          pip-audit \
            -r /tmp/clean-requirements.txt \
            --format columns \
            2>&1 || true

          if [ "${PIP_AUDIT_EXIT:-0}" -ne 0 ]; then
            echo "::warning::pip-audit found vulnerabilities (see output above)"
          fi

      - name: Run npm audit
        if: hashFiles('**/package-lock.json') != ''
        run: |
          for lockfile in $(find . -name "package-lock.json" -not -path "*/node_modules/*"); do
            dir=$(dirname "$lockfile")
            echo "::group::npm audit: $dir"
            cd "$dir"
            npm audit --audit-level=high
            cd "$GITHUB_WORKSPACE"
            echo "::endgroup::"
          done

  # ===========================================================================
  # Semgrep - Static analysis with custom Odoo rules
  # ===========================================================================
  semgrep:
    name: Static Analysis (Semgrep)
    runs-on: ubuntu-latest
    if: github.actor != 'dependabot[bot]'
    container:
      image: returntocorp/semgrep
    steps:
      - uses: actions/checkout@v4

      - name: Run Semgrep
        run: |
          semgrep scan \
            --config p/python \
            --config p/security-audit \
            --config .semgrep/ \
            --exclude scripts/ \
            --sarif \
            --output semgrep-results.sarif \
            2>&1 || SEMGREP_EXIT=$?

          # Show human-readable output
          semgrep scan \
            --config p/python \
            --config p/security-audit \
            --config .semgrep/ \
            --exclude scripts/ \
            2>&1 || true

          exit ${SEMGREP_EXIT:-0}

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep-results.sarif
          category: semgrep
        continue-on-error: true

  # ===========================================================================
  # API Auth Audit - Verify all API endpoints require authentication
  # ===========================================================================
  api-auth-audit:
    name: API Auth Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v6
        with:
          python-version: "3.12"

      - name: Audit API endpoint authentication
        run: python scripts/audit-api-auth.py --strict

  # ===========================================================================
  # Trivy - Container image and filesystem scan (push + schedule only)
  # ===========================================================================
  trivy:
    name: Container Scan (Trivy)
    runs-on: ubuntu-latest
    if: github.event_name == 'push' || github.event_name == 'schedule'
    steps:
      - uses: actions/checkout@v4

      - name: Run Trivy filesystem scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scanners: misconfig,vuln
          severity: CRITICAL,HIGH
          trivyignores: .trivyignore.yaml
          format: sarif
          output: trivy-fs-results.sarif

      - name: Upload Trivy SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-fs-results.sarif
          category: trivy
        continue-on-error: true

      - name: Build image for scanning
        run: |
          docker build \
            -f docker/Dockerfile \
            --target runtime \
            -t openspp:scan \
            .

      - name: Run Trivy image scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: openspp:scan
          severity: CRITICAL,HIGH
          trivyignores: .trivyignore.yaml
          format: sarif
          output: trivy-image-results.sarif

      - name: Upload Trivy image SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-image-results.sarif
          category: trivy-image
        continue-on-error: true