-
Notifications
You must be signed in to change notification settings - Fork 7
144 lines (124 loc) · 4.41 KB
/
security-audit.yml
File metadata and controls
144 lines (124 loc) · 4.41 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
name: Security Audit
on:
pull_request:
paths:
- 'skills/**'
- 'tests/security_audit.py'
- '.github/workflows/security-audit.yml'
push:
branches:
- main
schedule:
# Run weekly on Mondays at 9am UTC
- cron: '0 9 * * 1'
workflow_dispatch:
# Allow manual runs
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Create audits directory
run: mkdir -p .claude/audits
- name: Run security audit
run: |
python3 tests/security_audit.py \
--output .claude/audits/security-report-ci.json \
--fail-on critical \
--verbose
continue-on-error: true
id: security_scan
- name: Upload security report
uses: actions/upload-artifact@v4
if: always()
with:
name: security-report
path: .claude/audits/security-report-ci.json
retention-days: 90
- name: Comment on PR with findings
if: github.event_name == 'pull_request' && steps.security_scan.outcome == 'failure'
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const report = JSON.parse(fs.readFileSync('.claude/audits/security-report-ci.json', 'utf8'));
const summary = report.summary;
const critical = summary.critical || 0;
const high = summary.high || 0;
if (critical > 0 || high > 0) {
const body = '## ⚠️ Security Audit Findings\n\n' +
'**Summary:**\n' +
'- 🔴 CRITICAL: ' + critical + '\n' +
'- 🟠 HIGH: ' + high + '\n' +
'- 🟡 MEDIUM: ' + (summary.medium || 0) + '\n\n' +
(critical > 0 ? '### Critical Findings\n' +
(report.findings_by_severity.CRITICAL || []).slice(0, 5).map(f =>
'- **' + f.file + ':' + f.line_number + '** - ' + f.issue + '\n `' + f.evidence + '`\n → ' + f.recommendation
).join('\n\n') + '\n\n' : '') +
(high > 0 && critical === 0 ? '### High Findings\n' +
(report.findings_by_severity.HIGH || []).slice(0, 3).map(f =>
'- **' + f.file + ':' + f.line_number + '** - ' + f.issue + '\n → ' + f.recommendation
).join('\n\n') + '\n\n' : '') +
'[View full report in CI artifacts](' + context.payload.pull_request.html_url + '/checks)';
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: body
});
}
- name: Fail if critical or high findings
if: steps.security_scan.outcome == 'failure'
run: |
echo "::error::Security audit found critical or high severity issues"
exit 1
secrets-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history for gitleaks
- name: Run gitleaks
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
shellcheck:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run ShellCheck
uses: ludeeus/action-shellcheck@master
with:
scandir: './skills'
severity: warning
continue-on-error: true
python-security:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install bandit
run: pip install bandit[toml]
- name: Run bandit on Python scripts
run: |
find skills -name "*.py" -type f | xargs bandit -r -f json -o bandit-report.json || true
continue-on-error: true
- name: Upload bandit report
uses: actions/upload-artifact@v4
if: always()
with:
name: bandit-report
path: bandit-report.json
retention-days: 30