AgentifUI/.github/workflows/security.yml at master · ifLab/AgentifUI · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
name: Security Checks

on:
  schedule:
    - cron: '0 2 * * 1'  # Run every Monday at 2:00 AM
  pull_request:
    branches: [ main, develop ]
  workflow_dispatch:

permissions:
  contents: read

jobs:
  dependency-scan:
    name: Dependency Security Scan
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Setup pnpm
      uses: pnpm/action-setup@v4

    - name: Setup Node.js
      uses: actions/setup-node@v4
      with:
        node-version: '18'
        cache: 'pnpm'

    - name: Install dependencies
      run: pnpm install --frozen-lockfile

    - name: Run pnpm audit
      run: |
        echo "Checking for dependency vulnerabilities..."
        pnpm audit --audit-level=high

  code-security:
    name: Source Code Security Check
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Scan for hardcoded secrets
      run: |
        echo "Scanning for hardcoded secrets..."

        # Check for hardcoded secrets
        if grep -r -i -E "(api_key|apikey|secret|token|password)\s*[:=]\s*['\"][a-zA-Z0-9+/]{20,}['\"]" \
           --include="*.ts" --include="*.tsx" --include="*.js" --include="*.jsx" \
           . | grep -v node_modules | grep -v -E "(placeholder|example|test|demo|sample|mock)"; then
          echo "Hardcoded secret detected"
          exit 1
        fi

        # Check for accidentally committed .env files
        if find . -name ".env" -not -path "./node_modules/*" -not -path "./.git/*" | grep -q .; then
          echo ".env file committed to the repository"
          exit 1
        fi

        echo "No hardcoded secrets found"

  security-report:
    name: Security Report Summary
    runs-on: ubuntu-latest
    needs: [dependency-scan, code-security]
    if: always()

    steps:
    - name: Generate security report
      run: |
        echo "Security Check Report"
        echo "Generated at: $(date)"
        echo "Dependency Scan Result: ${{ needs.dependency-scan.result }}"
        echo "Code Security Check Result: ${{ needs.code-security.result }}"

        if [ "${{ needs.dependency-scan.result }}" = "success" ] && [ "${{ needs.code-security.result }}" = "success" ]; then
          echo "Overall Status: Secure"
        else
          echo "Overall Status: Issues Detected. Please check logs for details."
        fi