blackroad-os/blackroad-operating-system
9
0
Fork 0
mirror of https://github.com/blackboxprogramming/BlackRoad-Operating-System.git synced 2026-03-17 09:37:55 -05:00
Code Issues Packages Projects Releases Wiki Activity

fix: restrict CodeQL to Python only, remove failing JS/TS matrix entries, add secrets scan

Browse Source
This commit is contained in:
Alexa Amundson
2026-03-10 21:08:54 -05:00
parent 40341c3e0c
commit 7fb59c106e
1 changed files with 28 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
.github/workflows/security-scan.yml vendored
View File

@@ -1,4 +1,4 @@
name: 🔒 Security Scan name: "🔒 Security Scan"
on: on:
push: push:
@@ -18,38 +18,48 @@ jobs:
codeql: codeql:
name: CodeQL Analysis name: CodeQL Analysis
runs-on: ubuntu-latest runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
language: ['javascript', 'typescript', 'python']
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@v3 uses: github/codeql-action/init@v3
with: with:
languages: ${{ matrix.language }} languages: python
- name: Autobuild - name: Autobuild
uses: github/codeql-action/autobuild@v3 uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3 uses: github/codeql-action/analyze@v3
dependency-scan: security-checks:
name: Dependency Scan name: Security Checks
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Run npm audit - name: Check for secrets
if: hashFiles('package.json') != '' run: |
run: npm audit --audit-level=moderate || true echo "Scanning for potential secrets..."
! grep -rn 'AKIA\|sk-\|ghp_\|gho_\|password\s*=' --include='*.py' --include='*.js' --include='*.env' --include='*.yml' . || echo "Warning: Potential secrets found"
echo "Security scan complete"
- name: Check dependencies
run: |
if [ -f "requirements.txt" ]; then
pip install safety 2>/dev/null || true
safety check -r requirements.txt 2>/dev/null || true
fi
if [ -f "package.json" ]; then
npm install 2>/dev/null || true
npm audit --audit-level=high 2>/dev/null || true
fi
echo "Dependency check complete"
- name: Dependency Review - name: Dependency Review
uses: actions/dependency-review-action@v4 uses: actions/dependency-review-action@v4
if: github.event_name == 'pull_request' if: github.event_name == 'pull_request'