blackroad-operating-system/.github/workflows/security.yml
Workflow config file is invalid. Please check your config file: yaml: line 184: could not find expected ':'
Alexa Louise c00b6ee2a1 fix: Add Railway deployment configs and GitHub workflows
- Add Railway configuration (railway.toml)
- Add GitHub Actions workflows
  - Railway deployment automation
  - Python/Node.js testing
  - Health check monitoring
- Add GitHub templates (CODEOWNERS, PR template)
- Add requirements files if missing
- Standardize deployment across all services

This ensures consistent deployment patterns across the entire
BlackRoad OS infrastructure.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-10 15:35:09 -06:00


# ============================================================================
# BlackRoad OS - Security Scanning Pipeline
# Copyright (c) 2025 BlackRoad OS, Inc. / Alexa Louise Amundson
# All Rights Reserved.
# ============================================================================
#
# Comprehensive security scanning workflow.
# Runs on push, PR, and weekly schedule.
# ============================================================================
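name: Security

# yamllint disable-line rule:truthy -- `on` is the Actions trigger key, not a boolean
on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]
  schedule:
    - cron: '0 0 * * 0'  # weekly, Sunday 00:00 UTC
  workflow_dispatch: {}

# Least privilege at the workflow level: every job starts read-only.
# The original granted `security-events: write` to all four jobs, but only
# the CodeQL job uploads SARIF, and it declares that permission itself.
# NOTE(review): the `actions/*` and `github/codeql-action/*` steps below are
# pinned to major tags; pin them to commit SHAs if a mutable tag is a concern.
permissions:
  contents: read

jobs: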
# ─────────────────────────────────────────────────────────────────────────
# CodeQL Analysis
# ─────────────────────────────────────────────────────────────────────────
  codeql:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    # Job-scoped token: read the workflow and repository, write only the
    # SARIF results that `analyze` uploads to code scanning.
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      # Keep analysing the remaining matrix entries if one of them fails.
      fail-fast: false
      matrix:
        language:
          - python
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # `security-and-quality` layers the maintainability queries on top
          # of the security suite.
          queries: security-and-quality

      # Python needs no build, but autobuild keeps the job language-agnostic
      # should the matrix grow.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          # One result category per language so matrix runs do not overwrite
          # each other's findings.
          category: "/language:${{matrix.language}}"
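# ─────────────────────────────────────────────────────────────────────────
# Dependency Vulnerability Scan
# ─────────────────────────────────────────────────────────────────────────
  dependency-scan:
    name: Dependency Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install pip-audit
        # `safety` was installed by the original step but never invoked.
        run: pip install pip-audit

      - name: Check for vulnerable dependencies
        # Non-blocking as in the original; the step is now marked failed when
        # pip-audit reports something, so flipping this to false is enough to
        # make new vulnerabilities block the PR once the baseline is clean.
        continue-on-error: true
        run: |
          echo "## Dependency Vulnerability Scan" >> "$GITHUB_STEP_SUMMARY"
          status=0

          # audit_target LABEL ARGS... -- run pip-audit, append its markdown
          # report to the summary, and remember whether it found anything.
          # pip-audit exits non-zero when it finds a vulnerability, so the
          # original `|| echo "No issues found"` appended that message exactly
          # when issues WERE found.
          audit_target() {
            local label="$1"; shift
            echo "### $label" >> "$GITHUB_STEP_SUMMARY"
            if pip-audit "$@" --format markdown >> "$GITHUB_STEP_SUMMARY"; then
              echo "No issues found" >> "$GITHUB_STEP_SUMMARY"
            else
              echo "::warning::pip-audit reported vulnerabilities or failed for $label"
              status=1
            fi
          }

          if [ -f requirements.txt ]; then
            audit_target "requirements.txt" -r requirements.txt
          fi
          # A bare `pip-audit` audits the runner's own environment (here just
          # pip-audit itself), not the project. Passing the project directory
          # resolves pyproject.toml; this builds the project in a temporary
          # environment, which is acceptable under `pull_request` with the
          # read-only token granted above.
          if [ -f pyproject.toml ]; then
            audit_target "pyproject.toml" .
          fi
          exit "$status"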
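# ─────────────────────────────────────────────────────────────────────────
# Secret Scanning
# ─────────────────────────────────────────────────────────────────────────
  secret-scan:
    name: Secret Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Full history. Note that a `filesystem` scan only reads the working
          # tree; switch the source to `git file:///repo` if history matters.
          fetch-depth: 0

      - name: Scan for secrets
        # Non-blocking by design (as in the original); findings surface as a
        # workflow warning and in the step summary.
        continue-on-error: true
        run: |
          echo "## Secret Scan Results" >> "$GITHUB_STEP_SUMMARY"
          # The PyPI `trufflehog` package is the legacy Python v2 CLI, which
          # has no `filesystem` subcommand and no `--only-verified` flag; those
          # belong to the Go-based v3 scanner. The original
          # `pip install trufflehog` therefore could not run this command, and
          # `2>/dev/null ... || true` turned that failure into
          # "No verified secrets detected". The v3 scanner ships as a
          # container image; run it from there.
          # NOTE(review): pin the image to a release tag or digest instead of
          # `:latest` before relying on it.
          if ! docker run --rm -v "$PWD:/repo" trufflesecurity/trufflehog:latest \
              filesystem /repo --only-verified --json > secrets.json; then
            echo "::error::trufflehog did not complete; secret scan result is unknown"
            echo "Secret scan did not complete" >> "$GITHUB_STEP_SUMMARY"
            exit 1
          fi
          # secrets.json carries the raw secret values: only test whether it
          # is non-empty here, never print it or upload it as an artifact.
          if [ -s secrets.json ]; then
            echo "::warning::Potential secrets detected. Review secrets.json"
            echo "Potential secrets found - review required" >> "$GITHUB_STEP_SUMMARY"
          else
            echo "No verified secrets detected" >> "$GITHUB_STEP_SUMMARY"
          fi

      - name: Check for common secret patterns
        continue-on-error: true
        run: |
          echo "### Pattern Checks" >> "$GITHUB_STEP_SUMMARY"
          # report PATTERN WARNING SUMMARY [grep options...]
          # Lists only the files that match. The original `grep -r` printed
          # the matching lines, which copies the suspected credential into the
          # job log for everyone who can read the run.
          report() {
            local pattern="$1" warning="$2" summary="$3"; shift 3
            local hits
            if hits=$(grep -rlE "$@" --exclude-dir=.git -e "$pattern" .); then
              echo "::warning::$warning"
              printf '%s\n' "$hits" | sed 's/^/  - /'
              echo "- $summary" >> "$GITHUB_STEP_SUMMARY"
            fi
          }
          # AWS access key IDs
          report 'AKIA[0-9A-Z]{16}' \
            "Potential AWS access key found" "Potential AWS key pattern detected" \
            --include='*.py' --include='*.sh' --include='*.yaml'
          # PEM private key headers
          report 'BEGIN (RSA |DSA |EC |OPENSSH )?PRIVATE KEY' \
            "Private key found in repository" "Private key detected" \
            --include='*.py' --include='*.sh' --include='*.pem'
          # Literal password assignments of 8+ characters
          report "password\s*=\s*['\"][^'\"]{8,}['\"]" \
            "Potential hardcoded password found" "Potential hardcoded password detected" \
            -i --include='*.py' --include='*.sh'
          echo "Pattern scan complete" >> "$GITHUB_STEP_SUMMARY"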
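# ─────────────────────────────────────────────────────────────────────────
# SAST (Static Application Security Testing)
# ─────────────────────────────────────────────────────────────────────────
  sast:
    name: SAST Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install Bandit
        run: pip install bandit

      - name: Run Bandit security scan
        # Non-blocking as in the original; the step is marked failed only
        # when Bandit produces no report at all.
        continue-on-error: true
        run: |
          echo "## Bandit Security Scan" >> "$GITHUB_STEP_SUMMARY"
          # Bandit exits 1 when it reports findings, so its status cannot tell
          # "found issues" from "failed to run"; the report file can.
          bandit -r . -f json -o bandit-report.json \
            --exclude './.git,./node_modules,./.venv' || true
          if [ ! -f bandit-report.json ]; then
            echo "::error::Bandit did not produce a report"
            echo "Bandit did not run" >> "$GITHUB_STEP_SUMMARY"
            exit 1
          fi
          # Summarise the JSON report with a quoted heredoc: no shell
          # expansion inside the Python, none of the `\"` escaping the inline
          # `python3 -c "..."` form needed, and every line sits at the
          # block-scalar indent so YAML strips it uniformly.
          # NOTE(review): the rendered page reports this file as invalid YAML
          # (`yaml: line 184: could not find expected ':'`); a dedented line of
          # the original inline Python is the most likely cause -- confirm the
          # workflow parses after this change.
          python3 - bandit-report.json >> "$GITHUB_STEP_SUMMARY" <<'PY'
          import json, sys
          with open(sys.argv[1]) as fh:
              results = json.load(fh).get('results', [])
          print(f"Found {len(results)} security issues")
          if results:
              print()
              print("### Top Issues")
              for r in results[:10]:
                  print(f"- **{r['issue_severity']}**: {r['issue_text']} ({r['filename']}:{r['line_number']})")
          PY

      - name: Upload Bandit report
        uses: actions/upload-artifact@v4
        # Upload even when the scan step above was marked failed.
        if: always()
        with:
          name: bandit-report
          path: bandit-report.json
          # Bandit's JSON includes the offending source lines; artifacts are
          # visible to anyone who can read the repository, so keep the
          # retention short.
          retention-days: 30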