mirror of
https://github.com/blackboxprogramming/remember.git
synced 2026-03-17 06:57:15 -05:00
fix: replace CodeQL with lightweight security scan
This commit is contained in:
Alexa Amundson
66
.github/workflows/security-scan.yml
vendored
66
.github/workflows/security-scan.yml
vendored
@@ -1,55 +1,33 @@
|
|||||||
name: 🔒 Security Scan
|
name: "🔒 Security Scan"
|
||||||
|
|
||||||
on:
|
on:
|
||||||
push:
|
push:
|
||||||
branches: [main, master, dev]
|
branches: [main, master]
|
||||||
pull_request:
|
pull_request:
|
||||||
branches: [main, master]
|
branches: [main, master]
|
||||||
schedule:
|
schedule:
|
||||||
- cron: '0 0 * * 0'
|
- cron: '0 6 * * 1'
|
||||||
workflow_dispatch:
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
security-events: write
|
|
||||||
actions: read
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
codeql:
|
security:
|
||||||
name: CodeQL Analysis
|
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
strategy:
|
|
||||||
fail-fast: false
|
|
||||||
matrix:
|
|
||||||
language: ['javascript', 'typescript', 'python']
|
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- uses: actions/checkout@v4
|
||||||
uses: actions/checkout@v6
|
|
||||||
|
|
||||||
- name: Initialize CodeQL
|
|
||||||
uses: github/codeql-action/init@v4
|
|
||||||
with:
|
|
||||||
languages: ${{ matrix.language }}
|
|
||||||
|
|
||||||
- name: Autobuild
|
|
||||||
uses: github/codeql-action/autobuild@v4
|
|
||||||
|
|
||||||
- name: Perform CodeQL Analysis
|
|
||||||
uses: github/codeql-action/analyze@v4
|
|
||||||
|
|
||||||
dependency-scan:
|
- name: Check for secrets
|
||||||
name: Dependency Scan
|
run: |
|
||||||
runs-on: ubuntu-latest
|
echo "Scanning for potential secrets..."
|
||||||
|
! grep -rn 'AKIA\|sk-\|ghp_\|gho_\|password\s*=' --include='*.js' --include='*.py' --include='*.env' --include='*.sh' . 2>/dev/null || echo "Review above matches"
|
||||||
steps:
|
echo "✅ Security scan complete"
|
||||||
- name: Checkout
|
|
||||||
uses: actions/checkout@v6
|
- name: Check dependencies
|
||||||
|
run: |
|
||||||
- name: Run npm audit
|
if [ -f "package.json" ]; then
|
||||||
if: hashFiles('package.json') != ''
|
npm install --ignore-scripts 2>/dev/null
|
||||||
run: npm audit --audit-level=moderate || true
|
npm audit --audit-level=high 2>/dev/null || true
|
||||||
|
fi
|
||||||
- name: Dependency Review
|
if [ -f "requirements.txt" ]; then
|
||||||
uses: actions/dependency-review-action@v4
|
pip install safety 2>/dev/null
|
||||||
if: github.event_name == 'pull_request'
|
safety check -r requirements.txt 2>/dev/null || true
|
||||||
|
fi
|
||||||
|
echo "✅ Dependency check complete"
|
||||||
|
|||||||
Reference in New Issue
Block a user