Security Scanning #44
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Scanning | |
| on: | |
| push: | |
| branches: [ main, master, develop, 'feature/**', 'fix/**' ] | |
| pull_request: | |
| branches: [ main, master, develop ] | |
| schedule: | |
| # Run weekly on Mondays at 9 AM UTC | |
| - cron: '0 9 * * 1' | |
| workflow_dispatch: # Allow manual trigger | |
| permissions: | |
| contents: read | |
| security-events: write | |
| actions: read | |
| jobs: | |
| secret-scan: | |
| name: Secret Detection | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # Full history for comprehensive scanning | |
| - name: TruffleHog Secret Scan | |
| uses: trufflesecurity/trufflehog@main | |
| with: | |
| path: ./ | |
| extra_args: --only-verified | |
| - name: GitGuardian Secret Scan | |
| uses: GitGuardian/ggshield-action@v1 | |
| env: | |
| GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }} | |
| GITHUB_PUSH_BASE_SHA: ${{ github.event.base }} | |
| GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }} | |
| GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} | |
| GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} | |
| # Continue on error to show both TruffleHog and GitGuardian results | |
| continue-on-error: true | |
| - name: Detect Hardcoded Secrets | |
| run: | | |
| echo "Scanning for common secret patterns..." | |
| # Custom patterns for MakerMatrix | |
| FOUND=0 | |
| # Check for MakerMatrix API keys | |
| if git grep -E "mm_[A-Za-z0-9_-]{40,}" -- ':(exclude).github/*' ':(exclude)*.md' ':(exclude).env.example'; then | |
| echo "::error::MakerMatrix API key pattern detected!" | |
| FOUND=1 | |
| fi | |
| # Check for common secret patterns | |
| if git grep -iE "(api[_-]?key|password|secret|token|credential)[\s]*=[\s]*['\"][^'\"]{20,}" -- ':(exclude).env.example' ':(exclude)*.md' ':(exclude)tests/**'; then | |
| echo "::warning::Potential secret assignment detected!" | |
| FOUND=1 | |
| fi | |
| # Check for private keys | |
| if git grep -E "BEGIN (RSA |DSA |EC |OPENSSH )?PRIVATE KEY" -- ':(exclude)*.md'; then | |
| echo "::error::Private key detected!" | |
| FOUND=1 | |
| fi | |
| # Check for .env files (should only be .env.example) | |
| if git ls-files | grep -E "\.env$" | grep -v "\.env\.example"; then | |
| echo "::error::.env file found in git! Should be in .gitignore" | |
| FOUND=1 | |
| fi | |
| # Check for database files and backups | |
| if git ls-files | grep -E "(\.db$|\.db\.|\.sqlite|\.backup)"; then | |
| echo "::error::Database or backup file found in git! These contain sensitive data!" | |
| FOUND=1 | |
| fi | |
| if [ $FOUND -eq 1 ]; then | |
| echo "::error::Secrets detected! See logs above." | |
| exit 1 | |
| fi | |
| echo "✓ No hardcoded secrets detected" | |
| dependency-scan: | |
| name: Dependency Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.11' | |
| - name: Install Safety | |
| run: pip install safety | |
| - name: Scan Python Dependencies | |
| run: | | |
| if [ -f requirements.txt ]; then | |
| safety check --file requirements.txt --output text | |
| fi | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '18' | |
| - name: Install npm dependencies | |
| working-directory: ./MakerMatrix/frontend | |
| run: npm ci | |
| - name: npm audit | |
| working-directory: ./MakerMatrix/frontend | |
| run: npm audit --audit-level=moderate | |
| continue-on-error: true | |
| code-scan: | |
| name: Static Code Analysis | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Run Bandit (Python Security) | |
| uses: PyCQA/bandit-action@v1 | |
| with: | |
| configfile: pyproject.toml | |
| targets: MakerMatrix | |
| continue-on-error: true | |
| - name: CodeQL Analysis | |
| uses: github/codeql-action/init@v2 | |
| with: | |
| languages: python, javascript | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v2 | |
| report: | |
| name: Security Summary | |
| runs-on: ubuntu-latest | |
| needs: [secret-scan, dependency-scan, code-scan] | |
| if: always() | |
| steps: | |
| - name: Summary | |
| run: | | |
| echo "# Security Scan Summary" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "| Check | Status |" >> $GITHUB_STEP_SUMMARY | |
| echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY | |
| echo "| Secret Scan | ${{ needs.secret-scan.result }} |" >> $GITHUB_STEP_SUMMARY | |
| echo "| Dependency Scan | ${{ needs.dependency-scan.result }} |" >> $GITHUB_STEP_SUMMARY | |
| echo "| Code Analysis | ${{ needs.code-scan.result }} |" >> $GITHUB_STEP_SUMMARY | |
| if [ "${{ needs.secret-scan.result }}" != "success" ]; then | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "⚠️ **Secret scan failed!** Review the logs immediately." >> $GITHUB_STEP_SUMMARY | |
| fi |