mirror of
https://github.com/ruvnet/RuView.git
synced 2026-05-19 16:41:16 +00:00
* security: pin GitHub Actions to SHAs and bump vulnerable npm deps (#442)

Addresses confirmed findings from issue #442 (Pentesterra/DevGuard).

GitHub Actions — pin all third-party Action references in security-scan.yml and ci.yml to verified commit SHAs (with the matching version in a trailing comment for legibility):
* snyk/actions/python -> v1.0.0
* aquasecurity/trivy-action -> v0.36.0 (security-scan.yml + ci.yml)
* bridgecrewio/checkov-action -> v12.1347.0
* tenable/terrascan-action -> v1.4.1
* checkmarx/kics-github-action -> v2.1.20 (the action #442 named)
* trufflesecurity/trufflehog -> v3.95.2

Verification: grep -rE 'uses:.*@(main|master|latest)$' .github/workflows/ returns no matches.

npm deps in ui/mobile — add `overrides` forcing patched versions of the three packages flagged by the DevGuard scanner, regenerate package-lock.json:
* @xmldom/xmldom@0.8.11 -> 0.8.13
* node-forge@1.3.3 -> ^1.4.0 (closes 3 HIGH advisories)
* picomatch@2.3.1 -> ^2.3.2 (transitive in jest tooling)

npm audit totals: 25 -> 22 advisories (5 HIGH -> 2 HIGH).

Out of scope for this PR (tracked separately):
* Sensing-server unauth REST API surface — opened as #443 pending design-intent confirmation from @ruvnet.
* Bearer-token-shaped string in git history — confirmed test seed per repo owner; no rotation required.

Refs: #442
Co-Authored-By: claude-flow <ruv@ruv.net>

* chore: add Dependabot config for github-actions and ui/mobile npm (#442)

Pairs with the SHA pinning from the previous commit so the pinned versions get automated weekly bumps rather than drifting back to mutable refs over time.

Scoped to the two ecosystems #442 surfaced findings in:
* github-actions (root) — the supply-chain risk
* npm (ui/mobile) — the @xmldom/xmldom, node-forge, picomatch advisories

Other ecosystems (pip, cargo, desktop UI npm) deliberately omitted — they can be added in a separate PR if desired.

Refs: #442
Co-Authored-By: claude-flow <ruv@ruv.net>

* chore(dependabot): expand to pip, cargo, and desktop UI npm (#442)

Broadens the Dependabot config from the initial 2 ecosystems (github-actions + ui/mobile npm) to cover all 5 package surfaces in the repo so pinned dependencies stay current across the board:
+ npm /v2/crates/wifi-densepose-desktop/ui (vite advisory live)
+ pip / (requirements.txt loose pins)
+ cargo /v2 (no cargo audit in CI yet)

Marginal cost is zero — Dependabot only opens PRs when an upstream bump exists, and per-ecosystem pull-request limits cap the noise. Each ecosystem labelled distinctly so PRs route cleanly.

Refs: #442
Co-Authored-By: claude-flow <ruv@ruv.net>

---------

Co-authored-by: claude-flow <ruv@ruv.net>
457 lines
No EOL
14 KiB
YAML
name: Security Scanning

on:
  push:
    branches: [ main, develop, 'feat/*' ]
  pull_request:
    branches: [ main, develop ]
  schedule:
    # Run security scans daily at 2 AM UTC
    - cron: '0 2 * * *'
  workflow_dispatch:

env:
  PYTHON_VERSION: '3.11'

jobs:
  # Static Application Security Testing (SAST)
  sast:
    name: Static Application Security Testing
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      actions: read
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt
          pip install bandit semgrep safety

      - name: Run Bandit security scan
        run: |
          bandit -r src/ -f sarif -o bandit-results.sarif
        continue-on-error: true

      - name: Upload Bandit results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: bandit-results.sarif
          category: bandit

      - name: Run Semgrep security scan
        uses: returntocorp/semgrep-action@v1
        with:
          config: >-
            p/security-audit
            p/secrets
            p/python
            p/docker
            p/kubernetes
        env:
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

      - name: Generate Semgrep SARIF
        run: |
          semgrep --config=p/security-audit --config=p/secrets --config=p/python --sarif --output=semgrep.sarif src/
        continue-on-error: true

      - name: Upload Semgrep results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: semgrep.sarif
          category: semgrep

  # Dependency vulnerability scanning
  dependency-scan:
    name: Dependency Vulnerability Scan
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      actions: read
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt
          pip install safety pip-audit

      - name: Run Safety check
        run: |
          safety check --json --output safety-report.json
        continue-on-error: true

      - name: Run pip-audit
        run: |
          pip-audit --format=json --output=pip-audit-report.json
        continue-on-error: true

      - name: Run Snyk vulnerability scan
        uses: snyk/actions/python@9adf32b1121593767fc3c057af55b55db032dc04 # v1.0.0
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --sarif-file-output=snyk-results.sarif
        continue-on-error: true

      - name: Upload Snyk results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: snyk-results.sarif
          category: snyk

      - name: Upload vulnerability reports
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: vulnerability-reports
          path: |
            safety-report.json
            pip-audit-report.json
            snyk-results.sarif

  # Container security scanning
  container-scan:
    name: Container Security Scan
    runs-on: ubuntu-latest
    needs: []
    if: github.event_name == 'push' || github.event_name == 'schedule'
    permissions:
      security-events: write
      actions: read
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build Docker image for scanning
        uses: docker/build-push-action@v5
        with:
          context: .
          target: production
          load: true
          tags: wifi-densepose:scan
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
        with:
          image-ref: 'wifi-densepose:scan'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
          category: trivy

      - name: Run Grype vulnerability scanner
        uses: anchore/scan-action@v3
        id: grype-scan
        with:
          image: 'wifi-densepose:scan'
          fail-build: false
          severity-cutoff: high
          output-format: sarif

      - name: Upload Grype results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: ${{ steps.grype-scan.outputs.sarif }}
          category: grype

      - name: Run Docker Scout
        uses: docker/scout-action@v1
        if: always()
        with:
          command: cves
          image: wifi-densepose:scan
          sarif-file: scout-results.sarif
          summary: true

      - name: Upload Docker Scout results
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: scout-results.sarif
          category: docker-scout

  # Infrastructure as Code security scanning
  iac-scan:
    name: Infrastructure Security Scan
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      actions: read
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Checkov IaC scan
        uses: bridgecrewio/checkov-action@99bb2caf247dfd9f03cf984373bc6043d4e32ebf # v12.1347.0
        with:
          directory: .
          framework: kubernetes,dockerfile,terraform,ansible
          output_format: sarif
          output_file_path: checkov-results.sarif
          quiet: true
          soft_fail: true

      - name: Upload Checkov results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: checkov-results.sarif
          category: checkov

      - name: Run Terrascan IaC scan
        uses: tenable/terrascan-action@3a6e87da8e244513bd77b631e624552643f794c6 # v1.4.1
        with:
          iac_type: 'k8s'
          iac_version: 'v1'
          policy_type: 'k8s'
          only_warn: true
          sarif_upload: true

      - name: Run KICS IaC scan
        uses: checkmarx/kics-github-action@05aa5eb70eede1355220f4ca5238d96b397e30a6 # v2.1.20
        with:
          path: '.'
          output_path: kics-results
          output_formats: 'sarif'
          exclude_paths: '.git,node_modules'
          exclude_queries: 'a7ef1e8c-fbf8-4ac1-b8c7-2c3b0e6c6c6c'

      - name: Upload KICS results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: kics-results/results.sarif
          category: kics

  # Secret scanning
  secret-scan:
    name: Secret Scanning
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      actions: read
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Run TruffleHog secret scan
        uses: trufflesecurity/trufflehog@17456f8c7d042d8c82c9a8ca9e937231f9f42e26 # v3.95.2
        with:
          path: ./
          base: main
          head: HEAD
          extra_args: --debug --only-verified

      - name: Run GitLeaks secret scan
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

      - name: Run detect-secrets
        run: |
          pip install detect-secrets
          detect-secrets scan --all-files --baseline .secrets.baseline
          detect-secrets audit .secrets.baseline
        continue-on-error: true

  # License compliance scanning
  license-scan:
    name: License Compliance Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt
          pip install pip-licenses licensecheck

      - name: Run license check
        run: |
          pip-licenses --format=json --output-file=licenses.json
          licensecheck --zero

      - name: Upload license report
        uses: actions/upload-artifact@v4
        with:
          name: license-report
          path: licenses.json

  # Security policy compliance
  compliance-check:
    name: Security Policy Compliance
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Check security policy files
        run: |
          # Check for required security files
          files=("SECURITY.md" ".github/SECURITY.md" "docs/SECURITY.md")
          found=false
          for file in "${files[@]}"; do
            if [[ -f "$file" ]]; then
              echo "✅ Found security policy: $file"
              found=true
              break
            fi
          done
          if [[ "$found" == false ]]; then
            echo "❌ No security policy found. Please create SECURITY.md"
            exit 1
          fi

      - name: Check for security headers in code
        run: |
          # Check for security-related configurations
          grep -r "X-Frame-Options\|X-Content-Type-Options\|X-XSS-Protection\|Content-Security-Policy" src/ || echo "⚠️ Consider adding security headers"

      - name: Validate Kubernetes security contexts
        run: |
          # Check for security contexts in Kubernetes manifests
          if [[ -d "k8s" ]]; then
            if find k8s/ -name "*.yaml" -exec grep -l "securityContext" {} \; | wc -l | grep -q "^0$"; then
              echo "⚠️ No security contexts found in Kubernetes manifests"
            else
              echo "✅ Security contexts found in Kubernetes manifests"
            fi
          else
            echo "ℹ️ No k8s/ directory found — skipping Kubernetes security context check"
          fi

  # Notification and reporting
  security-report:
    name: Security Report
    runs-on: ubuntu-latest
    needs: [sast, dependency-scan, container-scan, iac-scan, secret-scan, license-scan, compliance-check]
    if: always()
    # Promote secret to env-scope so the gating `if:` on the Slack-notify
    # step below is parseable (GitHub Actions rejects `secrets.X` in
    # step-level `if:` expressions).
    env:
      SECURITY_SLACK_WEBHOOK_URL: ${{ secrets.SECURITY_SLACK_WEBHOOK_URL }}
    steps:
      - name: Download all artifacts
        uses: actions/download-artifact@v4

      - name: Generate security summary
        run: |
          echo "# Security Scan Summary" > security-summary.md
          echo "" >> security-summary.md
          echo "## Scan Results" >> security-summary.md
          echo "- SAST: ${{ needs.sast.result }}" >> security-summary.md
          echo "- Dependency Scan: ${{ needs.dependency-scan.result }}" >> security-summary.md
          echo "- Container Scan: ${{ needs.container-scan.result }}" >> security-summary.md
          echo "- IaC Scan: ${{ needs.iac-scan.result }}" >> security-summary.md
          echo "- Secret Scan: ${{ needs.secret-scan.result }}" >> security-summary.md
          echo "- License Scan: ${{ needs.license-scan.result }}" >> security-summary.md
          echo "- Compliance Check: ${{ needs.compliance-check.result }}" >> security-summary.md
          echo "" >> security-summary.md
          echo "Generated on: $(date)" >> security-summary.md

      - name: Upload security summary
        uses: actions/upload-artifact@v4
        with:
          name: security-summary
          path: security-summary.md

      # GitHub Actions does not allow `secrets.X` in step-level `if:` —
      # use env.X instead. Inherits SECURITY_SLACK_WEBHOOK_URL from the
      # job-level env block (defined above).
      - name: Notify security team on critical findings
        if: ${{ env.SECURITY_SLACK_WEBHOOK_URL != '' && (needs.sast.result == 'failure' || needs.dependency-scan.result == 'failure' || needs.container-scan.result == 'failure') }}
        uses: 8398a7/action-slack@v3
        with:
          status: failure
          channel: '#security'
          text: |
            🚨 Critical security findings detected!
            Repository: ${{ github.repository }}
            Branch: ${{ github.ref }}
            Workflow: ${{ github.workflow }}
            Please review the security scan results immediately.
        env:
          SLACK_WEBHOOK_URL: ${{ env.SECURITY_SLACK_WEBHOOK_URL }}

      - name: Create security issue on critical findings
        if: needs.sast.result == 'failure' || needs.dependency-scan.result == 'failure'
        uses: actions/github-script@v6
        with:
          script: |
            github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: `Security Scan Failures - ${new Date().toISOString()}`,
              body: `
            ## Security Scan Failures Detected

            **Workflow Run:** ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
            **Branch:** ${{ github.ref }}

            **Failed Scans:**
            - SAST: ${{ needs.sast.result }}
            - Dependency Scan: ${{ needs.dependency-scan.result }}
            - Container Scan: ${{ needs.container-scan.result }}

            **Action Required:**
            - [ ] Review security scan results
            - [ ] Address critical vulnerabilities
            - [ ] Update dependencies if needed
            - [ ] Re-run security scans

            **Security Dashboard:** Check the Security tab for detailed findings.
              `,
              labels: ['security', 'vulnerability', 'urgent']
            })
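Added here as a defender's check and not code from the RuView repository: the verification grep quoted in the commit message only flags refs ending in @main, @master or @latest, so a tag such as @v4 passes it even though tags are mutable (and this very workflow still uses several, for example actions/checkout@v4 and gitleaks/gitleaks-action@v2). The script below treats anything other than a 40-hex commit SHA as unpinned and runs against a constructed sample workflow tree; the sample paths, refs and the hypothetical some-org/some-action are made up for the demo.

```bash
#!/usr/bin/env bash
# Added example, not part of the RuView repository: audit workflow files for
# `uses:` references that are not pinned to a full 40-hex commit SHA.
# The commit message's verification grep only flags @main/@master/@latest;
# a mutable tag such as @v1 or @v4 passes it, yet the action owner (or
# whoever takes over that account) can move the tag to different code.
# Local actions (./path) and docker:// images are out of scope here.
set -eu

# Print each unpinned `uses:` ref in workflow files under $1 as "file:line: ref".
find_unpinned() {
  local dir="$1"
  grep -rnE --include='*.yml' --include='*.yaml' \
       '^[[:space:]]*-?[[:space:]]*uses:' "$dir" 2>/dev/null \
    | awk -F'uses:' '{
        ref = $2
        sub(/^[ \t]+/, "", ref)        # strip indent
        sub(/[ \t].*$/, "", ref)       # drop trailing "# vX.Y.Z" comment
        gsub(/"/, "", ref)             # drop optional quotes
        split($1, loc, ":")            # grep -rn prefix: file:line:
        print loc[1] ":" loc[2] ": " ref
      }' \
    | grep -vE ': (\./|docker://)' \
    | grep -vE '@[0-9a-f]{40}$' || true
}

# Number of unpinned refs under $1; a CI gate would fail when this is non-zero.
count_unpinned() {
  find_unpinned "$1" | grep -c . || true
}

# Constructed sample workflow tree (paths and refs made up for the demo);
# prints the directory so callers can inspect and then remove it.
make_sample_dir() {
  local d
  d="$(mktemp -d)"
  mkdir -p "$d/.github/workflows"
  cat > "$d/.github/workflows/ci.yml" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
      - uses: ./.github/actions/local-step
      - uses: returntocorp/semgrep-action@v1
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
EOF
  printf '%s\n' "$d"
}

main() {
  local d
  d="$(make_sample_dir)"
  find_unpinned "$d"                              # lists the three tag/branch refs
  echo "unpinned refs: $(count_unpinned "$d")"   # 3
  rm -rf "$d"
}
main
```

Run it with the path of a real checkout in place of the sample directory; the SHA-pinned lines with a trailing version comment, as used in this workflow, pass while every tag or branch ref is listed.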