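---
# Security scanning workflow.
#
# Jobs:
#   dependency-review  PRs only: block newly introduced vulnerable dependencies.
#   npm-audit          Advisory registry audit of the lockfile (step fails, job continues).
#   secret-scan        TruffleHog diff scan on PR/push, full-history scan weekly.
#   file-check         Fail if credential-bearing files are tracked in the checkout.
#
# Nothing in this file uploads SARIF or code-scanning alerts, so the token
# only needs `contents: read` (see `permissions:` below).
#
# Supply-chain note: `@vN` tags on actions are mutable; pinning every `uses:`
# to a full commit SHA (kept fresh by Dependabot/Renovate) is the stronger
# posture. That is left as-is here because the intended revisions are not
# recorded in this repository.
name: 🔒 Security Scan

on:
  pull_request:
    branches: [ main, develop ]
  push:
    branches: [ main, develop ]
  schedule:
    # Run weekly on Mondays at 00:00 UTC
    - cron: '0 0 * * 1'

# Least privilege for GITHUB_TOKEN: every job only reads the repository.
# `security-events: write` was dropped — no step here publishes alerts.
permissions:
  contents: read

jobs:
  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    # Only meaningful on PRs: the action diffs dependency manifests against
    # the PR base, so there is no base to compare on push/schedule.
    if: github.event_name == 'pull_request'
    steps:
      - name: 📥 Checkout code
        uses: actions/checkout@v6
      - name: 🔍 Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          # Fail the check for newly added dependencies with a known
          # advisory of severity high or critical.
          fail-on-severity: high

  npm-audit:
    name: NPM Audit
    runs-on: ubuntu-latest
    steps:
      - name: 📥 Checkout code
        uses: actions/checkout@v6
      - name: 📦 Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '20'
          # Requires a committed package-lock.json (also what `npm audit` reads).
          cache: 'npm'
      - name: 🔒 Run npm audit
        # Advisory gate: `continue-on-error` keeps the job green, but the
        # step itself is now marked failed when advisories at or above
        # `moderate` exist, so findings remain visible in the run summary.
        # The previous `|| true` masked the exit status, which made
        # `continue-on-error` redundant and hid the result entirely.
        run: |
          if ! npm audit --audit-level=moderate; then
            echo "⚠️ npm audit reported advisories at or above 'moderate' — review the output above"
            exit 1
          fi
        continue-on-error: true

  secret-scan:
    name: Secret Scanning
    runs-on: ubuntu-latest
    steps:
      - name: 📥 Checkout code
        uses: actions/checkout@v6
        with:
          # Full history: TruffleHog diffs base..head on PR/push and walks
          # every commit on the scheduled run.
          fetch-depth: 0

      # NOTE(review): `trufflesecurity/trufflehog@main` is a mutable branch
      # of a third-party action running in a security-gating job — whoever
      # can push to that branch controls what executes here. Pin to a
      # release tag or, better, a full commit SHA. Not applied in this
      # edit because the intended version is not recorded in the repo.
      #
      # `--only-verified` reports only credentials TruffleHog could confirm
      # are live; secret types it cannot verify are NOT flagged, so this
      # trades recall for a low false-positive rate. `--debug` makes the
      # log verbose and can be dropped once the job is stable.
      - name: 🔍 TruffleHog Secret Scan (PR)
        if: github.event_name == 'pull_request'
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: ${{ github.event.pull_request.base.sha }}
          head: ${{ github.event.pull_request.head.sha }}
          extra_args: --debug --only-verified
      - name: 🔍 TruffleHog Secret Scan (Push)
        # `github.event.before` is the all-zero SHA on the first push of a
        # branch, which is not a usable diff base; those pushes fall through
        # to the full scan below instead of producing a broken/empty diff.
        if: github.event_name == 'push' && github.event.before != '0000000000000000000000000000000000000000'
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: ${{ github.event.before }}
          head: ${{ github.sha }}
          extra_args: --debug --only-verified
      - name: 🔍 TruffleHog Secret Scan (Scheduled/Full Scan)
        # No base/head: scans the entire history. Also used for pushes
        # that have no valid `before` commit (see previous step).
        if: github.event_name == 'schedule' || (github.event_name == 'push' && github.event.before == '0000000000000000000000000000000000000000')
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          extra_args: --debug --only-verified

  file-check:
    name: Sensitive File Check
    runs-on: ubuntu-latest
    steps:
      - name: 📥 Checkout code
        uses: actions/checkout@v6
      - name: 🔍 Check for sensitive files
        # Fails the job when credential-bearing files are tracked anywhere
        # in the checkout — the previous version looked for Firebase configs
        # and .env files only at the repository root, while they normally
        # live under e.g. android/app/ or a package subdirectory. Its
        # `[[ "google-services.json" =~ \.example ]]` tests compared a
        # fixed literal and were always false; exact `-name` matches below
        # already leave `*.example` templates alone.
        #
        # Matches are captured into a variable instead of being piped into
        # `grep -q`, so under the runner's default `bash -eo pipefail` an
        # early-exit SIGPIPE cannot turn a hit into a miss. If `find`
        # itself errors the step aborts (fail closed). Every category is
        # reported, with the offending paths, before the step exits.
        run: |
          echo "Checking for sensitive files that should not be committed..."
          status=0

          # check <message> <find name tests...>
          # Searches the work tree (excluding .git and node_modules) for
          # regular files matching any of the given tests; records a failure
          # and prints the paths when something is found.
          check() {
            local msg="$1"; shift
            local hits
            hits="$(find . \( -path ./.git -o -path ./node_modules \) -prune -o -type f \( "$@" \) -print)"
            if [ -n "$hits" ]; then
              echo "❌ ERROR: $msg"
              echo "$hits"
              status=1
            fi
          }

          # Real Firebase config files; google-services.json.example etc.
          # do not match the exact names and are therefore allowed.
          check "google-services.json found in repository" -name "google-services.json"
          check "GoogleService-Info.plist found in repository" -name "GoogleService-Info.plist"
          check "Private key files found in repository" \
            -name "*.p8" -o -name "*.p12" -o -name "*.key" -o -name "*.pem"
          check "Keystore files found in repository" -name "*.jks" -o -name "*.keystore"
          # Other dotenv variants (.env.production, .env.test, ...) are not
          # covered; extend here if the project uses them for real secrets.
          check "Environment files found in repository" -name ".env" -o -name ".env.local"

          if [ "$status" -ne 0 ]; then
            exit 1
          fi
          echo "✅ No sensitive files detected"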