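---
# Audits the environment and Helm configuration for security issues on every
# push / pull request to the protected branches, publishes the JSON reports as
# an artifact, comments the findings on pull requests, and fails the job when
# any issue is reported.
name: Configuration Security Check

# yamllint disable-line rule:truthy
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  workflow_dispatch:

# Least-privilege token: the audits only read the checkout, and the PR-comment
# step needs pull-requests:write (the default GITHUB_TOKEN scope is
# repository-dependent and may not grant it, which makes createComment fail).
permissions:
  contents: read
  pull-requests: write

jobs:
  config-security-scan:
    runs-on: ubuntu-latest
    name: Configuration Security Scan
    timeout-minutes: 15
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.13'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install pyyaml

      - name: Run Configuration Security Audit
        run: |
          python config/security/environment-audit.py --format json --output env-security-report.json

      - name: Run Helm Values Security Audit
        run: |
          python config/security/helm-values-audit.py --format json --output helm-security-report.json

      # Gate step: exits non-zero when either audit reported anything. The
      # severity is only used for the message; any issue fails the job.
      # A quoted heredoc replaces `python -c "..."` so the script needs no
      # shell-level quote escaping (the \" escapes inside f-strings were the
      # fragile part) and no shell expansion happens inside it.
      - name: Check for Security Issues
        run: |
          python - <<'PY'
          import json
          import sys

          # Label used in the log -> report file written by the audit step above.
          REPORTS = {
              "Environment": "env-security-report.json",
              "Helm Values": "helm-security-report.json",
          }

          total = critical = high = 0
          for label, path in REPORTS.items():
              with open(path, encoding="utf-8") as fh:
                  summary = json.load(fh)["summary"]
              breakdown = summary.get("severity_breakdown", {})
              print(f"{label} Issues: {summary['total_issues']}")
              total += summary["total_issues"]
              critical += breakdown.get("CRITICAL", 0)
              high += breakdown.get("HIGH", 0)

          print(f"Total Issues: {total}")
          print(f"Critical: {critical}")
          print(f"High: {high}")

          if critical > 0:
              print("❌ CRITICAL security issues found!")
          elif high > 0:
              print("⚠️ HIGH security issues found!")
          elif total > 0:
              print("⚠️ Security issues found")
          else:
              print("✅ No security issues found")
              sys.exit(0)
          sys.exit(1)
          PY

      - name: Upload Security Reports
        # upload-artifact v3 has been deprecated by GitHub; v4 is the supported line.
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: configuration-security-reports
          path: |
            env-security-report.json
            helm-security-report.json
          retention-days: 30

      # Runs even when the gate step above failed (that is exactly when the
      # findings are worth posting); only a cancelled run skips it.
      - name: Comment PR with Security Findings
        if: ${{ !cancelled() && github.event_name == 'pull_request' }}
        uses: actions/github-script@v6
        with:
          script: |
            const fs = require('fs');

            // One section per audit. The audit steps write these two files; a
            // report that is missing or unreadable is called out in the comment
            // instead of silently dropping the whole comment.
            const reports = [
              { label: 'Environment', file: 'env-security-report.json' },
              { label: 'Helm Values', file: 'helm-security-report.json' },
            ];

            let comment = '## 🔒 Configuration Security Scan\n\n';
            for (const { label, file } of reports) {
              comment += `### ${label}\n\n`;
              let report;
              try {
                report = JSON.parse(fs.readFileSync(file, 'utf8'));
              } catch (error) {
                console.log(`Could not read ${file}:`, error.message);
                comment += `⚠️ Report \`${file}\` could not be read.\n\n`;
                continue;
              }
              const summary = report.summary;
              comment += '**Summary**\n';
              comment += `- Files Audited: ${summary.files_audited}\n`;
              comment += `- Total Issues: ${summary.total_issues}\n\n`;
              if (summary.total_issues > 0) {
                comment += '**Severity Breakdown**\n';
                for (const [severity, count] of Object.entries(summary.severity_breakdown)) {
                  if (count > 0) {
                    comment += `- ${severity}: ${count}\n`;
                  }
                }
                comment += '\n**Issues Found**\n';
                for (const [path, issues] of Object.entries(report.issues)) {
                  comment += `\n📁 \`${path}\`\n`;
                  for (const issue of issues) {
                    comment += `- ${issue.level}: ${issue.message}\n`;
                  }
                }
              } else {
                comment += '✅ **No security issues found!**\n';
              }
              comment += '\n**Recommendations**\n';
              for (const rec of report.recommendations || []) {
                comment += `- ${rec}\n`;
              }
              comment += '\n';
            }

            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: comment,
            });

      # Two checks per production template:
      #   1. no placeholder or credential-looking content;
      #   2. every secret-bearing variable uses the secretRef: form.
      # Lines already in secretRef: form are excluded from check 1 as well —
      # the case-insensitive `secret` pattern would otherwise match `secretRef`
      # and the two checks would contradict each other. Only line numbers are
      # echoed, so a matched value never lands in the CI log.
      - name: Validate Production Templates
        run: |
          set -euo pipefail
          echo "Validating production template files..."
          for template in config/environments/production/*.template; do
            if [ -f "$template" ]; then
              echo "Checking $template..."
              forbidden=$(grep -niE '(your-.*-here|change-this|password|secret)' "$template" | grep -v 'secretRef:' | cut -d: -f1 || true)
              if [ -n "$forbidden" ]; then
                echo "❌ Template contains forbidden patterns: $template (lines: $(echo "$forbidden" | tr '\n' ' '))"
                exit 1
              fi
              inline=$(grep -nE '(API_KEY|SECRET|PASSWORD|TOKEN|DSN)=' "$template" | grep -v 'secretRef:' | cut -d: -f1 || true)
              if [ -n "$inline" ]; then
                echo "❌ Template has non-secretRef secrets: $template (lines: $(echo "$inline" | tr '\n' ' '))"
                exit 1
              fi
              echo "✅ $template is valid"
            fi
          done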