aitbc/.github/workflows/configuration-security.yml
oib f353e00172 chore(security): enhance environment configuration, CI workflows, and wallet daemon with security improvements
- Restructure .env.example with security-focused documentation, service-specific environment file references, and AWS Secrets Manager integration
- Update CLI tests workflow to single Python 3.13 version, add pytest-mock dependency, and consolidate test execution with coverage
- Add comprehensive security validation to package publishing workflow with manual approval gates, secret scanning, and release
2026-03-03 10:33:46 +01:00


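---
# Configuration Security Check
#
# Runs the repository's two configuration audits (environment files and Helm
# values) on every push / pull request to main or develop, and on demand.
# Any finding fails the job; the JSON reports are always uploaded as an
# artifact and, on pull requests, summarised in a PR comment.
name: Configuration Security Check

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: the job only reads the checkout and posts
# a PR comment. On pull requests from forks the token is read-only regardless
# of this block, so the comment step must tolerate a rejected createComment.
permissions:
  contents: read
  pull-requests: write

jobs:
  config-security-scan:
    runs-on: ubuntu-latest
    name: Configuration Security Scan
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.13'

      - name: Install dependencies
        # NOTE(review): pyyaml is unpinned; pin it (or install from a lock
        # file) so the audit tooling itself is reproducible.
        run: |
          python -m pip install --upgrade pip
          pip install pyyaml

      - name: Run Configuration Security Audit
        run: |
          python config/security/environment-audit.py --format json --output env-security-report.json

      - name: Run Helm Values Security Audit
        run: |
          python config/security/helm-values-audit.py --format json --output helm-security-report.json

      - name: Check for Security Issues
        # Gate step: any finding (CRITICAL, HIGH or lower) exits non-zero and
        # fails the job. Later steps that must still run on failure carry
        # `if: always()`. The script is fed through a quoted heredoc so the
        # Python source needs no shell escaping.
        run: |
          python - <<'PY'
          import json
          import sys


          def load_summary(path):
              """Return the 'summary' mapping of one audit report file."""
              with open(path) as f:
                  return json.load(f)['summary']


          env_summary = load_summary('env-security-report.json')
          helm_summary = load_summary('helm-security-report.json')


          def count(level):
              """Findings at severity `level` summed across both reports."""
              return (env_summary['severity_breakdown'].get(level, 0)
                      + helm_summary['severity_breakdown'].get(level, 0))


          total_issues = env_summary['total_issues'] + helm_summary['total_issues']
          critical_issues = count('CRITICAL')
          high_issues = count('HIGH')

          print(f"Environment Issues: {env_summary['total_issues']}")
          print(f"Helm Values Issues: {helm_summary['total_issues']}")
          print(f'Total Issues: {total_issues}')
          print(f'Critical: {critical_issues}')
          print(f'High: {high_issues}')

          # Severity only changes the message; every finding is blocking.
          if critical_issues > 0:
              print('❌ CRITICAL security issues found!')
              sys.exit(1)
          elif high_issues > 0:
              print('⚠️ HIGH security issues found!')
              sys.exit(1)
          elif total_issues > 0:
              print('⚠️ Security issues found')
              sys.exit(1)
          else:
              print('✅ No security issues found')
          PY

      - name: Upload Security Reports
        # upload-artifact v3 is deprecated and no longer accepted by GitHub;
        # v4 is the supported major.
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: configuration-security-reports
          path: |
            env-security-report.json
            helm-security-report.json
          retention-days: 30

      - name: Comment PR with Security Findings
        # always(): the gate step above exits non-zero precisely when there
        # are findings, which is when the PR comment is useful. Without it
        # the comment would only ever be posted on clean runs.
        if: ${{ always() && github.event_name == 'pull_request' }}
        uses: actions/github-script@v6
        with:
          script: |
            const fs = require('fs');

            // Both audit steps write their own report; the comment covers each.
            const reports = [
              ['Environment', 'env-security-report.json'],
              ['Helm Values', 'helm-security-report.json'],
            ];

            let comment = `## 🔒 Configuration Security Scan\n\n`;
            let loaded = 0;

            for (const [label, reportFile] of reports) {
              let report;
              try {
                report = JSON.parse(fs.readFileSync(reportFile, 'utf8'));
              } catch (error) {
                // An audit step that crashed leaves no report; say so rather than
                // silently dropping the section.
                console.log(`Could not read ${reportFile}:`, error.message);
                comment += `### ${label}\n\n_Report not available_\n\n`;
                continue;
              }
              loaded += 1;

              const summary = report.summary;
              comment += `### ${label}\n\n`;
              comment += `**Summary**\n`;
              comment += `- Files Audited: ${summary.files_audited}\n`;
              comment += `- Total Issues: ${summary.total_issues}\n\n`;

              if (summary.total_issues > 0) {
                comment += `**Severity Breakdown**\n`;
                for (const [severity, count] of Object.entries(summary.severity_breakdown || {})) {
                  if (count > 0) {
                    comment += `- ${severity}: ${count}\n`;
                  }
                }
                comment += `\n**Issues Found**\n`;
                for (const [path, issues] of Object.entries(report.issues || {})) {
                  comment += `\n📁 \`${path}\`\n`;
                  for (const issue of issues) {
                    comment += `- ${issue.level}: ${issue.message}\n`;
                  }
                }
              } else {
                comment += `✅ **No security issues found!**\n`;
              }

              comment += `\n**Recommendations**\n`;
              for (const rec of report.recommendations || []) {
                comment += `- ${rec}\n`;
              }
              comment += `\n`;
            }

            if (loaded === 0) {
              console.log('No security reports available; skipping PR comment');
              return;
            }

            try {
              await github.rest.issues.createComment({
                issue_number: context.issue.number,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body: comment,
              });
            } catch (error) {
              // Expected on fork PRs, where GITHUB_TOKEN cannot write comments.
              console.log('Could not post security comment:', error.message);
            }

      - name: Validate Production Templates
        # NOTE(review): this step only runs when the gate step passed; move it
        # ahead of the gate if template findings should be reported in the
        # same run as audit findings.
        run: |
          echo "Validating production template files..."
          # Production templates must hold placeholders / secret references only,
          # never real credential values.
          for template in config/environments/production/*.template; do
            # The glob stays unexpanded when no template exists; skip it.
            if [ -f "$template" ]; then
              echo "Checking $template..."
              # Placeholder markers and dummy literal values that must not ship.
              # Only the VALUE side is matched for password/secret: matching the
              # bare words would also hit key names (DB_PASSWORD=) and the
              # mandated "secretRef:" form checked next, failing every template.
              if grep -iE "(your-.*-here|change-this|=(password|secret)[[:space:]]*$)" "$template"; then
                echo "❌ Template contains forbidden patterns: $template"
                exit 1
              fi
              # Every credential-bearing key must reference a secret, not carry one.
              if grep -E "(API_KEY|SECRET|PASSWORD|TOKEN|DSN)=" "$template" | grep -v "secretRef:"; then
                echo "❌ Template has non-secretRef secrets: $template"
                exit 1
              fi
              echo "✅ $template is valid"
            fi
          done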