agent-orchestrator/.github/workflows/security.yml

77 lines
2.1 KiB
YAML

name: Security
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
# Run weekly to catch new vulnerabilities
- cron: "0 8 * * 1"
workflow_dispatch: # Allow manual triggering
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
gitleaks:
name: Scan for Secrets
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history for comprehensive scan
- name: Install Gitleaks
run: |
GITLEAKS_VERSION=8.24.0
GITLEAKS_SHA256=cb49b7de5ee986510fe8666ca0273a6cc15eb82571f2f14832c9e8920751f3a4
curl -sSfL -o gitleaks.tar.gz "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
echo "${GITLEAKS_SHA256} gitleaks.tar.gz" | sha256sum -c -
sudo tar xzf gitleaks.tar.gz -C /usr/local/bin gitleaks
rm gitleaks.tar.gz
- name: Run Gitleaks
run: gitleaks detect --source . --config .gitleaks.toml --verbose --redact
dependency-review:
name: Dependency Review
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v4
with:
fail-on-severity: moderate
npm-audit:
name: NPM Audit
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup pnpm
uses: pnpm/action-setup@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: 20
cache: pnpm
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Run npm audit
run: pnpm audit --audit-level=moderate
continue-on-error: true # Don't fail build on vulnerabilities in deps
- name: Run pnpm audit (strict)
run: pnpm audit --prod --audit-level=high