Security Scan #8
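# Security Scan: lints every shell script in the tree with ShellCheck and
# greps the tree for credential-looking strings. Runs on pushes to main that
# touch a shell script or this workflow, weekly on a schedule, and on demand.
name: Security Scan

on:
  push:
    branches: [ main ]
    paths:
      - '**/*.sh'
      - '.github/workflows/security.yml'
  schedule:
    - cron: '0 9 * * 1' # Every Monday at 9 AM UTC
  workflow_dispatch:

# Read-only token: neither job writes to the repository.
permissions:
  contents: read

jobs:
  shellcheck:
    name: ShellCheck Security Analysis
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        # TODO(review): pin to a full-length commit SHA instead of the mutable v4 tag
        uses: actions/checkout@v4

      - name: Install ShellCheck
        run: |
          sudo apt-get update
          sudo apt-get install -y shellcheck

      - name: Run ShellCheck with security focus
        shell: bash
        run: |
          echo "🔒 Running security-focused ShellCheck analysis..."
          echo ""
          # Paths come from find NUL-delimited, so names containing whitespace
          # are not split into several words. The loop reads from a process
          # substitution rather than a pipe so FAILED survives past it.
          # Every script is analysed before the step fails, instead of
          # stopping at the first one that trips the step's errexit.
          FAILED=0
          while IFS= read -r -d '' script; do
            echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
            echo "Analyzing: $script"
            echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
            if ! shellcheck \
                 --severity=warning \
                 --shell=bash \
                 --format=gcc \
                 "$script"; then
              FAILED=1
            fi
            echo ""
          done < <(find . -name "*.sh" -type f -print0)
          if [ "$FAILED" -ne 0 ]; then
            echo "❌ ShellCheck reported findings; see the output above."
            exit 1
          fi
          echo "✅ Security analysis complete!"

  secrets:
    name: Secret Detection
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        # TODO(review): pin to a full-length commit SHA instead of the mutable v4 tag
        uses: actions/checkout@v4

      - name: Check for secrets in code
        shell: bash
        run: |
          echo "🔍 Checking for accidentally committed secrets..."
          SECRETS_FOUND=0
          # scan LABEL PATTERN: grep the tree for PATTERN and flag LABEL.
          # Only file names are reported (-l): printing the matching line
          # would copy the candidate secret itself into the workflow log.
          # .git, .github and Markdown files are skipped as in the original
          # checks; the pattern is passed with -e so it is never parsed as
          # an option.
          scan() {
            local label=$1 pattern=$2
            if grep -rl \
                 --exclude-dir=.git \
                 --exclude-dir=.github \
                 --exclude="*.md" \
                 -e "$pattern" .; then
              echo "⚠️ Found potential $label!"
              SECRETS_FOUND=1
            fi
          }
          scan "GitHub token" "GITHUB_TOKEN=[A-Za-z0-9_-]\{20,\}"
          scan "password" "password\s*=\s*['\"][A-Za-z0-9_-]\{8,\}['\"]"
          scan "API key" "api[_-]key\s*=\s*['\"][A-Za-z0-9_-]\{20,\}['\"]"
          if [ "$SECRETS_FOUND" -eq 0 ]; then
            echo "✅ No secrets detected"
          else
            echo "❌ Potential secrets found! Please review."
            exit 1
          fi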