feat(crg): add crg-grade and crg-badge justfile recipes #71
| # SPDX-License-Identifier: PMPL-1.0-or-later | |
| name: Svalin Static Analysis | |
| on: | |
| push: | |
| branches: [main, develop] | |
| pull_request: | |
| branches: [main] | |
| schedule: | |
| - cron: '0 0 * * 0' # Weekly on Sunday | |
| permissions: | |
| contents: read | |
| jobs: | |
| svalin-analysis: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| contents: read | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 | |
| - name: Setup Deno | |
| uses: denoland/setup-deno@e95548e56dfa95d4e1a28d6f422fafe75c4c26fb # v2 | |
| with: | |
| deno-version: v2.x | |
| - name: Run Svalin static analysis | |
| run: | | |
| # TODO: Install svalin when available | |
| # For now, use built-in tools | |
| echo "Static analysis placeholder" | |
| # Check for common security issues | |
| echo "::group::Security Pattern Check" | |
| # Check for eval usage | |
| if grep -r "eval(" extension/ --include="*.js"; then | |
| echo "::warning::Found eval() usage - potential security risk" | |
| fi | |
| # Check for innerHTML with variables | |
| if grep -r "innerHTML.*=.*\${" extension/ --include="*.js"; then | |
| echo "::warning::Found innerHTML with template literals - XSS risk" | |
| fi | |
| # Check for hardcoded secrets patterns | |
| if grep -rE "(password|secret|token|api[_-]?key)\s*=\s*['\"][^'\"]{8,}" extension/ --include="*.js"; then | |
| echo "::error::Potential hardcoded secrets found" | |
| exit 1 | |
| fi | |
| echo "::endgroup::" | |
| - name: Verify SPDX headers | |
| run: | | |
| echo "::group::SPDX Header Check" | |
| missing_headers=0 | |
| for file in $(find extension -name "*.js" -o -name "*.res" -o -name "*.html" -o -name "*.css"); do | |
| if ! head -5 "$file" | grep -q "SPDX-License-Identifier"; then | |
| echo "::warning::Missing SPDX header in $file" | |
| ((missing_headers++)) | |
| fi | |
| done | |
| if [ $missing_headers -gt 0 ]; then | |
| echo "::error::$missing_headers files missing SPDX headers" | |
| exit 1 | |
| fi | |
| echo "::endgroup::" | |
| - name: Check CSP compliance | |
| run: | | |
| echo "::group::CSP Validation" | |
| # Verify manifest CSP | |
| if ! grep -q "content_security_policy" extension/manifest.json; then | |
| echo "::error::Missing CSP in manifest.json" | |
| exit 1 | |
| fi | |
| # Check for inline scripts (should use CSP nonce) | |
| if grep -r "<script>" extension/ --include="*.html"; then | |
| echo "::warning::Found inline scripts - should use external files for CSP compliance" | |
| fi | |
| echo "::endgroup::" | |
| - name: Dependency audit | |
| run: | | |
| echo "::group::Dependency Security Audit" | |
| # Check for vulnerable patterns in dependencies | |
| if [ -f "package.json" ]; then | |
| echo "::error::Found package.json - should use Deno imports only" | |
| exit 1 | |
| fi | |
| if [ -f "package-lock.json" ] || [ -f "yarn.lock" ] || [ -f "pnpm-lock.yaml" ]; then | |
| echo "::error::Found npm/yarn/pnpm lockfiles - not allowed per RSR policy" | |
| exit 1 | |
| fi | |
| echo "::endgroup::" | |
| - name: Generate SARIF report | |
| if: always() | |
| run: | | |
| cat > svalin-results.sarif << 'EOF' | |
| { | |
| "version": "2.1.0", | |
| "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", | |
| "runs": [{ | |
| "tool": { | |
| "driver": { | |
| "name": "Svalin", | |
| "version": "0.1.0", | |
| "informationUri": "https://github.com/hyperpolymath/svalin" | |
| } | |
| }, | |
| "results": [] | |
| }] | |
| } | |
| EOF | |
| - name: Upload SARIF results | |
| if: always() | |
| uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v3 | |
| with: | |
| sarif_file: svalin-results.sarif | |
| category: svalin |
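Review bot: The SPDX header loop in the "Verify SPDX headers" step aborts on the first missing header because `((missing_headers++))` evaluates to 0 on the first increment and so returns a non-zero status, and the `run` step has no `shell:` override, so GitHub's default bash invocation with `-e` terminates the script there before the remaining files are checked and before the `::error::$missing_headers files missing SPDX headers` summary is printed; replace it with `missing_headers=$((missing_headers + 1))`. The "Generate SARIF report" step always writes a SARIF with `"results": []` and the `if: always()` upload publishes it under `category: svalin`, so Code Scanning will show this category as clean even when the grep checks in "Run Svalin static analysis" emitted `::error::` findings and failed the job; until the tool actually emits results, either drop the upload or mark the placeholder clearly with a comment such as `# NOTE: placeholder SARIF with no results — findings from the grep checks above are only in the job log` so readers do not treat the Code Scanning view as the source of truth. The hardcoded-secrets grep is limited to `--include="*.js"` while the SPDX check also covers `.res`, `.html` and `.css`; if those file types can carry configuration strings, the same include set should apply to the secrets pattern. The PR title refers to justfile recipes, whereas this section is a workflow file; any justfile changes are outside this view.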