Security Validation #1377
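# security.yml - Consolidated security scanning
# Last Updated: 2026-02-22
#
# Two independent jobs:
#   security-audit  - gosec (findings adjudicated against an allowlist),
#                     govulncheck, and the repo's custom security checks
#   secret-scanning - gitleaks on the PR commit range, or on the checked-out
#                     tree for push/schedule runs
#
# Both jobs grant only `contents: read` and reference no repository secrets,
# so a pull_request run has nothing to leak or write back.
name: Security Validation

on:
  pull_request:
    branches: [main, develop]
  push:
    branches: [main]
  schedule:
    # Weekly, Sunday 02:00 UTC.
    - cron: "0 2 * * 0"

# NOTE(review): the group is keyed on workflow + ref, so a newer push to main
# (or a scheduled run, whose ref is the default branch) cancels an in-flight
# scan of the previous main commit. Only the newest commit is guaranteed a
# completed scan; switch to `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`
# if every main commit must be scanned to completion.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    timeout-minutes: 35
    permissions:
      contents: read
    steps:
      # Pinned to a commit SHA rather than a mutable tag.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          fetch-depth: 0

      - name: Setup Go environment
        uses: ./.github/actions/setup-go-env

      - name: Validate CI policy
        run: go run ./test/ci/tool policy-validate test/ci/suites.yaml

      - name: CI preflight
        run: scripts/ci/preflight.sh

      - name: Install security tools
        # Exact module versions; `go install` resolves them through the Go
        # module proxy/checksum machinery (subject to GOFLAGS/GONOSUMDB in the
        # environment set up above). Bump these deliberately, not via @latest.
        run: |
          go install github.com/securego/gosec/v2/cmd/gosec@v2.22.4
          go install golang.org/x/vuln/cmd/govulncheck@v1.1.4

      - name: Run gosec (emit JSON for allowlist gate)
        # gosec exits non-zero when it reports findings. Those findings are
        # decided by the allowlist gate (the custom checks step below), so the
        # step's exit code is deliberately not the gate here.
        continue-on-error: true
        run: |
          mkdir -p outputs/ci/security-audit
          GOSEC_BIN="$(go env GOPATH)/bin/gosec"
          "${GOSEC_BIN}" -fmt=json -severity=medium -confidence=medium ./... > outputs/ci/security-audit/gosec.json

      - name: Verify gosec produced a report
        # continue-on-error above also masks a gosec crash, a failed install, or
        # a bad GOPATH, any of which leaves gosec.json empty or truncated. Fail
        # closed here so an absent report is never read downstream as
        # "no findings".
        run: |
          test -s outputs/ci/security-audit/gosec.json
          jq -e . outputs/ci/security-audit/gosec.json > /dev/null

      - name: Run govulncheck
        # Fails the job on known vulnerabilities reachable from this module
        # (queries the vulnerability database over the network). Invoked from
        # GOPATH/bin explicitly, like gosec above, rather than relying on PATH.
        run: |
          "$(go env GOPATH)/bin/govulncheck" ./...

      - name: Run custom security checks
        # CI_SECURITY_DIR is where gosec.json was written; the allowlist file
        # is presumably what scripts/ci/security-checks.sh uses to decide which
        # gosec findings are accepted (see that script for the exact policy).
        env:
          CI_SECURITY_DIR: outputs/ci/security-audit
          CI_SECURITY_ALLOWLIST_FILE: test/ci/security-allowlist.yaml
        run: scripts/ci/security-checks.sh

      - name: Summarize security lane
        if: always()
        env:
          CI_LANE: security-audit
          CI_STATUS: ${{ job.status }}
          CI_LOG_DIR: outputs/ci/security-audit
          CI_COVERAGE_FILE: "-"
          CI_REPORT_FILE: outputs/ci/security-audit/report.json
          CI_SUMMARY_FILE: outputs/ci/security-audit/summary.md
        run: scripts/ci/summary.sh

      - name: Bundle security artifacts
        # Best effort: the bundle is only created on the runner; nothing in this
        # workflow uploads it, so it is not retained after the job ends.
        if: always()
        run: |
          tar -czf outputs/ci/security-audit-artifacts.tgz -C outputs/ci security-audit || true
          ls -lh outputs/ci/security-audit-artifacts.tgz || true

      - name: Print security report
        # Echoes the report and the first 200 lines of gosec output into the
        # job log (log visibility follows the repository's visibility).
        if: always()
        run: |
          test -f outputs/ci/security-audit/report.json && cat outputs/ci/security-audit/report.json || true
          test -f outputs/ci/security-audit/gosec.json && head -200 outputs/ci/security-audit/gosec.json || true

  secret-scanning:
    name: Secret Scanning
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          # Full history so `origin/<base>..HEAD` resolves for the PR range scan.
          fetch-depth: 0

      - name: Install gitleaks
        # Pinned release, verified against a recorded SHA-256 before it is
        # placed on PATH. Bump GITLEAKS_VERSION and GITLEAKS_SHA256 together.
        run: |
          GITLEAKS_VERSION="8.24.3"
          GITLEAKS_SHA256="9991e0b2903da4c8f6122b5c3186448b927a5da4deef1fe45271c3793f4ee29c"
          ARCHIVE="/tmp/gitleaks.tar.gz"
          curl -sSfL -o "${ARCHIVE}" \
            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          # Two spaces between digest and path is the canonical sha256sum -c format.
          echo "${GITLEAKS_SHA256}  ${ARCHIVE}" | sha256sum -c -
          sudo tar -xzf "${ARCHIVE}" -C /usr/local/bin gitleaks
          rm -f "${ARCHIVE}"

      - name: Run gitleaks (PR diff only)
        if: github.event_name == 'pull_request'
        # The base branch name is passed through an env var instead of being
        # expanded by ${{ }} directly inside the shell script, so its value is
        # never interpreted as shell syntax. Scans only commits in the PR range.
        env:
          BASE_REF: ${{ github.base_ref }}
        run: gitleaks detect --source=. --redact --log-opts="origin/${BASE_REF}..HEAD"

      - name: Run gitleaks (full scan on push/schedule)
        if: github.event_name != 'pull_request'
        # --no-git scans the checked-out tree only: a secret already removed
        # from HEAD but still present in git history is not found by this run.
        run: gitleaks detect --source=. --redact --no-git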