Security Validation #1298
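---
# Security Validation workflow: static analysis (gosec), known-vulnerability
# scanning (govulncheck), repository-specific grep checks for insecure
# Vault/TLS patterns, and secret scanning (trufflehog).
name: Security Validation

# yamllint disable-line rule:truthy
on:
  pull_request:
    branches: [main, develop]
  push:
    branches: [main]
  schedule:
    # Run weekly security scan (Sundays at 2 AM UTC)
    - cron: '0 2 * * 0'

# Least privilege: the GITHUB_TOKEN handed to every job gets read access to
# the repository only. Jobs that need more opt in explicitly below.
permissions:
  contents: read

jobs:
  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    # Job-level permissions replace the workflow-level set entirely, so
    # `contents: read` must be restated here. `security-events: write` is
    # required by github/codeql-action/upload-sarif to publish results to
    # code scanning; without it the upload step fails on repositories whose
    # default token permissions are read-only.
    # NOTE(review): on pull_request events from forked repositories the token
    # is read-only regardless of this setting, so the SARIF upload may fail
    # there — confirm against the repository's fork policy.
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.25.3'
          cache: true

      # TODO(review): `@latest` resolves to whatever the module proxy serves at
      # run time, so both scanners are unpinned supply-chain inputs and a scan
      # is not reproducible across runs. Pin each to a release tag
      # (`@vX.Y.Z`) and bump deliberately.
      - name: Install security tools
        run: |
          go install github.com/securego/gosec/v2/cmd/gosec@latest
          go install golang.org/x/vuln/cmd/govulncheck@latest
          echo "✓ Security tools installed"

      # gosec exits non-zero when it reports findings. The step is allowed to
      # continue so the SARIF report is still uploaded to code scanning below,
      # where findings are triaged — which also means gosec findings alone do
      # not fail the build; govulncheck and the custom checks do.
      - name: Run gosec
        run: |
          echo "🔍 Running gosec security scanner..."
          gosec -fmt=sarif -out=gosec-results.sarif -severity=medium -confidence=medium ./...
        continue-on-error: true

      # Known vulnerabilities reachable from this module fail the job
      # (deliberately no continue-on-error here).
      - name: Run govulncheck
        run: |
          echo "🔍 Scanning for known vulnerabilities..."
          govulncheck ./...

      # Repository-specific grep checks. Each check pairs a pattern with an
      # allow-list (`grep -v`) of markers; any matched line carrying one of
      # those markers is dropped from the result, so keep the markers narrow
      # (a marker appearing anywhere on the line suppresses it). The `if`
      # tests the exit status of the final `grep -v`, which is 0 — i.e. a
      # failure is recorded — only when at least one unsuppressed line remains.
      # Vendored code is skipped; the InsecureSkipVerify check additionally
      # skips `*_test.go` files.
      - name: Custom Security Checks
        run: |
          echo "🔍 Running custom security checks..."
          ERRORS=0
          echo "  ├─ Checking VAULT_SKIP_VERIFY..."
          if grep -r "VAULT_SKIP_VERIFY.*1" --include="*.go" --exclude-dir=vendor . | grep -v "handleTLSValidationFailure\|Eos_ALLOW_INSECURE_VAULT\|# P0-2"; then
            echo "  │  ❌ VAULT_SKIP_VERIFY found"
            ERRORS=$((ERRORS + 1))
          else
            echo "  │  ✓ PASS"
          fi
          echo "  ├─ Checking InsecureSkipVerify..."
          if grep -r "InsecureSkipVerify.*true" --include="*.go" --exclude="*_test.go" --exclude-dir=vendor . | grep -v "TestConfig"; then
            echo "  │  ❌ InsecureSkipVerify found"
            ERRORS=$((ERRORS + 1))
          else
            echo "  │  ✓ PASS"
          fi
          echo "  ├─ Checking VAULT_TOKEN env var..."
          if grep -r 'fmt\.Sprintf.*VAULT_TOKEN.*%s' --include="*.go" --exclude-dir=vendor . | grep -v "VAULT_TOKEN_FILE\|# P0-1"; then
            echo "  │  ❌ VAULT_TOKEN env var found"
            ERRORS=$((ERRORS + 1))
          else
            echo "  │  ✓ PASS"
          fi
          echo "  └─ Custom checks complete"
          if [ $ERRORS -gt 0 ]; then
            echo "❌ Security validation FAILED"
            exit 1
          fi
          echo "✓ All checks passed"

      # Upload even when an earlier step failed so code scanning always
      # receives the gosec report produced above.
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: gosec-results.sarif

  secret-scanning:
    name: Secret Scanning
    runs-on: ubuntu-latest
    # Read-only is sufficient: the scanner only needs to clone the repository.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so trufflehog can walk the base..head commit range.
          fetch-depth: 0

      # TODO(review): `@main` is a mutable branch of a third-party action, so
      # whatever lands on that branch runs here with the repository checkout;
      # pin to a release tag or, preferably, a full commit SHA.
      # NOTE(review): on `push` to main, `base` (the default branch) and
      # `head` (HEAD) refer to the same commit; the trufflehog action is
      # documented to treat base == head as an error / empty scan — confirm
      # and, if so, give push events a separate configuration.
      - uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
          head: HEAD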