This repository was archived by the owner on Jul 6, 2025. It is now read-only.
Security Scanning #242
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Scanning | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main ] | |
| schedule: | |
| - cron: '0 0 * * *' # Daily at midnight | |
| workflow_dispatch: | |
| jobs: | |
| security-scan: | |
| name: Security Analysis | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| actions: read | |
| contents: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| # CodeQL Analysis | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: python, javascript, rust | |
| queries: security-extended,security-and-quality | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: "/language:python /language:javascript /language:rust" | |
| # Dependency Review | |
| - name: Dependency Review | |
| uses: actions/dependency-review-action@v4 | |
| if: github.event_name == 'pull_request' | |
| # Rust Security Audit | |
| - name: Run Rust Audit | |
| uses: actions-rs/audit-check@v1 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| # NPM Audit | |
| - name: Run npm audit | |
| run: | | |
| if [ -f package.json ]; then | |
| npm audit | |
| fi | |
| # Python dependency check | |
| - name: Run pip audit | |
| run: | | |
| if [ -f requirements.txt ]; then | |
| python -m pip install pip-audit | |
| pip-audit | |
| fi | |
| # SARIF upload | |
| - name: Upload SARIF file | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: results.sarif |