
Commit dd7a321

author
Symbiont OSS Sync
committed
bump for v0.3.1
1 parent 91c88a3 commit dd7a321


10 files changed

+672
-430
lines changed


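--- a/.github/workflows/security-check.yml
+++ b/.github/workflows/security-check.yml
@@ -5,50 +5,99 @@ on:
 branches: [ main ]
 pull_request:
 branches: [ main ]
-
-env:
-REGISTRY: ghcr.io
-IMAGE_NAME: thirdkeyai/symbi
+schedule:
+# Run daily at 2 AM UTC to catch new vulnerabilities
+- cron: '0 2 * * *'
 
 jobs:
-security-check:
+security-audit:
+name: Security Audit
 runs-on: ubuntu-latest
 permissions:
 contents: read
-packages: read
+security-events: write
 
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
 
-- name: Log in to Container Registry
-uses: docker/login-action@v3
+- name: Install Rust toolchain
+uses: dtolnay/rust-toolchain@stable
 with:
-registry: ${{ env.REGISTRY }}
-username: ${{ github.actor }}
-password: ${{ secrets.GITHUB_TOKEN }}
+components: clippy
 
-- name: Extract metadata
-id: meta
-uses: docker/metadata-action@v5
+- name: Cache Rust dependencies
+uses: actions/cache@v4
 with:
-images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-tags: |
-type=ref,event=branch
-type=ref,event=pr
-type=sha,prefix={{branch}}-
+path: |
+~/.cargo/bin/
+~/.cargo/registry/index/
+~/.cargo/registry/cache/
+~/.cargo/git/db/
+target/
+key: ${{ runner.os }}-cargo-security-${{ hashFiles('**/Cargo.lock') }}
+restore-keys: |
+${{ runner.os }}-cargo-security-
+${{ runner.os }}-cargo-
+
+- name: Install cargo-audit
+run: cargo install --force cargo-audit
+
+- name: Run cargo audit
+run: cargo audit --color=always
+continue-on-error: false
+
+- name: Run cargo clippy (security lints)
+run: |
+cargo clippy --all-targets --all-features -- \
+-W clippy::suspicious \
+-W clippy::complexity \
+-W clippy::perf \
+-W clippy::cargo \
+-D warnings
+continue-on-error: false
 
-- name: Run security check
+- name: Check for secret leaks
 run: |
-# Get the current commit SHA
-COMMIT_SHA=$(git rev-parse HEAD)
-
-# Try to pull and run the image with version check
-if docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${COMMIT_SHA} 2>/dev/null; then
-echo "Found existing image for commit ${COMMIT_SHA}"
-docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${COMMIT_SHA} --version
+echo "Checking for potential secret leaks..."
+# Check for common secret patterns
+if grep -r --include="*.rs" --include="*.toml" --include="*.yml" --include="*.yaml" \
+-E "(password|secret|key|token).*=.*['\"][^'\"]{10,}['\"]" .; then
+echo "❌ Potential secrets found in code!"
+exit 1
 else
-echo "Image not found for commit ${COMMIT_SHA}, building locally..."
-docker build -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${COMMIT_SHA} .
-docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${COMMIT_SHA} --version
-fi
+echo "✅ No obvious secrets found in code"
+fi
+
+- name: Validate environment variable usage
+run: |
+echo "Checking for direct environment variable access..."
+# Flag direct env::var usage that should use configuration management
+if grep -r --include="*.rs" "std::env::var\|env::var" . | grep -v "test\|example"; then
+echo "⚠️ Direct environment variable access found - consider using configuration management"
+else
+echo "✅ No direct environment variable access found"
+fi
+
+dependency-check:
+name: Dependency Vulnerability Check
+runs-on: ubuntu-latest
+permissions:
+contents: read
+security-events: write
+
+steps:
+- name: Checkout repository
+uses: actions/checkout@v4
+
+- name: Install Rust toolchain
+uses: dtolnay/rust-toolchain@stable
+
+- name: Run cargo deny
+uses: EmbarkStudios/cargo-deny-action@v1
+with:
+log-level: warn
+command: check
+arguments: --all-features
+command-arguments: --show-stats
+manifest-path: ./Cargo.toml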
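Review bot: The secret-leak grep at new lines 64–65 walks `.` after the cache restore and the clippy build have populated `target/`, so restored artifacts and build-script output are scanned alongside the checked-in source and can fail the job on strings that never reached the repository; add `--exclude-dir=target --exclude-dir=.git` to the `grep -r` invocation. The pattern also fires on any `*.toml` key whose name merely contains `key` (for example `keywords = [...]`) once a quoted value reaches ten characters, so expect false positives until it is anchored or replaced by a purpose-built scanner. Both jobs grant `security-events: write` but no step uploads SARIF, which leaves unused write scope on a workflow that also runs on `pull_request`; reduce it to `contents: read` only until an upload step exists. `cargo install --force cargo-audit` rebuilds an unpinned latest release from crates.io on every run, defeating the `~/.cargo/bin/` cache entry above it and widening the supply-chain surface; pin it (`cargo install cargo-audit --locked --version <x.y.z>`) and likewise pin the third-party actions to commit SHAs rather than `@v1`/`@stable` tags.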
