5
5
branches : [ main ]
6
6
pull_request :
7
7
branches : [ main ]
8
-
9
- env :
10
- REGISTRY : ghcr.io
11
- IMAGE_NAME : thirdkeyai/symbi
8
+ schedule :
9
+ # Run daily at 2 AM UTC to catch new vulnerabilities
10
+ - cron : ' 0 2 * * *'
12
11
13
12
jobs :
14
- security-check :
13
+ security-audit :
14
+ name : Security Audit
15
15
runs-on : ubuntu-latest
16
16
permissions :
17
17
contents : read
18
- packages : read
18
+ security-events : write
19
19
20
20
steps :
21
21
- name : Checkout repository
22
22
uses : actions/checkout@v4
23
23
24
- - name : Log in to Container Registry
25
- uses : docker/login-action@v3
24
+ - name : Install Rust toolchain
25
+ uses : dtolnay/rust-toolchain@stable
26
26
with :
27
- registry : ${{ env.REGISTRY }}
28
- username : ${{ github.actor }}
29
- password : ${{ secrets.GITHUB_TOKEN }}
27
+ components : clippy
30
28
31
- - name : Extract metadata
32
- id : meta
33
- uses : docker/metadata-action@v5
29
+ - name : Cache Rust dependencies
30
+ uses : actions/cache@v4
34
31
with :
35
- images : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
36
- tags : |
37
- type=ref,event=branch
38
- type=ref,event=pr
39
- type=sha,prefix={{branch}}-
32
+ path : |
33
+ ~/.cargo/bin/
34
+ ~/.cargo/registry/index/
35
+ ~/.cargo/registry/cache/
36
+ ~/.cargo/git/db/
37
+ target/
38
+ key : ${{ runner.os }}-cargo-security-${{ hashFiles('**/Cargo.lock') }}
39
+ restore-keys : |
40
+ ${{ runner.os }}-cargo-security-
41
+ ${{ runner.os }}-cargo-
42
+
43
+ - name : Install cargo-audit
44
+ run : cargo install --force cargo-audit
45
+
46
+ - name : Run cargo audit
47
+ run : cargo audit --color=always
48
+ continue-on-error : false
49
+
50
+ - name : Run cargo clippy (security lints)
51
+ run : |
52
+ cargo clippy --all-targets --all-features -- \
53
+ -W clippy::suspicious \
54
+ -W clippy::complexity \
55
+ -W clippy::perf \
56
+ -W clippy::cargo \
57
+ -D warnings
58
+ continue-on-error : false
40
59
41
- - name : Run security check
60
+ - name : Check for secret leaks
42
61
run : |
43
- # Get the current commit SHA
44
- COMMIT_SHA=$(git rev-parse HEAD)
45
-
46
- # Try to pull and run the image with version check
47
- if docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${COMMIT_SHA} 2>/dev/null; then
48
- echo "Found existing image for commit ${COMMIT_SHA}"
49
- docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${COMMIT_SHA} --version
62
+ echo "Checking for potential secret leaks..."
63
+ # Check for common secret patterns
64
+ if grep -r --include="*.rs" --include="*.toml" --include="*.yml" --include="*.yaml" \
65
+ -E "(password|secret|key|token).*=.*['\"][^'\"]{10,}['\"]" .; then
66
+ echo "❌ Potential secrets found in code!"
67
+ exit 1
50
68
else
51
- echo "Image not found for commit ${COMMIT_SHA}, building locally..."
52
- docker build -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${COMMIT_SHA} .
53
- docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${COMMIT_SHA} --version
54
- fi
69
+ echo "✅ No obvious secrets found in code"
70
+ fi
71
+
72
+ - name : Validate environment variable usage
73
+ run : |
74
+ echo "Checking for direct environment variable access..."
75
+ # Flag direct env::var usage that should use configuration management
76
+ if grep -r --include="*.rs" "std::env::var\|env::var" . | grep -v "test\|example"; then
77
+ echo "⚠️ Direct environment variable access found - consider using configuration management"
78
+ else
79
+ echo "✅ No direct environment variable access found"
80
+ fi
81
+
82
+ dependency-check :
83
+ name : Dependency Vulnerability Check
84
+ runs-on : ubuntu-latest
85
+ permissions :
86
+ contents : read
87
+ security-events : write
88
+
89
+ steps :
90
+ - name : Checkout repository
91
+ uses : actions/checkout@v4
92
+
93
+ - name : Install Rust toolchain
94
+ uses : dtolnay/rust-toolchain@stable
95
+
96
+ - name : Run cargo deny
97
+ uses : EmbarkStudios/cargo-deny-action@v1
98
+ with :
99
+ log-level : warn
100
+ command : check
101
+ arguments : --all-features
102
+ command-arguments : --show-stats
103
+ manifest-path : ./Cargo.toml