docs: SchemaStore PR merged β drop staging dir, point $schema at canoβ¦ #783
| name: π Security Analysis | |
| on: | |
| push: | |
| branches: ["main"] | |
| pull_request: | |
| branches: ["main"] | |
| schedule: | |
| # Run security scan every day at 6:00 AM UTC | |
| - cron: "0 6 * * *" | |
| workflow_dispatch: | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| issues: write | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| GO_VERSION: "1.26.1" | |
| jobs: | |
| # =================================== | |
| # Static Analysis Security Testing | |
| # =================================== | |
| sast: | |
| name: π Static Analysis | |
| uses: ./.github/workflows/_reusable-security-scan.yml | |
| with: | |
| go-version: "1.26.1" | |
| upload-sarif: true | |
| run-vulncheck: false | |
| # =================================== | |
| # Vulnerability Scanning | |
| # =================================== | |
| vulnerability-scan: | |
| name: π‘οΈ Vulnerability Scan | |
| uses: ./.github/workflows/_reusable-security-scan.yml | |
| with: | |
| go-version: "1.26.1" | |
| upload-sarif: false | |
| run-vulncheck: true | |
| # =================================== | |
| # License Compliance Check | |
| # =================================== | |
| license-check: | |
| name: π License Compliance | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - name: π Checkout code | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: πΉ Set up Go | |
| uses: actions/setup-go@v6 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache: true | |
| - name: π₯ Download dependencies | |
| run: go mod download | |
| - name: π Install go-licenses | |
| run: go install github.com/google/go-licenses@latest | |
| - name: π Check license compliance | |
| id: license-check | |
| run: | | |
| echo "π Checking license compliance..." | |
| # Create licenses directory | |
| mkdir -p licenses | |
| # Generate license report | |
| { | |
| echo "## π License Compliance Report" | |
| echo "" | |
| echo "**Generated:** $(date -u '+%Y-%m-%d %H:%M:%S UTC')" | |
| echo "" | |
| } > licenses/report.md | |
| # Check for forbidden licenses (variable defined for future use) | |
| # FORBIDDEN_LICENSES="GPL-2.0,GPL-3.0,AGPL-1.0,AGPL-3.0" | |
| if go-licenses check ./...; then | |
| echo "result=compliant" >> "$GITHUB_OUTPUT" | |
| { | |
| echo "### β License Compliance" | |
| echo "All dependencies use compatible licenses." | |
| } >> licenses/report.md | |
| else | |
| echo "result=issues_found" >> "$GITHUB_OUTPUT" | |
| { | |
| echo "### β οΈ License Issues Found" | |
| echo "Some dependencies may have licensing issues. Review required." | |
| } >> licenses/report.md | |
| fi | |
| { | |
| echo "" | |
| echo "### π Dependency Licenses" | |
| echo "" | |
| } >> licenses/report.md | |
| # List all licenses | |
| go-licenses report ./... >> licenses/report.md 2>/dev/null || echo "Unable to generate detailed license report" >> licenses/report.md | |
| - name: π€ Upload license compliance results | |
| uses: actions/upload-artifact@v7 | |
| with: | |
| name: license-compliance-results | |
| path: licenses/ | |
| retention-days: 30 | |
| # =================================== | |
| # Secrets Detection | |
| # =================================== | |
| secrets-detection: | |
| name: π Secrets Detection | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - name: π Checkout code | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: π Run TruffleHog secrets detection | |
| uses: trufflesecurity/trufflehog@main | |
| with: | |
| base: main | |
| path: ./ | |
| extra_args: --results=verified,unknown | |
| # =================================== | |
| # Container Security Scanning | |
| # =================================== | |
| container-security: | |
| name: π³ Container Security | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' | |
| strategy: | |
| matrix: | |
| os: [alpine, ubuntu-jammy] | |
| steps: | |
| - name: π Checkout code | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: π³ Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v4 | |
| - name: π¨ Build container image | |
| uses: docker/build-push-action@v7 | |
| with: | |
| context: . | |
| file: build/deploy/${{ matrix.os }}/Dockerfile | |
| tags: yap-${{ matrix.os }}:security-scan | |
| load: true | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| # =================================== | |
| # Security Summary Report | |
| # =================================== | |
| security-summary: | |
| name: π Security Summary | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| needs: [sast, vulnerability-scan, license-check, secrets-detection] | |
| if: always() | |
| steps: | |
| - name: π₯ Download security artifacts | |
| uses: actions/download-artifact@v8 | |
| with: | |
| pattern: "*-results" | |
| merge-multiple: true | |
| - name: π Generate security summary | |
| run: | | |
| { | |
| echo "## π Security Analysis Summary" | |
| echo "" | |
| echo "**Analysis Date:** $(date -u '+%Y-%m-%d %H:%M:%S UTC')" | |
| echo "**Trigger:** ${{ github.event_name }}" | |
| echo "" | |
| echo "### π Security Checks" | |
| echo "| Check | Status | Details |" | |
| echo "|-------|--------|---------|" | |
| echo "| π Static Analysis | ${{ needs.sast.result }} | Gosec security scanner |" | |
| echo "| π‘οΈ Vulnerability Scan | ${{ needs.vulnerability-scan.result }} | Go vulnerability database |" | |
| echo "| π License Compliance | ${{ needs.license-check.result }} | Dependency license check |" | |
| echo "| π Secrets Detection | ${{ needs.secrets-detection.result }} | TruffleHog scan |" | |
| echo "" | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| # Overall security status | |
| if [[ "${{ needs.sast.result }}" == "success" && \ | |
| "${{ needs.vulnerability-scan.result }}" == "success" && \ | |
| "${{ needs.license-check.result }}" == "success" && \ | |
| "${{ needs.secrets-detection.result }}" == "success" ]]; then | |
| { | |
| echo "### β Overall Security Status: PASS" | |
| echo "All security checks completed successfully." | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| else | |
| { | |
| echo "### β οΈ Overall Security Status: REVIEW REQUIRED" | |
| echo "Some security checks require attention. Please review the failed checks above." | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| fi | |
| { | |
| echo "" | |
| echo "### π Security Resources" | |
| echo "- [Security Policy](https://github.com/${{ github.repository }}/security/policy)" | |
| echo "- [Security Advisories](https://github.com/${{ github.repository }}/security/advisories)" | |
| echo "- [Dependency Graph](https://github.com/${{ github.repository }}/network/dependencies)" | |
| echo "- [Go Vulnerability Database](https://vuln.go.dev/)" | |
| } >> "$GITHUB_STEP_SUMMARY" |
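Review bot: The secrets-detection job runs `trufflesecurity/trufflehog@main`, a mutable branch ref, while every other action in this workflow is pinned to a release tag; a scanner that executes on every push and pull request should be pinned at least to a tag and preferably to a full commit SHA with a version comment, e.g. `uses: trufflesecurity/trufflehog@<pinned-tag-or-commit-sha>`. The same reproducibility concern applies to `go install github.com/google/go-licenses@latest` in license-check, where the compliance verdict can change between runs without any change to the repository. The license gate also never gates: a failing `go-licenses check ./...` only writes `result=issues_found` to `$GITHUB_OUTPUT` and the step exits 0, so `needs.license-check.result` is `success` either way and the summary's PASS branch cannot see it — add `exit 1` after the report lines in the `else` branch, or have security-summary read the step output instead of the job result. The container-security job builds `yap-${{ matrix.os }}:security-scan` with `load: true` but contains no scan step afterwards and is absent from the summary's `needs`, so as written it produces no findings and its name overstates what it does.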