-
Notifications
You must be signed in to change notification settings - Fork 0
126 lines (105 loc) · 3.91 KB
/
security-gate.yml
File metadata and controls
126 lines (105 loc) · 3.91 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
name: Security Gate
# This workflow acts as a required check that aggregates all security scan results.
# Configure this as a required status check for branch protection.
on:
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
workflow_dispatch:
permissions:
contents: read
security-events: write
jobs:
security-lint:
name: Security Lint & Configuration Check
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Check for hardcoded secrets in config files
run: |
echo "=== Scanning for potential hardcoded secrets ==="
FOUND=0
# Check appsettings files for non-empty passwords/keys
for file in $(find . -name "appsettings*.json" -not -path "*/bin/*" -not -path "*/obj/*"); do
echo "Checking $file..."
# Check for non-empty password fields
if grep -Pi '"(password|secret|apikey|api_key|token)":\s*"[^"]{8,}"' "$file"; then
echo "::error file=$file::Potential hardcoded secret found in $file"
FOUND=1
fi
# Check for connection strings with inline passwords
if grep -Pi 'Password=[^;]{6,}' "$file"; then
echo "::error file=$file::Potential hardcoded database password in $file"
FOUND=1
fi
done
if [ $FOUND -eq 1 ]; then
echo ""
echo "::error::Hardcoded secrets detected! Move secrets to environment variables or user-secrets."
exit 1
else
echo "No hardcoded secrets found."
fi
- name: Check .gitignore completeness
run: |
echo "=== Checking .gitignore ==="
MISSING=0
REQUIRED_PATTERNS=(
"appsettings.Production.json"
"*.pfx"
"*.key"
".env"
)
for pattern in "${REQUIRED_PATTERNS[@]}"; do
if ! grep -qF "$pattern" .gitignore; then
echo "::warning::Missing .gitignore entry: $pattern"
MISSING=1
fi
done
# Check for dangerous negation rules that expose secret files
if grep -q '!.*appsettings.*\.json' .gitignore; then
echo "::error::Dangerous .gitignore negation rule found that may expose config files with secrets"
exit 1
fi
if [ $MISSING -eq 1 ]; then
echo "::warning::Some recommended .gitignore patterns are missing"
else
echo ".gitignore looks good."
fi
- name: Verify SECURITY.md exists
run: |
if [ ! -f "SECURITY.md" ]; then
echo "::warning::SECURITY.md not found. Consider adding a security policy."
else
echo "SECURITY.md found."
fi
build-and-test:
name: Build Verification
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup .NET
uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
with:
dotnet-version: 8.0.x
- name: Cache NuGet packages
uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
with:
path: ~/.nuget/packages
key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
restore-keys: ${{ runner.os }}-nuget-
- name: Restore
run: dotnet restore CompanyManagementSystem.sln
- name: Build
run: dotnet build CompanyManagementSystem.sln --configuration Release --no-restore
- name: Run tests
run: |
dotnet test Tests/Tests.csproj \
--configuration Release \
--no-build \
--verbosity normal \
--logger "trx;LogFileName=test-results.trx"