feat: add logic for audit logging implementation per ticket #499 #196
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PR Security Check - Go Vulnerabilities Scan | |
| on: | |
| pull_request: | |
| paths: | |
| - "backend/**" | |
| - "backend/go.mod" | |
| - "backend/go.sum" | |
| - "provider-middleware/**" | |
| - "provider-middleware/go.mod" | |
| - "provider-middleware/go.sum" | |
| - ".github/workflows/security-go.yml" | |
| permissions: | |
| contents: read | |
| actions: read | |
| jobs: | |
| govulncheck: | |
| name: Scan Go Dependencies for Vulnerabilities | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: "1.25.4" | |
| cache: true | |
| cache-dependency-path: | | |
| backend/go.mod | |
| provider-middleware/go.mod | |
| - name: Install govulncheck | |
| run: | | |
| go install golang.org/x/vuln/cmd/govulncheck@latest | |
| echo "$(go env GOPATH)/bin" >> $GITHUB_PATH | |
| - name: Run vulnerability scan | |
| id: vuln-scan | |
| timeout-minutes: 5 | |
| run: | | |
| echo "Running govulncheck on both Go modules..." | |
| backend_vuln=false | |
| middleware_vuln=false | |
| echo "Scanning backend module..." | |
| cd backend | |
| if govulncheck ./... > ../backend_vuln_output.txt 2>&1; then | |
| echo "No vulnerabilities found in backend" | |
| else | |
| backend_vuln=true | |
| echo "Vulnerabilities found in backend" | |
| fi | |
| cd .. | |
| echo "Scanning provider-middleware module..." | |
| cd provider-middleware | |
| if govulncheck ./... > ../middleware_vuln_output.txt 2>&1; then | |
| echo "No vulnerabilities found in provider-middleware" | |
| else | |
| middleware_vuln=true | |
| echo "Vulnerabilities found in provider-middleware" | |
| fi | |
| cd .. | |
| if [ "$backend_vuln" = true ] || [ "$middleware_vuln" = true ]; then | |
| echo "vulnerabilities_found=true" >> $GITHUB_OUTPUT | |
| echo "Security vulnerabilities detected - this PR cannot be merged" | |
| exit 1 | |
| else | |
| echo "vulnerabilities_found=false" >> $GITHUB_OUTPUT | |
| echo "No vulnerabilities found in any Go modules" | |
| fi | |
| - name: Send Slack notification | |
| if: failure() && steps.vuln-scan.outputs.vulnerabilities_found == 'true' | |
| run: | | |
| # Collect vulnerability output from both modules | |
| BACKEND_VULN=$(cat backend_vuln_output.txt 2>/dev/null || echo "No backend vulnerabilities output") | |
| MIDDLEWARE_VULN=$(cat middleware_vuln_output.txt 2>/dev/null || echo "No provider-middleware vulnerabilities output") | |
| VULN_OUTPUT=$(printf "=== BACKEND VULNERABILITIES ===\n%s\n\n=== PROVIDER-MIDDLEWARE VULNERABILITIES ===\n%s" "$BACKEND_VULN" "$MIDDLEWARE_VULN") | |
| VULN_ESCAPED=$(echo "$VULN_OUTPUT" | sed 's/\\/\\\\/g; s/"/\\"/g; s/$/\\n/' | tr -d '\n' | head -c 2000) | |
| if [ ${#VULN_OUTPUT} -gt 2000 ]; then | |
| VULN_ESCAPED="$VULN_ESCAPED... (truncated, see full output in workflow logs)" | |
| fi | |
| SLACK_MESSAGE=$(cat <<EOF | |
| 🚨 *SECURITY VULNERABILITIES DETECTED* 🚨 | |
| Repository: ${{ github.repository }} | |
| PR: #${{ github.event.pull_request.number }} - ${{ github.event.pull_request.title }} | |
| Author: ${{ github.event.pull_request.user.login }} | |
| Branch: ${{ github.event.pull_request.head.ref }} | |
| This PR contains Go security vulnerabilities and has been blocked from merging until fixed. | |
| *Vulnerability Details:* | |
| $VULN_ESCAPED | |
| 🔧 *Actions needed:* | |
| 1. Update affected dependencies: \`go get -u <package>@<safe-version>\` | |
| 2. Push updates to the PR | |
| *PR Link:* ${{ github.event.pull_request.html_url }} | |
| EOF | |
| ) | |
| if ! curl -X POST -H 'Content-type: application/json' \ | |
| --max-time 10 \ | |
| --silent \ | |
| --fail \ | |
| --data "{\"channel\":\"#unlockedv2-alerts\",\"username\":\"Security Bot\",\"icon_emoji\":\":warning:\",\"text\":\"$SLACK_MESSAGE\"}" \ | |
| "${{ secrets.SLACK_WEBHOOK_URL }}"; then | |
| echo "Warning: Failed to send Slack notification" | |
| else | |
| echo "Slack notification sent successfully to #unlockedv2-alerts" | |
| fi | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
| - name: Security check summary | |
| if: always() | |
| run: | | |
| if [ "${{ steps.vuln-scan.outputs.vulnerabilities_found }}" == 'true' ]; then | |
| echo "" | |
| echo "SECURITY CHECK FAILED" | |
| echo "This PR CANNOT be merged due to security vulnerabilities." | |
| echo "" | |
| echo "To fix these vulnerabilities:" | |
| echo " For backend module:" | |
| echo " 1. cd backend" | |
| echo " 2. go get -u <package>@<safe-version>" | |
| echo " 3. Push updates to your PR" | |
| echo "" | |
| echo " For provider-middleware module:" | |
| echo " 1. cd provider-middleware" | |
| echo " 2. go get -u <package>@<safe-version>" | |
| echo " 3. Push updates to your PR" | |
| echo "" | |
| echo "Slack notification sent to #unlockedv2-alerts" | |
| echo "" | |
| else | |
| echo "SECURITY CHECK PASSED - No vulnerabilities found in any Go modules" | |
| fi |