fix: removed unused method #98
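name: Security Scan

on:
  pull_request:
  merge_group:
    branches:
      - main

# Least privilege: every step here only reads the checkout. Nothing in this
# workflow pushes, comments, or uploads to the code-scanning API, so the
# default (potentially write) token permissions are not needed.
permissions:
  contents: read

jobs:
  security-scan:
    runs-on: ubuntu-latest
    name: Security Scanning
    env:
      GITLEAKS_VERSION: "8.28.0" # pin gitleaks version
      # gitleaks auto-detects a .gitleaks.toml at the source root on its own.
      # With GITLEAKS_CONFIG set explicitly, a missing file is treated as an
      # error rather than falling back to the built-in rules -- confirm the
      # file is committed before relying on this.
      GITLEAKS_CONFIG: ".gitleaks.toml"
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Full history: the TruffleHog scan and the gitleaks commit-range
          # scan below need every commit, not just the merge commit.
          fetch-depth: 0

      - name: TruffleHog OSS Secret Scanning
        # NOTE(review): @main is a mutable ref, so the scanner that runs on
        # every PR can change (or be replaced) without any change to this
        # repo. Pin to a release tag, or better a full-length commit SHA.
        uses: trufflesecurity/trufflehog@main
        with:
          # Scan the entire repository
          path: ./
          # Only show verified secrets and unknown (high confidence)
          extra_args: --results=verified,unknown

      - name: Setup Python for detect-secrets
        uses: actions/setup-python@v5
        with:
          python-version: '3.x'

      - name: Install detect-secrets
        # TODO(review): pin a version (pip install 'detect-secrets==X.Y.Z')
        # so the scanner is reproducible instead of whatever PyPI serves today.
        run: |
          pip install detect-secrets

      - name: Run detect-secrets scan
        run: |
          set -euo pipefail
          if [ -f .secrets.baseline ]; then
            echo "Running detect-secrets against baseline..."
            # `detect-secrets scan --baseline FILE` only merges new findings
            # into the baseline and exits 0, so it can never block a PR. The
            # pre-commit entry point is the one that exits non-zero when it
            # finds a secret that is not already recorded in the baseline.
            git ls-files -z | xargs -0 detect-secrets-hook --baseline .secrets.baseline
          else
            echo "No baseline found, creating one..."
            # A fresh baseline is produced by redirecting `scan` output;
            # `--baseline` expects an existing file.
            detect-secrets scan > .secrets.baseline
            # The baseline file is never empty (it always carries the plugin
            # list and version), so test the `results` map rather than the
            # file size. Fail if anything was found: the baseline should be
            # audited and committed, not generated silently in CI.
            if [ "$(python3 -c 'import json; print(len(json.load(open(".secrets.baseline"))["results"]))')" != "0" ]; then
              echo "❌ New secrets detected! Please review and commit updated baseline."
              exit 1
            fi
          fi

      - name: Custom Secret Patterns Check
        run: |
          set -euo pipefail
          echo "🔍 Checking for additional secret patterns..."
          # Check for AWS keys. `-l` lists only the offending files: printing
          # the matching line would copy the credential itself into the job
          # log, which is readable by anyone who can see the run.
          if grep -r -l -I -E "AKIA[0-9A-Z]{16}" . --exclude-dir=.git --exclude-dir=node_modules || \
             grep -r -l -I -E "[0-9a-zA-Z/+]{40}" . --exclude-dir=.git --exclude-dir=node_modules --include="*.env*"; then
            echo "❌ AWS credentials found!"
            exit 1
          fi
          # Check for JWT tokens in code (not test files). NUL-delimited so
          # paths with spaces survive xargs; `-l` again keeps token values out
          # of the log. Any path containing "test" or "spec" is skipped, as
          # before (this is a substring match, so e.g. "latest/" is skipped too).
          if find . \( -name .git -o -name node_modules \) -prune -o \
               \( -name "*.js" -o -name "*.ts" -o -name "*.py" -o -name "*.go" -o -name "*.rs" \) -print0 \
             | grep -z -v -e test -e spec \
             | xargs -0 -r grep -l "eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*" 2>/dev/null; then
            echo "❌ JWT tokens found in source code!"
            exit 1
          fi
          # Check .env files that might be accidentally committed.
          # `-name "*.env"` only matches names that END in ".env" (.env,
          # prod.env); the usual offenders are .env.local / .env.production,
          # so match those as well and whitelist the documented
          # example/sample/template variants.
          env_files=$(find . \( -name .git -o -name node_modules \) -prune -o \
                        \( -name ".env" -o -name ".env.*" -o -name "*.env" \) \
                        -not -name "*.example" -not -name "*.sample" -not -name "*.template" -print)
          if [ -n "$env_files" ]; then
            echo "❌ .env files found in repository!"
            echo "These files should be in .gitignore:"
            echo "$env_files"
            exit 1
          fi
          echo "✅ Custom secret checks passed!"

      # ---- Gitleaks CLI pinned by GITLEAKS_VERSION (no SARIF) ----
      - name: Download Gitleaks (linux_x64) + verify checksum
        run: |
          set -euo pipefail
          TAR="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          BASE="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}"
          echo "Downloading $TAR..."
          # -f: an HTTP error body must never be saved as if it were the archive.
          curl -fsSL --retry 3 "${BASE}/${TAR}" -o "$TAR"
          curl -fsSL --retry 3 "${BASE}/gitleaks_${GITLEAKS_VERSION}_checksums.txt" -o checksums.txt
          # sha256sum -c fails on a mismatch and, through pipefail, when the
          # archive has no entry in the checksum file at all.
          # NOTE: the checksum file is served by the same release as the
          # archive, so this guards against a corrupt or truncated download,
          # not against a tampered release.
          grep -E " ${TAR}$" checksums.txt | sha256sum -c -
          tar -xzf "$TAR" gitleaks
          chmod +x gitleaks
          ./gitleaks version

      # PRs: scan exactly the commits the PR adds on top of its base (blocking)
      - name: Run Gitleaks on PR commits (blocking)
        if: ${{ github.event_name == 'pull_request' }}
        env:
          # Passed through the environment instead of being interpolated into
          # the script text: a ref name is an untrusted string to the shell.
          BASE_REF: ${{ github.base_ref }}
        run: |
          set -euo pipefail
          # Ensure the base branch tip is available locally
          git fetch --no-tags --prune origin "+refs/heads/${BASE_REF}:refs/remotes/origin/${BASE_REF}"
          # Not `protect --staged`: that diffs the index against HEAD, and on a
          # clean checkout `git add` of already-committed files stages nothing,
          # so it would scan an empty diff. Scanning the commit range covers the
          # changes this PR introduces; gitleaks exits non-zero on a finding.
          ./gitleaks detect --source . --log-opts="origin/${BASE_REF}..HEAD" --no-banner --redact

      # Non-PR runs (e.g., merge_group/push): full scan, do not fail the job
      - name: Run Gitleaks full scan (non-blocking)
        if: ${{ github.event_name != 'pull_request' }}
        run: |
          # `|| true`: findings on the merge queue are logged but never block;
          # the PR step above is the gate.
          ./gitleaks detect \
            --source . \
            --no-banner \
            --redact || true

  # Optional: Add Semgrep for additional security analysis
  semgrep:
    runs-on: ubuntu-latest
    name: Semgrep Security Analysis
    # Dependabot-triggered runs presumably do not receive repository secrets,
    # so SEMGREP_APP_TOKEN would be empty there -- verify if this is relaxed.
    if: github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Run Semgrep
        # NOTE(review): returntocorp/semgrep-action is the legacy action;
        # current Semgrep docs run `semgrep ci` from the official container
        # instead. Check before relying on this for new rule features.
        uses: returntocorp/semgrep-action@v1
        with:
          # Run security-focused rules
          config: >-
            p/security-audit
            p/secrets
            p/owasp-top-ten
        env:
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
          # If you don't have Semgrep token, it will run in offline mode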