security.yml

name: Security Monitoring

# Minimal permissions for security scanning
permissions:
  contents: read         # Read repository contents
  actions: read         # Read workflow details
  security-events: write # Write security scan results (for CodeQL if added)

on:
  schedule:
    # Run daily security scans at 2 AM UTC
    - cron: '0 2 * * *'
  workflow_dispatch:
    # Allow manual triggering
  push:
    branches: [ main ]
    paths:
      - 'package*.json'
      - '.github/workflows/security.yml'

jobs:
  security-audit:
    name: Comprehensive Security Audit
    runs-on: ubuntu-latest
    timeout-minutes: 20
    
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
      
    - name: Setup Node.js
      uses: actions/setup-node@v4
      with:
        node-version: '18.x'
        cache: 'npm'
        
    - name: Install dependencies
      run: npm ci
      
    - name: Run npm audit (detailed)
      run: |
        echo "🔍 Running detailed npm audit..."
        npm audit --audit-level=info || true
        npm audit --json > audit-results.json || true
        
    - name: Check for known vulnerabilities
      run: |
        echo "🛡️ Checking for known vulnerabilities..."
        
        # Check if any high/critical vulnerabilities exist
        if npm audit --audit-level=high --json | jq -e '.vulnerabilities | length > 0' > /dev/null 2>&1; then
          echo "❌ High/Critical vulnerabilities found!"
          npm audit --audit-level=high
          exit 1
        else
          echo "✅ No high/critical vulnerabilities found"
        fi

  license-compliance:
    name: License Compliance
    runs-on: ubuntu-latest
    
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
      
    - name: Setup Node.js
      uses: actions/setup-node@v4
      with:
        node-version: '18.x'
        cache: 'npm'
        
    - name: Install dependencies
      run: npm ci
      
    - name: Install license checker
      run: npm install -g license-checker
      
    - name: Check licenses
      run: |
        echo "📜 Checking dependency licenses..."
        
        # Generate license report
        license-checker --summary --onlyAllow 'MIT;Apache-2.0;BSD-3-Clause;BSD-2-Clause;ISC;0BSD;CC0-1.0' || true
        
        # Generate detailed license report
        license-checker --json > licenses.json
        
        echo "✅ License compliance check completed"
        
    - name: Upload secret detection results
      uses: actions/upload-artifact@v4
      with:
        name: secret-detection-report
        path: trufflehog-results.json
        retention-days: 90

  secrets-scan:
    name: Secrets Detection
    runs-on: ubuntu-latest
    
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
      
    - name: Run TruffleHog secrets scan
      uses: trufflesecurity/trufflehog@main
      with:
        path: ./
        extra_args: --debug --only-verified --no-update
      continue-on-error: true
        
    - name: Custom secrets patterns
      run: |
        echo "Scanning for government-specific sensitive patterns..."
        
        # Government-specific patterns
        patterns=(
          "-----BEGIN (RSA |DSA |EC |OPENSSH |PGP )?PRIVATE KEY-----"
          "(aws_access_key_id|aws_secret_access_key)"
          "AKIA[0-9A-Z]{16}"
          "sk-[a-zA-Z0-9]{48}"
          "(?i)(bearer\s+[a-z0-9\-._~+/]+)"
          "(?i)(api[_-]?key|secret|password|token|credential)[\s]*[:=][\s]*['\"][^'\"]+['\"]"
        )
        
        found_issues=false
        
        for pattern in "${patterns[@]}"; do
          if grep -r -E "$pattern" --include="*.js" --include="*.ts" --include="*.json" --exclude-dir=node_modules --exclude-dir=.git . 2>/dev/null; then
            echo "Potential secret found matching pattern: $pattern"
            found_issues=true
          fi
        done
        
        if [ "$found_issues" = true ]; then
          echo "Potential secrets detected! Please review and remediate."
          exit 1
        else
          echo "No obvious secrets detected"
        fi

  dependency-graph:
    name: Dependency Analysis
    runs-on: ubuntu-latest
    
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
      
    - name: Setup Node.js
      uses: actions/setup-node@v4
      with:
        node-version: '18.x'
        cache: 'npm'
        
    - name: Install dependencies
      run: npm ci
      
    - name: Generate dependency tree
      run: |
        echo "🌳 Generating dependency analysis..."
        
        # Create dependency tree
        npm list --all --json > dependency-tree.json || true
        
        # Check for outdated packages
        npm outdated --json > outdated-packages.json || true
        
        # Check for unused dependencies
        npx depcheck --json > unused-dependencies.json || true
        
        echo "📊 Dependency analysis completed"
        
    - name: Upload code quality reports
      uses: actions/upload-artifact@v4
      with:
        name: code-quality-report
        path: |
          eslint-results.json
          security-analysis.json
        retention-days: 90

  guarddog-scan:
    name: GuardDog Supply Chain Security
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
      
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
        python-version: '3.11'
        
    - name: Install GuardDog
      run: |
        pip install guarddog
        
    - name: Run GuardDog scan
      run: |
        echo "🐕 Running GuardDog supply chain security scan..."
        guarddog npm scan package.json --output-format json --output-file guarddog-results.json || true
        
    - name: Display GuardDog results
      if: always()
      run: |
        echo "📊 GuardDog Scan Results:"
        if [ -f guarddog-results.json ]; then
          cat guarddog-results.json | jq '.' || cat guarddog-results.json
        else
          echo "No results file generated"
        fi
        
    - name: Check for high-severity issues
      run: |
        echo "🔍 Checking for high-severity supply chain threats..."
        
        if [ -f guarddog-results.json ]; then
          # Check if any high/critical severity issues exist
          high_severity=$(cat guarddog-results.json | jq '[.[] | select(.severity == "high" or .severity == "critical")] | length' 2>/dev/null || echo "0")
          
          if [ "$high_severity" -gt 0 ]; then
            echo "❌ Found $high_severity high/critical severity supply chain issues!"
            echo "Review the scan results for details."
            exit 1
          else
            echo "✅ No high/critical severity issues detected"
          fi
        else
          echo "⚠️ No results to analyze"
        fi
        
    - name: Upload GuardDog results
      if: always()
      uses: actions/upload-artifact@v4
      with:
        name: guarddog-scan-results
        path: guarddog-results.json
        retention-days: 90

  government-security-review:
    name: Government Security Review
    runs-on: ubuntu-latest
    
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
      
    - name: FedRAMP considerations check
      run: |
        echo "🏛️ Reviewing FedRAMP and government security considerations..."
        
        # Check for security documentation
        security_files=("SECURITY.md" "CONTRIBUTING.md" ".github/workflows/security.yml")
        
        for file in "${security_files[@]}"; do
          if [[ ! -f "$file" ]]; then
            echo "❌ Missing security file: $file"
            exit 1
          fi
        done
        
        # Check for proper .gitignore patterns
        required_patterns=("*.key" "*.pem" "*.p12" "credentials.json" ".env")
        
        for pattern in "${required_patterns[@]}"; do
          if ! grep -q "$pattern" .gitignore; then
            echo "⚠️ Consider adding '$pattern' to .gitignore for government security"
          fi
        done
        
        echo "✅ Basic government security patterns validated"
        
    - name: FISMA compliance indicators
      run: |
        echo "📋 Checking FISMA compliance indicators..."
        
        # Check for audit logging capabilities
        if grep -r -i "log\|audit" --include="*.js" --include="*.ts" src/ > /dev/null 2>&1; then
          echo "✅ Logging capabilities present"
        else
          echo "⚠️ Consider adding audit logging for FISMA compliance"
        fi
        
        # Check for encryption-related code
        if grep -r -i "encrypt\|tls\|ssl\|https" --include="*.js" --include="*.ts" src/ > /dev/null 2>&1; then
          echo "✅ Encryption-related code found"
        else
          echo "⚠️ Ensure proper encryption is implemented"
        fi
        
        echo "📊 FISMA compliance review completed"

  security-summary:
    name: Security Summary Report
    runs-on: ubuntu-latest
    needs: [security-audit, license-compliance, secrets-scan, dependency-graph, guarddog-scan, government-security-review]
    if: always()
    
    steps:
    - name: Generate security summary
      run: |
        echo "📋 SECURITY SUMMARY REPORT"
        echo "========================="
        echo ""
        echo "🏛️ Government Security Assessment for USAi API Node.js Client"
        echo ""
        echo "Jobs Status:"
        echo "- Security Audit: ${{ needs.security-audit.result }}"
        echo "- License Compliance: ${{ needs.license-compliance.result }}"
        echo "- Secrets Scan: ${{ needs.secrets-scan.result }}"
        echo "- Dependency Analysis: ${{ needs.dependency-graph.result }}"
        echo "- GuardDog Supply Chain Scan: ${{ needs.guarddog-scan.result }}"
        echo "- Government Security Review: ${{ needs.government-security-review.result }}"
        echo ""
        
        if [[ "${{ needs.security-audit.result }}" == "failure" ]] || 
           [[ "${{ needs.suarddog-scan.result }}" == "failure" ]] || 
           [[ "${{ needs.gecrets-scan.result }}" == "failure" ]] || 
           [[ "${{ needs.government-security-review.result }}" == "failure" ]]; then
          echo "🚨 SECURITY ISSUES DETECTED"
          echo "Government agencies should review failed checks before use"
          echo ""
          echo "Recommended Actions:"
          echo "1. Review failed security checks"
          echo "2. Remediate any discovered vulnerabilities"
          echo "3. Update dependencies if needed"
          echo "4. Conduct additional security review"
          echo "5. Follow agency-specific security protocols"
        else
          echo "✅ SECURITY CHECKS PASSED"
          echo "Library appears to meet basic security requirements"
          echo ""
          echo "Government agencies should still:"
          echo "1. Conduct agency-specific security review"
          echo "2. Test with organization's security tools"
          echo "3. Follow internal approval processes"
          echo "4. Monitor for security updates"
        fi