fix: add govern.json with network enabled for Unix socket IPC #27
| name: Security Scan | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| schedule: | |
| - cron: '0 0 * * 0' # Weekly on Sunday | |
| jobs: | |
| security-checks: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Check for secrets in code | |
| run: | | |
| echo "🔍 Scanning for hardcoded secrets..." | |
| if grep -r "password\s*=\|api[_-]key\s*=\|secret\s*=" --include="*.naab" --include="*.go" --include="*.rs" . ; then | |
| echo "⚠️ Warning: Potential secrets found in code" | |
| exit 1 | |
| fi | |
| echo "✅ No hardcoded secrets detected" | |
| - name: Validate configuration files | |
| run: | | |
| echo "🔍 Validating JSON configuration..." | |
| find config -name "*.json" -exec echo "Checking {}" \; -exec python3 -m json.tool {} \; | |
| echo "✅ Configuration files valid" | |
| - name: Check file permissions | |
| run: | | |
| echo "🔍 Checking for overly permissive files..." | |
| if find . -type f -perm /go+w ! -path "./.git/*" ! -path "./naab/*" ! -name "build.sh" ! -name "publish*.sh" -print | grep -q .; then | |
| echo "⚠️ World-writable files found (excluding build scripts)" | |
| find . -type f -perm /go+w ! -path "./.git/*" ! -path "./naab/*" ! -name "build.sh" ! -name "publish*.sh" | |
| exit 1 | |
| fi | |
| echo "✅ File permissions OK" |
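Review bot: The "Validate configuration files" step cannot fail: on the `find config -name "*.json" -exec echo "Checking {}" \; -exec python3 -m json.tool {} \;` line, GNU find's exit status does not reflect a non-zero `-exec` command, so a malformed JSON file is only logged while the step still prints "✅ Configuration files valid" and the job passes. Route the files through xargs so the pipeline's status is the validator's: `find config -name "*.json" -print0 | xargs -0 -r -t -n1 python3 -m json.tool >/dev/null` (xargs exits non-zero if any invocation fails; `-r` keeps it from running the validator on empty stdin when nothing matches). Note also that the secret grep two steps earlier is limited to `*.naab`, `*.go` and `*.rs`, so a JSON config file such as the govern.json named in the commit title (not visible here) is never scanned for embedded credentials; adding `--include="*.json"` would close that gap. Finally, `actions/checkout@v3` is referenced by a mutable tag; pinning the action to a full commit SHA is the usual hardening for a workflow whose purpose is security checks.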