|
18 | 18 | branches: [ "main" ] |
19 | 19 | schedule: |
20 | 20 | - cron: '34 20 * * 5' |
| 21 | + workflow_dispatch: |
| 22 | + inputs: |
| 23 | + test_email: |
| 24 | + description: 'Test email notification' |
| 25 | + required: false |
| 26 | + default: 'false' |
| 27 | + type: choice |
| 28 | + options: |
| 29 | + - 'false' |
| 30 | + - 'true' |
21 | 31 |
|
22 | 32 | jobs: |
23 | 33 | analyze: |
@@ -102,6 +112,95 @@ jobs: |
102 | 112 | with: |
103 | 113 | category: "/language:${{matrix.language}}" |
104 | 114 |
|
| 115 | + - name: Check for Security Issues |
| 116 | + id: check-security |
| 117 | + run: | |
| 118 | + # Check if SARIF results contain any security findings |
| 119 | + if [ -d "${{ github.workspace }}/.github/codeql-action/results" ]; then |
| 120 | + SARIF_FILES=$(find "${{ github.workspace }}/.github/codeql-action/results" -name "*.sarif" -type f 2>/dev/null || true) |
| 121 | + if [ -n "$SARIF_FILES" ]; then |
| 122 | + FINDINGS_COUNT=$(jq -r '.runs[].results | length' $SARIF_FILES 2>/dev/null | awk '{sum+=$1} END {print sum+0}') |
| 123 | + echo "findings_count=$FINDINGS_COUNT" >> $GITHUB_OUTPUT |
| 124 | + if [ "$FINDINGS_COUNT" -gt 0 ]; then |
| 125 | + echo "security_issues_found=true" >> $GITHUB_OUTPUT |
| 126 | + echo "Found $FINDINGS_COUNT security issues" |
| 127 | + else |
| 128 | + echo "security_issues_found=false" >> $GITHUB_OUTPUT |
| 129 | + echo "No security issues found" |
| 130 | + fi |
| 131 | + else |
| 132 | + echo "security_issues_found=false" >> $GITHUB_OUTPUT |
| 133 | + echo "No SARIF files found" |
| 134 | + fi |
| 135 | + else |
| 136 | + echo "security_issues_found=false" >> $GITHUB_OUTPUT |
| 137 | + echo "No CodeQL results directory found" |
| 138 | + fi |
| 139 | +
|
| 140 | + - name: Create Security Issue on Findings |
| 141 | + if: steps.check-security.outputs.security_issues_found == 'true' || github.event.inputs.test_email == 'true' |
| 142 | + uses: actions/github-script@v7 |
| 143 | + env: |
| 144 | + FINDINGS_COUNT: ${{ steps.check-security.outputs.findings_count }} |
| 145 | + BRANCH_NAME: ${{ github.ref_name }} |
| 146 | + COMMIT_SHA: ${{ github.sha }} |
| 147 | + REPOSITORY: ${{ github.repository }} |
| 148 | + RUN_NUMBER: ${{ github.run_number }} |
| 149 | + RUN_ID: ${{ github.run_id }} |
| 150 | + SERVER_URL: ${{ github.server_url }} |
| 151 | + MATRIX_LANGUAGE: ${{ matrix.language }} |
| 152 | + COMMIT_MESSAGE: ${{ github.event.head_commit.message }} |
| 153 | + with: |
| 154 | + script: | |
| 155 | + // Safely handle potentially user-controlled data |
| 156 | + const findingsCount = process.env.FINDINGS_COUNT || '0'; |
| 157 | + const branchName = process.env.BRANCH_NAME || 'unknown'; |
| 158 | + const commitMessage = process.env.COMMIT_MESSAGE || 'Latest commit'; |
| 159 | + const commitSha = process.env.COMMIT_SHA || 'unknown'; |
| 160 | + const repository = process.env.REPOSITORY || 'unknown'; |
| 161 | + const runNumber = process.env.RUN_NUMBER || '0'; |
| 162 | + const runId = process.env.RUN_ID || '0'; |
| 163 | + const serverUrl = process.env.SERVER_URL || 'https://github.com'; |
| 164 | + const language = process.env.MATRIX_LANGUAGE || 'unknown'; |
| 165 | + |
| 166 | + // Sanitize inputs to prevent injection |
| 167 | + const sanitize = (str) => String(str).replace(/[<>&"']/g, (char) => { |
| 168 | + const map = { '<': '<', '>': '>', '&': '&', '"': '"', "'": ''' }; |
| 169 | + return map[char]; |
| 170 | + }); |
| 171 | + |
| 172 | + const title = `🚨 Security Issues Detected - ${sanitize(commitMessage)}`; |
| 173 | + const body = `## Security Alert |
| 174 | + |
| 175 | + CodeQL analysis has detected **${sanitize(findingsCount)}** security issue(s) in the codebase. |
| 176 | + |
| 177 | + ### Details: |
| 178 | + - **Repository**: ${sanitize(repository)} |
| 179 | + - **Branch**: ${sanitize(branchName)} |
| 180 | + - **Commit**: ${sanitize(commitSha)} |
| 181 | + - **Workflow Run**: [${sanitize(runNumber)}](${sanitize(serverUrl)}/${sanitize(repository)}/actions/runs/${sanitize(runId)}) |
| 182 | + - **Language**: ${sanitize(language)} |
| 183 | + |
| 184 | + ### Action Required: |
| 185 | + Please review the security findings immediately: |
| 186 | + - [View Security Tab](${sanitize(serverUrl)}/${sanitize(repository)}/security/code-scanning) |
| 187 | + - [View Workflow Run](${sanitize(serverUrl)}/${sanitize(repository)}/actions/runs/${sanitize(runId)}) |
| 188 | + |
| 189 | + ### Assignees: |
| 190 | + @elvin03 please review and address these security issues. |
| 191 | + |
| 192 | + --- |
| 193 | + *This issue was automatically created by the CodeQL security workflow.*`; |
| 194 | + |
| 195 | + await github.rest.issues.create({ |
| 196 | + owner: context.repo.owner, |
| 197 | + repo: context.repo.repo, |
| 198 | + title: title, |
| 199 | + body: body, |
| 200 | + labels: ['security', 'automated', 'high-priority'], |
| 201 | + assignees: ['elvin03'] |
| 202 | + }); |
| 203 | +
|
105 | 204 | - name: Generate Security Report |
106 | 205 | uses: rsdmike/github-security-report-action@v3.0.4 |
107 | 206 | with: |
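Review bot: The new `check-security` step fails open: every error path (missing directory, no `*.sarif` files, or a `jq` failure hidden by `2>/dev/null` and the `|| true` on `find`) writes `security_issues_found=false`, so a wrong results path silences the alert rather than surfacing it. The hard-coded `${{ github.workspace }}/.github/codeql-action/results` does not appear to be a location the analyze step is documented to write to; give that step an `id` (its header is above this hunk) and read its `sarif-output` output instead, and treat "no SARIF found" as a step failure rather than a clean result. Creating the issue also requires `issues: write` on the job's `permissions` block, which lies outside this hunk — add it there rather than widening the workflow-level token. Separately, the replacement map in `sanitize` as rendered here maps each character to itself (and `"'": '''` would not parse); if the original used HTML entities, HTML escaping is not the right neutralization for a Markdown issue title — wrapping the first line of the commit message in a code span and truncating it would be more appropriate.
```yaml
      - name: Check for Security Issues
        id: check-security
        # requires `id: analyze` on the CodeQL analyze step (above this hunk)
        env:
          SARIF_DIR: ${{ steps.analyze.outputs.sarif-output }}
        run: |
          set -o pipefail
          if [ -z "$SARIF_DIR" ] || [ ! -d "$SARIF_DIR" ]; then
            echo "::error::No CodeQL SARIF output directory found ('$SARIF_DIR')"
            echo "security_issues_found=unknown" >> "$GITHUB_OUTPUT"
            exit 1
          fi
          FINDINGS_COUNT=$(find "$SARIF_DIR" -name '*.sarif' -type f -print0 \
            | xargs -0 -r jq -r '[.runs[].results | length] | add // 0' \
            | awk '{sum+=$1} END {print sum+0}')
          echo "findings_count=$FINDINGS_COUNT" >> "$GITHUB_OUTPUT"
          if [ "$FINDINGS_COUNT" -gt 0 ]; then
            echo "security_issues_found=true" >> "$GITHUB_OUTPUT"
          else
            echo "security_issues_found=false" >> "$GITHUB_OUTPUT"
          fi
          echo "Found $FINDINGS_COUNT security finding(s)"
      # … unchanged: Create Security Issue on Findings step …
```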
|