build(deps): Bump envoyproxy/envoy from v1.37.2 to v1.38.0 in /authbridge/authproxy #277
| # Security Scans - Comprehensive security checks | |
| # | |
| # Jobs: | |
| # - Dependency Review (always) | |
| # - Shellcheck (shell scripts) | |
| # - YAML Lint (workflows) | |
| # - Hadolint (Dockerfiles) | |
| # - Bandit (Python security) | |
| # - Trivy (filesystem + IaC) | |
| # - CodeQL (Go + Python) | |
| # - Action Pinning (informational) | |
| # | |
| name: Security Scans | |
| on: | |
| pull_request: | |
| branches: [main] | |
| permissions: {} | |
| jobs: | |
| # ============================================================================ | |
| # Phase 0: Foundations | |
| # ============================================================================ | |
| dependency-review: | |
| name: Dependency Review | |
| runs-on: ubuntu-latest | |
| # TODO: Remove continue-on-error after enabling Dependency Graph in | |
| # repo Settings > Code security and analysis | |
| continue-on-error: true | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Dependency Review | |
| uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4 | |
| with: | |
| fail-on-severity: moderate | |
| deny-licenses: GPL-3.0, AGPL-3.0 | |
| comment-summary-in-pr: never | |
| shellcheck: | |
| name: Shell Script Lint | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Install shellcheck | |
| run: sudo apt-get install -y shellcheck | |
| - name: Run shellcheck | |
| run: | | |
| SCRIPTS=$(find . -name "*.sh" -type f 2>/dev/null | grep -v ".git/" || true) | |
| if [ -z "$SCRIPTS" ]; then | |
| echo "No shell scripts found" | |
| exit 0 | |
| fi | |
| echo "Found scripts:" | |
| echo "$SCRIPTS" | |
| echo "" | |
| FAILED=0 | |
| for script in $SCRIPTS; do | |
| echo "Checking: $script" | |
| if ! shellcheck --severity=error "$script"; then | |
| FAILED=1 | |
| fi | |
| done | |
| if [ $FAILED -eq 1 ]; then | |
| echo "ERROR: Some scripts have shellcheck errors." | |
| exit 1 | |
| fi | |
| echo "All scripts passed shellcheck (error level)" | |
| # ============================================================================ | |
| # Phase A: Linting | |
| # ============================================================================ | |
| yamllint: | |
| name: YAML Lint | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Install yamllint | |
| run: pip install yamllint==1.* | |
| - name: Create config | |
| run: | | |
| cat > .yamllint.yaml << 'EOF' | |
| extends: relaxed | |
| rules: | |
| line-length: | |
| max: 150 | |
| level: warning | |
| truthy: | |
| check-keys: false | |
| document-start: disable | |
| comments: | |
| min-spaces-from-content: 1 | |
| indentation: | |
| spaces: 2 | |
| indent-sequences: whatever | |
| EOF | |
| - name: Lint YAML files | |
| run: | | |
| yamllint -c .yamllint.yaml \ | |
| .github/workflows/ || true | |
| echo "" | |
| echo "=== Summary ===" | |
| yamllint -c .yamllint.yaml -f parsable \ | |
| .github/workflows/ > /tmp/yamllint_output.txt 2>&1 || true | |
| ERROR_COUNT=$(grep -c ":error:" /tmp/yamllint_output.txt 2>/dev/null || echo "0") | |
| echo "Errors: $ERROR_COUNT" | |
| if [ "$ERROR_COUNT" -gt 0 ] 2>/dev/null; then | |
| echo "ERROR: YAML files have syntax errors." | |
| exit 1 | |
| fi | |
| # ============================================================================ | |
| # Phase B: Language-specific Security | |
| # ============================================================================ | |
| bandit: | |
| name: Python Security (Bandit) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 | |
| with: | |
| python-version: '3.12' | |
| - name: Install Bandit | |
| run: pip install 'bandit[toml]==1.*' | |
| - name: Run Bandit security scan | |
| run: | | |
| echo "=== Bandit Python Security Scan ===" | |
| # Scan AuthBridge Python code and tests | |
| PYTHON_DIRS="" | |
| for dir in authbridge/client-registration authbridge tests; do | |
| if [ -d "$dir" ]; then | |
| PYTHON_DIRS="$PYTHON_DIRS $dir" | |
| fi | |
| done | |
| if [ -z "$PYTHON_DIRS" ]; then | |
| echo "No Python directories found" | |
| exit 0 | |
| fi | |
| echo "Scanning:$PYTHON_DIRS" | |
| echo "" | |
| # HIGH severity blocks the build | |
| HIGH_ISSUES=$(bandit -r $PYTHON_DIRS \ | |
| --severity-level high \ | |
| --confidence-level high \ | |
| --exclude '**/tests/*,**/.venv/*' \ | |
| -f json 2>/dev/null | jq '.results | length' 2>/dev/null || echo "0") | |
| if [ "$HIGH_ISSUES" -gt 0 ]; then | |
| echo "Found $HIGH_ISSUES HIGH severity issues:" | |
| bandit -r $PYTHON_DIRS \ | |
| --severity-level high \ | |
| --confidence-level high \ | |
| --exclude '**/tests/*,**/.venv/*' \ | |
| -f txt | |
| exit 1 | |
| fi | |
| # Informational scan | |
| echo "--- Full scan (informational) ---" | |
| bandit -r $PYTHON_DIRS \ | |
| --severity-level medium \ | |
| --confidence-level medium \ | |
| --exclude '**/tests/*,**/.venv/*' \ | |
| -f txt || true | |
| # ============================================================================ | |
| # Phase C: Container/IaC Security | |
| # ============================================================================ | |
| hadolint: | |
| name: Dockerfile Lint (Hadolint) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Find Dockerfiles | |
| id: find-dockerfiles | |
| run: | | |
| DOCKERFILES=$(find . -name "Dockerfile*" -type f 2>/dev/null | grep -v ".git/" || true) | |
| if [ -z "$DOCKERFILES" ]; then | |
| echo "has_dockerfiles=false" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "Found Dockerfiles:" | |
| echo "$DOCKERFILES" | |
| echo "has_dockerfiles=true" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Run Hadolint | |
| if: steps.find-dockerfiles.outputs.has_dockerfiles == 'true' | |
| uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0 | |
| with: | |
| dockerfile: "**/Dockerfile*" | |
| recursive: true | |
| failure-threshold: error | |
| # DL3007: Using latest tag, DL3008/DL3013/DL3018: Unpinned packages | |
| # DL3015: No --no-install-recommends, DL3059: Multiple consecutive RUN | |
| # DL3002: Last USER is root (pre-existing), DL3062: Unversioned go install | |
| ignore: DL3002,DL3007,DL3008,DL3013,DL3015,DL3018,DL3059,DL3062 | |
| trivy-fs: | |
| name: Trivy Filesystem Scan | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Dependency vulnerability scan (informational) | |
| uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| severity: 'CRITICAL,HIGH' | |
| exit-code: '0' | |
| ignore-unfixed: true | |
| format: 'table' | |
| - name: IaC config scan (informational) | |
| # Informational until pre-existing K8s security issues are addressed | |
| uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 | |
| with: | |
| scan-type: 'config' | |
| scan-ref: '.' | |
| severity: 'CRITICAL,HIGH,MEDIUM' | |
| skip-dirs: 'authbridge/demos,authbridge/authproxy/quickstart' | |
| exit-code: '0' | |
| format: 'table' | |
| # ============================================================================ | |
| # Phase D: Advanced Security | |
| # ============================================================================ | |
| codeql: | |
| name: CodeQL Analysis (${{ matrix.language }}) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| contents: read | |
| strategy: | |
| matrix: | |
| language: [go, python] | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 | |
| with: | |
| languages: ${{ matrix.language }} | |
| queries: security-extended | |
| - name: Autobuild | |
| uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 | |
| with: | |
| category: "/language:${{ matrix.language }}" | |
| action-pinning: | |
| name: Verify Action Pinning | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Check for unpinned GitHub Actions | |
| run: | | |
| echo "=== Checking for unpinned GitHub Actions ===" | |
| UNPINNED=$(grep -rh 'uses:' .github/workflows/ | grep -E 'uses:.*@' | grep -vE '@[0-9a-f]{40}' | sort -u || true) | |
| if [ -n "$UNPINNED" ]; then | |
| echo "::warning::Found actions not pinned to SHA commits:" | |
| echo "$UNPINNED" | |
| COUNT=$(echo "$UNPINNED" | wc -l | tr -d ' ') | |
| echo "Total unpinned actions: $COUNT" | |
| echo "NOTE: This check is informational." | |
| else | |
| echo "All actions are pinned to SHA commits!" | |
| fi | |
| exit 0 |
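Review bot: The HIGH-severity Bandit gate in the "Run Bandit security scan" step fails open: `HIGH_ISSUES` is taken from `bandit … -f json 2>/dev/null | jq '.results | length' 2>/dev/null || echo "0"`, so if bandit crashes or emits no JSON, `HIGH_ISSUES` ends up empty or `0` and the step passes as if the code were clean. Writing the report to a file and letting `jq` read it makes a missing or malformed report abort the step under the `-e` that GitHub applies to `run` steps by default, while bandit's exit status 1 (findings present) is still tolerated. The same `|| echo "0"` pattern in the yamllint step appends a second `0` to `ERROR_COUNT` when `grep -c` finds nothing (it prints `0` and exits 1), and the `2>/dev/null` on `[ "$ERROR_COUNT" -gt 0 ]` then hides the resulting "integer expression expected" error; `ERROR_COUNT=$(grep -c ":error:" /tmp/yamllint_output.txt || true)` fixes that. The shellcheck step's `for script in $SCRIPTS` word-splits on whitespace, so a script path containing a space is never checked; `find . -name '*.sh' -type f -not -path './.git/*' -print0 | while IFS= read -r -d '' script` is the safe form.
```yaml
          # HIGH severity blocks the build.
          # Write the report to a file so a bandit crash (no JSON written) makes
          # jq fail and abort the step instead of being read as "0 findings";
          # bandit's own exit status 1 only means findings are present.
          bandit -r $PYTHON_DIRS \
            --severity-level high \
            --confidence-level high \
            --exclude '**/tests/*,**/.venv/*' \
            -f json -o /tmp/bandit-high.json || true
          HIGH_ISSUES=$(jq '.results | length' /tmp/bandit-high.json)
          # … unchanged: report and exit 1 when HIGH_ISSUES > 0, informational scan …
```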