dependency-security-scan.yml
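---
# Dependency security scan for the thread-system repository.
#
# Scans the checked-out tree (which contains the vcpkg tree installed by the
# run-vcpkg step) with Trivy, uploads the SARIF to the Security tab, checks
# dependency licenses against the project's MIT license, and publishes a short
# Markdown report as an artifact.
name: Dependency Security Scan

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, develop, phase3-*]
  pull_request:
    branches: [main, develop]
  schedule:
    # Run security scan daily at 2 AM UTC
    - cron: '0 2 * * *'

# Least-privilege token. `security-events: write` is what
# codeql-action/upload-sarif needs. `packages: write` was dropped: nothing
# in this workflow publishes to GitHub Packages (no NuGet/GitHub Packages
# binary-cache source is configured for vcpkg here); restore it if that is
# added.
# NOTE(review): vcpkg's dependencygraph submission may need `contents: write`;
# with `contents: read` the submission is expected to be skipped without
# affecting the build — confirm against the vcpkg docs before raising it.
permissions:
  contents: read
  security-events: write

env:
  VCPKG_FEATURE_FLAGS: dependencygraph

jobs:
  security-scan:
    if: github.ref != 'refs/heads/gh-pages'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          submodules: true

      - name: Setup and install vcpkg dependencies
        uses: lukka/run-vcpkg@v11
        # GITHUB_TOKEN is scoped to this step only: the vcpkg dependencygraph
        # feature reads it from the environment, and no other step needs the
        # token exposed as an env var (reduces exposure to third-party steps).
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          vcpkgDirectory: '${{ github.workspace }}/vcpkg'
          runVcpkgInstall: true
          vcpkgJsonGlob: '**/vcpkg.json'

      - name: Dependency vulnerability scan
        # TODO(review): `@master` is a mutable ref — pin to a release tag or a
        # commit SHA so an upstream change cannot silently alter what runs
        # here with `security-events: write` in hand.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH,MEDIUM'
          # '0' keeps the scan non-blocking: findings reach the Security tab
          # but never fail the job, so the "Notify" step below does not fire
          # for vulnerabilities. Set to '1' to gate on findings.
          exit-code: '0'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always() && hashFiles('trivy-results.sarif') != ''
        with:
          sarif_file: 'trivy-results.sarif'

      - name: License compatibility check
        # `id` lets the report step read this step's outcome instead of
        # asserting success unconditionally.
        id: license-check
        run: |
          # Create simple license checker script
          cat > license_check.py << 'EOF'
          #!/usr/bin/env python3
          """Check vcpkg.json dependencies against licenses compatible with MIT.

          Exits 1 when any dependency has a known-incompatible license.
          Dependencies whose license is not in KNOWN_LICENSES are printed as
          UNKNOWN and listed in the summary so they can be added, but do not
          fail the check on their own (host tools declared in the manifest
          would otherwise block every run).
          """
          import json
          import sys

          # Compatible licenses with MIT
          COMPATIBLE_LICENSES = {
              'MIT', 'BSD-2-Clause', 'BSD-3-Clause', 'Apache-2.0',
              'ISC', 'Unlicense', 'LGPL-2.1+', 'LGPL-3.0+'
          }

          # Known licenses for our dependencies
          KNOWN_LICENSES = {
              'fmt': 'MIT',
              'gtest': 'BSD-3-Clause',
              'benchmark': 'Apache-2.0',
              'spdlog': 'MIT',
              'libiconv': 'LGPL-2.1+'
          }


          def manifest_dependency_names(manifest):
              """Return top-level dependency names declared in a vcpkg manifest.

              Each "dependencies" entry may be a bare string or an object with a
              "name" key; any other shape is ignored. A manifest that is not a
              JSON object yields an empty list.
              """
              if not isinstance(manifest, dict):
                  return []
              names = []
              for entry in manifest.get('dependencies', []):
                  if isinstance(entry, str):
                      names.append(entry)
                  elif isinstance(entry, dict) and isinstance(entry.get('name'), str):
                      names.append(entry['name'])
              return names


          # Read vcpkg manifest
          with open('vcpkg.json', 'r') as f:
              manifest = json.load(f)

          print("License Compatibility Check for thread-system (MIT License)")
          print("=" * 60)

          # Check what the manifest actually declares, plus the hard-coded list,
          # so a dependency missing from either side is still reported.
          dep_names = sorted(set(manifest_dependency_names(manifest)) | set(KNOWN_LICENSES))

          all_compatible = True
          unknown = []
          for dep_name in dep_names:
              license_name = KNOWN_LICENSES.get(dep_name)
              if license_name is None:
                  status = "UNKNOWN (not verified)"
                  unknown.append(dep_name)
              elif license_name in COMPATIBLE_LICENSES:
                  status = "COMPATIBLE"
              else:
                  status = "INCOMPATIBLE"
                  all_compatible = False
              print(f"{dep_name:12} {license_name or '-':15} {status}")

          print("=" * 60)
          if unknown:
              print("Unverified dependencies (add them to KNOWN_LICENSES): " + ", ".join(unknown))
          if all_compatible:
              print("All known dependency licenses are compatible")
              sys.exit(0)
          print("License compatibility issues found")
          sys.exit(1)
          EOF
          python3 license_check.py

      - name: Generate security report
        if: always()
        # Context values are passed through env rather than interpolated into
        # the script, so a ref name containing shell metacharacters cannot
        # change what the shell executes.
        env:
          REPO: ${{ github.repository }}
          REF_NAME: ${{ github.ref_name }}
          LICENSE_OUTCOME: ${{ steps.license-check.outcome }}
        run: |
          {
            echo "# Security Scan Report"
            echo ""
            echo "**Scan Date**: $(date -u)"
            echo "**Repository**: $REPO"
            echo "**Branch**: $REF_NAME"
            echo ""
            echo "## Vulnerability Scan Results"
            if [ -f "trivy-results.sarif" ]; then
              echo "Trivy scan completed. Check GitHub Security tab for detailed results."
            else
              echo "Scan failed or no results generated"
            fi
            echo ""
            echo "## License Compatibility"
            # Report the real outcome of the license step; the previous text
            # claimed success even when that step had failed.
            case "$LICENSE_OUTCOME" in
              success) echo "All known dependency licenses verified for MIT license compatibility." ;;
              failure) echo "License compatibility check FAILED - see the 'License compatibility check' step log." ;;
              *) echo "License compatibility check did not complete (outcome: ${LICENSE_OUTCOME:-unknown})." ;;
            esac
          } > security_report.md

      - name: Upload security report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: security-report
          path: security_report.md
          retention-days: 30

      - name: Notify on security issues
        # Fires when an earlier step failed (license check, vcpkg install,
        # upload). Trivy findings do not reach here while exit-code is '0'.
        if: failure()
        run: |
          echo "Security scan detected issues!"
          echo "Please review the scan results and take appropriate action."
          echo "High/Critical vulnerabilities should be addressed immediately."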