Dependency Security Scan #693
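name: Dependency Security Scan

on:
  push:
    branches: [ main, develop, phase3-* ]
  pull_request:
    branches: [ main, develop ]
  schedule:
    # Run security scan daily at 2 AM UTC (scheduled runs use the default branch).
    - cron: '0 2 * * *'

# Least privilege: no step publishes packages, so `packages: write` is not
# granted. `security-events: write` is what upload-sarif needs and
# `contents: read` is enough for checkout.
permissions:
  contents: read
  security-events: write

env:
  # NOTE(review): this flag only takes effect during `vcpkg install`, which this
  # workflow never runs. If dependency-graph submission is intended, it needs a
  # separate install step (and, per the vcpkg docs, a token with contents: write) — confirm.
  VCPKG_FEATURE_FLAGS: dependencygraph
  # GITHUB_TOKEN is deliberately NOT exported workflow-wide: that would hand it
  # to every step, including the unpinned vcpkg bootstrap script below. It is
  # scoped to the Trivy steps only (see their step-level `env`).

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # NOTE(review): this clones the HEAD of Microsoft/vcpkg and executes its
      # bootstrap script with no tag, commit or checksum pinning, so code that
      # can change upstream at any time runs on every scan. Pin to a release tag
      # or commit SHA once one is agreed. The step is intentionally best-effort
      # (bootstrap failure is swallowed) so a vcpkg hiccup cannot hide the Trivy
      # results that follow.
      - name: Setup vcpkg manually for security scan
        run: |
          echo "Setting up vcpkg for security scanning..."
          if [ ! -d "vcpkg" ]; then
            git clone https://github.com/Microsoft/vcpkg.git vcpkg || {
              echo "Failed to clone vcpkg, trying alternative method..."
              wget -q https://github.com/Microsoft/vcpkg/archive/refs/heads/master.tar.gz
              tar -xzf master.tar.gz
              mv vcpkg-master vcpkg
            }
          fi
          if [ -d "vcpkg" ]; then
            cd vcpkg
            if [ -f "./bootstrap-vcpkg.sh" ]; then
              chmod +x ./bootstrap-vcpkg.sh
              ./bootstrap-vcpkg.sh || echo "Bootstrap failed, continuing..."
            fi
            cd ..
          fi

      # NOTE(review): `@master` is a mutable ref — pin to a release tag or a full
      # commit SHA so an upstream change cannot silently alter the scanner.
      # Note also that scan-ref '.' includes the vcpkg tree cloned above.
      - name: Dependency vulnerability scan
        uses: aquasecurity/trivy-action@master
        env:
          # Scoped to this step instead of the whole workflow. Kept in case the
          # action uses it for GitHub downloads — drop it if a run without it is clean.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH,MEDIUM'
          # Report-only: never fails the job, so the SARIF is always produced
          # and uploaded. The hard gate is the separate step further down.
          exit-code: '0'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always() && hashFiles('trivy-results.sarif') != ''
        with:
          sarif_file: 'trivy-results.sarif'

      - name: License compatibility check
        id: license
        run: |
          # Heredoc is quoted ('EOF') so the shell does not expand anything inside.
          cat > license_check.py << 'EOF'
          #!/usr/bin/env python3
          """Gate the vcpkg.json dependencies on MIT-compatible licenses.

          Every port declared in the manifest's "dependencies" must have a known
          license that is in COMPATIBLE_LICENSES. A port that is not in
          known_licenses fails the check instead of being skipped, so a newly
          added dependency cannot pass unreviewed.

          Exit status: 0 when every dependency is compatible, 1 otherwise
          (including an unreadable manifest).
          """
          import json
          import sys

          # Licenses accepted for a dependency of this MIT-licensed project
          # (SPDX identifiers).
          # NOTE(review): the LGPL entries are accepted here; confirm the linking
          # mode used for those ports matches the project's policy.
          COMPATIBLE_LICENSES = {
              'MIT', 'BSD-2-Clause', 'BSD-3-Clause', 'Apache-2.0',
              'ISC', 'Unlicense', 'LGPL-2.1+', 'LGPL-3.0+'
          }

          # Licenses of the ports this project is known to use. Any port that is
          # added to vcpkg.json must be added here as well, or the check fails.
          known_licenses = {
              'fmt': 'MIT',
              'gtest': 'BSD-3-Clause',
              'benchmark': 'Apache-2.0',
              'spdlog': 'MIT',
              'libiconv': 'LGPL-2.1+'
          }


          def dependency_names(manifest):
              """Return the port names declared in a vcpkg manifest.

              vcpkg allows each entry of "dependencies" to be either a bare
              string or an object whose "name" key holds the port name. Any
              other shape is returned as its repr so it surfaces as UNKNOWN.
              """
              names = []
              for dep in manifest.get('dependencies', []):
                  if isinstance(dep, str):
                      names.append(dep)
                  elif isinstance(dep, dict) and 'name' in dep:
                      names.append(dep['name'])
                  else:
                      names.append(repr(dep))
              return names


          def main():
              try:
                  with open('vcpkg.json', 'r', encoding='utf-8') as f:
                      manifest = json.load(f)
              except (OSError, ValueError) as err:
                  print(f"❌ Could not read vcpkg.json: {err}")
                  return 1

              print("License Compatibility Check for thread-system (MIT License)")
              print("=" * 60)

              all_compatible = True
              for dep_name in dependency_names(manifest):
                  license_name = known_licenses.get(dep_name)
                  if license_name is None:
                      # An unlisted port cannot be vouched for: fail, do not skip.
                      print(f"{dep_name:12} {'UNKNOWN':15} ❌ UNKNOWN LICENSE (add to known_licenses)")
                      all_compatible = False
                      continue
                  compatible = license_name in COMPATIBLE_LICENSES
                  status = "✅ COMPATIBLE" if compatible else "❌ INCOMPATIBLE"
                  print(f"{dep_name:12} {license_name:15} {status}")
                  if not compatible:
                      all_compatible = False

              print("=" * 60)
              if all_compatible:
                  print("✅ All dependencies are license compatible")
                  return 0
              print("❌ License compatibility issues found")
              return 1


          if __name__ == "__main__":
              sys.exit(main())
          EOF
          python3 license_check.py

      # Without this gate no vulnerability could ever fail the job (exit-code '0'
      # above), so the "Notify on security issues" step could only fire on
      # infrastructure or license failures. This second run reuses Trivy's cache.
      - name: Fail on HIGH/CRITICAL vulnerabilities
        id: vuln-gate
        uses: aquasecurity/trivy-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'table'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      - name: Generate security report
        if: always()
        # Context values are passed through `env` and quoted in the script, not
        # interpolated with ${{ }} into the shell text: a branch name can contain
        # shell metacharacters, and expression interpolation into `run` is the
        # classic script-injection pattern.
        env:
          REPO: ${{ github.repository }}
          BRANCH: ${{ github.ref_name }}
          LICENSE_OUTCOME: ${{ steps.license.outcome }}
          GATE_OUTCOME: ${{ steps.vuln-gate.outcome }}
        run: |
          {
            echo "# Security Scan Report"
            echo ""
            echo "**Scan Date**: $(date -u)"
            echo "**Repository**: $REPO"
            echo "**Branch**: $BRANCH"
            echo ""
            echo "## Vulnerability Scan Results"
            if [ -f "trivy-results.sarif" ]; then
              echo "Trivy scan completed. Check GitHub Security tab for detailed results."
              case "$GATE_OUTCOME" in
                success) echo "✅ No HIGH/CRITICAL vulnerabilities found." ;;
                failure) echo "❌ HIGH/CRITICAL vulnerabilities found — see the job log." ;;
                *)       echo "⚠️ Severity gate did not run (outcome: $GATE_OUTCOME)." ;;
              esac
            else
              echo "❌ Scan failed or no results generated"
            fi
            echo ""
            echo "## License Compatibility"
            # Only claim success when the license step actually succeeded.
            if [ "$LICENSE_OUTCOME" = "success" ]; then
              echo "✅ All manifest dependencies verified for MIT license compatibility."
            else
              echo "❌ License check outcome: $LICENSE_OUTCOME — see the job log."
            fi
          } > security_report.md

      - name: Upload security report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: security-report
          path: security_report.md
          retention-days: 30

      - name: Notify on security issues
        if: failure()
        run: |
          echo "🚨 Security scan detected issues!"
          echo "Please review the scan results and take appropriate action."
          echo "High/Critical vulnerabilities should be addressed immediately."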