docs: Standardize README structure to 13-section format #1294
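# Dependency Security Scan Workflow for PACS System
# Scans for vulnerabilities and license compliance
#
# Based on messaging_system security scan patterns
#
# Hardening notes:
# - Permissions follow least privilege: the workflow default is read-only plus
#   `security-events: write` for the SARIF upload; the dependency-review job
#   adds `pull-requests: write` (needed by comment-summary-in-pr) at job level.
#   Nothing here publishes packages, so `packages: write` is not granted.
# - GITHUB_TOKEN is exposed only to the Trivy step, not to every step.
# - Third-party actions should be pinned to a release tag or full commit SHA;
#   `aquasecurity/trivy-action@master` is the remaining moving reference.

name: Dependency Security Scan

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  schedule:
    # Run security scan daily at 2 AM UTC
    - cron: '0 2 * * *'
  workflow_dispatch:

permissions:
  contents: read
  security-events: write

jobs:
  security-scan:
    name: Security Vulnerability Scan
    runs-on: ubuntu-24.04
    timeout-minutes: 30
    steps:
      - name: Checkout pacs_system
        uses: actions/checkout@v4

      - name: Dependency vulnerability scan
        # TODO(security): pin to a release tag or commit SHA instead of `master`;
        # a moving branch lets upstream changes run with this workflow's token.
        uses: aquasecurity/trivy-action@master
        # Scoped to this step only (presumably for authenticated GitHub
        # downloads by Trivy — confirm it is still needed).
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH,MEDIUM'
          # Report-only: findings never fail this step, so they also never
          # trigger the `failure()` notification below. Set to '1' to gate.
          exit-code: '0'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: always() && hashFiles('trivy-results.sarif') != ''
        with:
          sarif_file: 'trivy-results.sarif'

      - name: License compatibility check
        # The id lets the report step below read this step's real outcome.
        id: license-check
        run: |
          # Create license checker script
          cat > license_check.py << 'EOF'
          #!/usr/bin/env python3
          """Check each dependency in dependency-manifest.json against the set of
          licenses accepted as compatible with the project's BSD-3-Clause license.

          Exits 0 when every dependency is compatible, 1 otherwise. An entry with
          no license (or no name) is reported as INCOMPATIBLE instead of crashing
          the check, so malformed manifests fail closed.
          """
          import json
          import sys

          # Compatible licenses with BSD-3-Clause
          COMPATIBLE_LICENSES = {
              'MIT', 'BSD-2-Clause', 'BSD-3-Clause', 'Apache-2.0',
              'ISC', 'Unlicense', 'LGPL-2.1', 'LGPL-2.1+', 'LGPL-3.0+', 'Zlib',
              'Public Domain', 'IJG/BSD-3-Clause', 'libpng-2.0', 'BSL-1.0'
          }

          print("License Compatibility Check for PACS System (BSD-3-Clause)")
          print("=" * 60)

          # A missing manifest raises FileNotFoundError and fails the step,
          # which is the intended fail-closed behaviour.
          with open('dependency-manifest.json', 'r', encoding='utf-8') as f:
              manifest = json.load(f)

          known_licenses = {}
          for section in ('internal_ecosystem', 'native_and_system', 'fetched_content'):
              for dep in manifest.get(section, []):
                  # Fallbacks can never match the allow-list, so a malformed
                  # entry is reported as incompatible rather than raising KeyError.
                  dep_name = dep.get('name', '<unnamed>')
                  known_licenses[dep_name] = dep.get('license', 'UNKNOWN')

          all_compatible = True
          for dep_name, license_name in known_licenses.items():
              # Exact string match only; any other spelling or compound
              # expression is treated as incompatible until reviewed.
              compatible = license_name in COMPATIBLE_LICENSES
              status = "✅ COMPATIBLE" if compatible else "❌ INCOMPATIBLE"
              print(f"{dep_name:20} {license_name:15} {status}")
              if not compatible:
                  all_compatible = False

          print("=" * 60)
          if all_compatible:
              print("✅ All dependencies are license compatible")
              sys.exit(0)
          else:
              print("❌ License compatibility issues found")
              sys.exit(1)
          EOF

          python3 license_check.py

      - name: Generate security report
        if: always()
        # Context values are passed through env instead of being interpolated
        # into the script body, so they are never parsed as shell.
        env:
          REPO: ${{ github.repository }}
          REF_NAME: ${{ github.ref_name }}
          LICENSE_OUTCOME: ${{ steps.license-check.outcome }}
        run: |
          {
            echo "# Security Scan Report"
            echo ""
            echo "**Scan Date**: $(date -u)"
            echo "**Repository**: ${REPO}"
            echo "**Branch**: ${REF_NAME}"
            echo ""
            echo "## Vulnerability Scan Results"
            if [ -f "trivy-results.sarif" ]; then
              echo "Trivy scan completed. Check GitHub Security tab for detailed results."
            else
              echo "❌ Scan failed or no results generated"
            fi
            echo ""
            echo "## License Compatibility"
            # This step runs with always(), so report the license step's actual
            # outcome instead of an unconditional "verified" line.
            case "${LICENSE_OUTCOME}" in
              success) echo "All dependencies verified for BSD-3-Clause license compatibility." ;;
              failure) echo "❌ License compatibility issues found (see the 'License compatibility check' step)." ;;
              *)       echo "⚠️ License compatibility check did not complete (outcome: ${LICENSE_OUTCOME:-unknown})." ;;
            esac
          } > security_report.md

      - name: Upload security report
        uses: actions/upload-artifact@v7
        if: always()
        with:
          name: security-report
          path: security_report.md
          retention-days: 30

      - name: Notify on security issues
        if: failure()
        run: |
          echo "🚨 Security scan detected issues!"
          echo "Please review the scan results and take appropriate action."
          echo "High/Critical vulnerabilities should be addressed immediately."

  npm-audit:
    name: npm Dependency Audit
    runs-on: ubuntu-24.04
    timeout-minutes: 10
    steps:
      - name: Checkout pacs_system
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install and audit npm dependencies
        working-directory: web
        run: |
          # --ignore-scripts: do not execute install hooks from third-party
          # packages in a scan-only job.
          npm ci --ignore-scripts
          echo "## npm Audit Report" > ../npm-security-report.md
          echo "" >> ../npm-security-report.md
          echo "**Scan Date**: $(date -u)" >> ../npm-security-report.md
          echo "" >> ../npm-security-report.md
          # Redirect stdout first, then stderr, so both land in the report
          # (the previous `2>&1 >> file` order sent stderr to the log instead).
          npm audit --omit=dev >> ../npm-security-report.md 2>&1 || true

      - name: Check for high/critical vulnerabilities
        working-directory: web
        run: |
          # Report-only: a non-zero exit from npm audit is turned into a workflow
          # warning and does NOT fail the job. Remove the `|| echo ...` to make
          # high/critical production advisories a hard gate.
          npm audit --omit=dev --audit-level=high 2>&1 || echo "::warning::npm audit found high/critical vulnerabilities"

      - name: Upload npm audit report
        uses: actions/upload-artifact@v7
        if: always()
        with:
          name: npm-security-report
          path: npm-security-report.md
          retention-days: 30

  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-24.04
    timeout-minutes: 10
    if: github.event_name == 'pull_request'
    # comment-summary-in-pr writes a PR comment, which the read-only workflow
    # default does not allow; grant it for this job only.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Checkout pacs_system
        uses: actions/checkout@v4

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          # Only critical advisories block the PR; `high` would match the
          # threshold used by the npm audit job.
          fail-on-severity: critical
          comment-summary-in-pr: always

  dicom-security-check:
    name: DICOM Security Check
    runs-on: ubuntu-24.04
    timeout-minutes: 15
    steps:
      - name: Checkout pacs_system
        uses: actions/checkout@v4

      - name: Check for DICOM security best practices
        # Keyword-presence heuristics over the C++ sources. A hit only shows the
        # topic is mentioned somewhere; it is not evidence that TLS,
        # authentication or input validation is implemented or enabled.
        run: |
          # Quiet search: only the exit status feeds the condition, so matching
          # source lines are not dumped into the build log.
          has_pattern() {
            grep -rq "$1" --include="*.cpp" --include="*.hpp" --include="*.h" src/ include/ 2>/dev/null
          }

          {
            echo "# DICOM Security Best Practices Check"
            echo ""

            # Check for TLS configuration
            echo "## TLS Configuration"
            if has_pattern "TLS\|SSL\|secure"; then
              echo "✅ TLS/SSL references found in source code"
            else
              echo "⚠️ No explicit TLS/SSL configuration found"
            fi

            # Check for authentication
            echo ""
            echo "## Authentication"
            if has_pattern "auth\|credential\|password"; then
              echo "✅ Authentication-related code found"
            else
              echo "⚠️ No explicit authentication handling found"
            fi

            # Check for input validation
            echo ""
            echo "## Input Validation"
            # Previously `grep ... | head -5`: without pipefail the pipeline's
            # status is head's (always 0), so the else branch was unreachable.
            if has_pattern "validate\|sanitize\|check"; then
              echo "✅ Input validation patterns found"
            else
              echo "⚠️ Limited input validation found"
            fi
          } > dicom_security_report.md

          cat dicom_security_report.md

      - name: Upload DICOM security report
        uses: actions/upload-artifact@v7
        if: always()
        with:
          name: dicom-security-report
          path: dicom_security_report.md
          retention-days: 30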