1+ name : OSVM Security Audit
2+
3+ on :
4+ workflow_dispatch :
5+ inputs :
6+ repository :
7+ description : ' Repository to audit (owner/repo)'
8+ required : true
9+ type : string
10+ branch :
11+ description : ' Branch to audit'
12+ required : true
13+ default : ' main'
14+ type : string
15+ ai_analysis :
16+ description : ' Enable AI-powered analysis'
17+ required : false
18+ default : false
19+ type : boolean
20+
21+ jobs :
22+ security-audit :
23+ runs-on : ubuntu-latest
24+
25+ permissions :
26+ contents : write
27+ pull-requests : write
28+
29+ steps :
30+ - name : Checkout OSVM CLI
31+ uses : actions/checkout@v4
32+ with :
33+ repository : openSVM/osvm-cli
34+ path : osvm-cli
35+
36+ - name : Setup Rust
37+ uses : actions-rust-lang/setup-rust-toolchain@v1
38+ with :
39+ toolchain : stable
40+
41+ - name : Install Typst
42+ run : |
43+ set -e
44+ TYPST_VERSION="v0.12.0"
45+ TYPST_URL="https://github.com/typst/typst/releases/download/${TYPST_VERSION}/typst-x86_64-unknown-linux-musl.tar.xz"
46+ EXPECTED_SHA256="c64bbad2e44b6b8d5b61f3d96b4e51c4bdcfdc9e6ac5a7e25ade2c2e1b81b70c"
47+
48+ # Download with integrity verification
49+ curl -fsSL "$TYPST_URL" -o typst.tar.xz
50+ echo "${EXPECTED_SHA256} typst.tar.xz" | sha256sum -c || {
51+ echo "❌ Typst checksum verification failed"
52+ exit 1
53+ }
54+
55+ tar -xf typst.tar.xz
56+ sudo mv typst-x86_64-unknown-linux-musl/typst /usr/local/bin/
57+ rm -rf typst.tar.xz typst-x86_64-unknown-linux-musl/
58+ typst --version
59+
60+ - name : Build OSVM CLI
61+ run : |
62+ cd osvm-cli
63+ cargo build --release
64+
65+ - name : Run tests
66+ run : |
67+ cd osvm-cli
68+ cargo test --release
69+
70+ - name : Setup Git for audit commits
71+ run : |
72+ set -e
73+ # Use local git config to avoid affecting other jobs
74+ cd osvm-cli
75+ git config user.name "OSVM Security Audit Bot"
76+ git config user.email "[email protected] " 77+
78+ - name : Run Security Audit
79+ env :
80+ OPENAI_API_KEY : ${{ secrets.OPENAI_API_KEY }}
81+ run : |
82+ set -e
83+ cd osvm-cli
84+ AI_FLAG=""
85+ if [ "${{ github.event.inputs.ai_analysis }}" == "true" ]; then
86+ AI_FLAG="--ai-analysis"
87+ fi
88+ ./target/release/osvm audit \
89+ --gh "${{ github.event.inputs.repository }}#${{ github.event.inputs.branch }}" \
90+ --format both \
91+ --verbose \
92+ ${AI_FLAG} || {
93+ echo "❌ Security audit failed or found critical issues"
94+ echo "📋 This is expected behavior for repositories with security vulnerabilities"
95+ exit 1
96+ }
97+
98+ - name : Create audit summary
99+ id : audit_summary
100+ if : always()
101+ run : |
102+ set -e
103+ cd osvm-cli
104+ echo "## 🔍 OSVM Security Audit Completed" >> $GITHUB_STEP_SUMMARY
105+ echo "" >> $GITHUB_STEP_SUMMARY
106+ echo "**Repository:** ${{ github.event.inputs.repository }}" >> $GITHUB_STEP_SUMMARY
107+ echo "**Branch:** ${{ github.event.inputs.branch }}" >> $GITHUB_STEP_SUMMARY
108+ echo "**AI Analysis:** ${{ github.event.inputs.ai_analysis }}" >> $GITHUB_STEP_SUMMARY
109+ echo "**Timestamp:** $(date -u)" >> $GITHUB_STEP_SUMMARY
110+ echo "" >> $GITHUB_STEP_SUMMARY
111+ echo "A new audit branch has been created in the target repository with:" >> $GITHUB_STEP_SUMMARY
112+ echo "- 📄 Typst audit report source" >> $GITHUB_STEP_SUMMARY
113+ echo "- 📋 PDF audit report (if Typst compilation succeeded)" >> $GITHUB_STEP_SUMMARY
114+ echo "- 🔍 Comprehensive security findings and recommendations" >> $GITHUB_STEP_SUMMARY
115+ echo "" >> $GITHUB_STEP_SUMMARY
116+ echo "Check the target repository for the new audit branch starting with \`osvm-audit-\`" >> $GITHUB_STEP_SUMMARY
117+ echo "" >> $GITHUB_STEP_SUMMARY
118+ if [ "${{ job.status }}" != "success" ]; then
119+ echo "⚠️ **Note:** Audit process exited with code 1, indicating critical or high-severity security findings were detected." >> $GITHUB_STEP_SUMMARY
120+ echo "This is intended behavior to alert CI/CD systems about security issues that require attention." >> $GITHUB_STEP_SUMMARY
121+ fi
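Review bot: The `workflow_dispatch` inputs are interpolated straight into shell scripts with `${{ github.event.inputs.repository }}` and `${{ github.event.inputs.branch }}` in the Run Security Audit step (file lines 88–89) and again in the Create audit summary step (lines 106–108); the expression is substituted before bash runs, so a value containing quotes or shell metacharacters becomes part of the command rather than data. Because the job also runs with `contents: write` and carries `OPENAI_API_KEY` in its environment, the usual hardening is to pass each input through an `env:` entry and reference it as a quoted shell variable, which keeps the value opaque to the shell; the same applies to the `ai_analysis` comparison on line 85 and the three `echo` lines in the summary step. Separately, `actions/checkout@v4` and `actions-rust-lang/setup-rust-toolchain@v1` are pinned by mutable tag; pinning to a full commit SHA with the tag in a trailing comment would give them the same integrity guarantee the Typst download already gets from its `sha256sum -c` check.
```yaml
      - name: Run Security Audit
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
          TARGET_REPO: ${{ github.event.inputs.repository }}
          TARGET_BRANCH: ${{ github.event.inputs.branch }}
          AI_ANALYSIS: ${{ github.event.inputs.ai_analysis }}
        run: |
          set -e
          cd osvm-cli
          AI_FLAG=""
          if [ "${AI_ANALYSIS}" == "true" ]; then
            AI_FLAG="--ai-analysis"
          fi
          ./target/release/osvm audit \
            --gh "${TARGET_REPO}#${TARGET_BRANCH}" \
          # … unchanged: --format both, --verbose, ${AI_FLAG} and the failure handler …
```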