Add AuditorSEC Governance Charter v1.0 (#225) #214
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Quality Gates | |
| on: | |
| push: | |
| branches: [ main, develop, safe-improvements ] | |
| pull_request: | |
| branches: [ main, develop ] | |
| jobs: | |
| security-scan: | |
| runs-on: ubuntu-latest | |
| name: Security Scanning | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '18' | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Run security audit | |
| run: npm audit --audit-level=moderate | |
| - name: CodeQL Analysis | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: javascript | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 | |
| - name: SAST Scan with Semgrep | |
| run: | | |
| pip install semgrep | |
| semgrep --config=p/security-audit --config=p/secrets --config=p/owasp-top-ten . || echo "Semgrep scan completed with findings" | |
| continue-on-error: true | |
| - name: Dependency Check | |
| run: | | |
| npm audit --json > reports/npm-audit.json || true | |
| echo "Dependency check completed" | |
| continue-on-error: true | |
| - name: Upload security results | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: security-scan-results | |
| path: reports/ | |
| if: always() | |
| code-quality: | |
| runs-on: ubuntu-latest | |
| name: Code Quality Check | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '18' | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Run ESLint | |
| run: npm run lint | |
| - name: Run tests with coverage | |
| run: npm run test:coverage | |
| - name: SonarCloud Scan | |
| run: | | |
| echo "SonarCloud scan would run here" | |
| echo "Skipping SonarCloud scan - token not configured" | |
| continue-on-error: true | |
| security-policy-check: | |
| runs-on: ubuntu-latest | |
| name: Security Policy Validation | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Check security policy compliance | |
| run: | | |
| echo "Validating security policies..." | |
| # Check for required security files | |
| test -f SECURITY.md && echo "✅ SECURITY.md found" || echo "⚠️ SECURITY.md not found" | |
| test -f .github/SECURITY.md && echo "✅ .github/SECURITY.md found" || echo "⚠️ .github/SECURITY.md not found" | |
| # Validate security configuration | |
| test -f .github/dependabot.yml && echo "✅ dependabot.yml found" || echo "⚠️ dependabot.yml not found" | |
| # Check for security headers in web configs | |
| grep -r "Content-Security-Policy" . || echo "Warning: CSP headers not found" | |
| echo "Security policy validation completed" | |
| vulnerability-assessment: | |
| runs-on: ubuntu-latest | |
| name: Vulnerability Assessment | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '18' | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Run vulnerability scan | |
| run: | | |
| npm audit --audit-level=moderate || echo "npm audit completed with warnings" | |
| continue-on-error: true | |
| - name: OWASP ZAP Baseline Scan | |
| run: | | |
| echo "OWASP ZAP baseline scan would run here" | |
| echo "Skipping ZAP scan - requires running application" | |
| echo "✅ Vulnerability assessment placeholder completed" | |
| continue-on-error: true |