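# Lightweight security gate for the Rust sources under rust/.
# It greps for known-bad patterns, refuses to let private deployment files
# land on GitHub, flags pull requests that touch security-sensitive files,
# and runs cargo-audit against the crate's dependency set.
name: Security Check

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Read-only token: nothing here writes to the repository, and the workflow
# also runs for pull requests from forks.
permissions:
  contents: read

jobs:
  security:
    name: Security Scan
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): pin third-party actions to a full commit SHA rather than
      # a mutable tag so a re-pointed tag cannot change what runs here.
      - uses: actions/checkout@v4
        with:
          # Full history is required: the "Critical files check" step diffs
          # against origin/main, which a default depth-1 checkout does not
          # contain, so the diff would fail and the check would report
          # "no critical files modified" for every PR.
          fetch-depth: 0

      - name: Check for dangerous patterns
        run: |
          echo "## Security Pattern Scan" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          FOUND=0   # any finding, warning or error
          ERRORS=0  # error-class findings; these fail the job

          # Check for unauthorized network libraries
          # Allowed: ureq (used for opt-in cloud sync, updates, error reports)
          # Allowed: std::net::TcpListener (used for local dashboard server)
          # Blocked: reqwest, hyper (heavy HTTP clients not needed)
          if grep -rn 'reqwest::' rust/src/ 2>/dev/null; then
            echo "::warning::Found reqwest usage — use ureq instead"
            echo "- ⚠️ Found reqwest usage (use ureq)" >> "$GITHUB_STEP_SUMMARY"
            FOUND=1
          fi
          if grep -rn 'hyper::' rust/src/ 2>/dev/null; then
            echo "::warning::Found hyper usage — use ureq instead"
            echo "- ⚠️ Found hyper usage (use ureq)" >> "$GITHUB_STEP_SUMMARY"
            FOUND=1
          fi

          # Check for unsafe code (counted and listed; advisory only)
          UNSAFE_COUNT=$(grep -rn 'unsafe {' rust/src/ 2>/dev/null | wc -l)
          if [ "$UNSAFE_COUNT" -gt 0 ]; then
            echo "::warning::Found $UNSAFE_COUNT unsafe blocks"
            echo "- ⚠️ Found $UNSAFE_COUNT unsafe blocks" >> "$GITHUB_STEP_SUMMARY"
            grep -rn 'unsafe {' rust/src/ >> "$GITHUB_STEP_SUMMARY"
            FOUND=1
          fi

          # Check for environment manipulation (loader hijack vectors).
          # These are emitted as ::error:: and therefore fail the job.
          if grep -rn '\.env("LD_PRELOAD")' rust/src/ 2>/dev/null; then
            echo "::error::Found LD_PRELOAD manipulation — potential library hijacking"
            echo "- ❌ Found LD_PRELOAD manipulation" >> "$GITHUB_STEP_SUMMARY"
            FOUND=1
            ERRORS=1
          fi
          if grep -rn '\.env("DYLD_' rust/src/ 2>/dev/null; then
            echo "::error::Found DYLD manipulation — potential library hijacking"
            echo "- ❌ Found DYLD manipulation" >> "$GITHUB_STEP_SUMMARY"
            FOUND=1
            ERRORS=1
          fi

          # Check for hardcoded secrets patterns.
          # Only file names are printed (-l): the job log is readable by anyone
          # who can see the repository, so echoing the matching line would
          # republish the very credential this check is meant to catch.
          if grep -rl 'sk_live_\|sk_test_\|AKIA[0-9A-Z]\|ghp_[a-zA-Z0-9]' rust/src/ 2>/dev/null; then
            echo "::error::Found potential hardcoded secrets"
            echo "- ❌ Found potential hardcoded secrets" >> "$GITHUB_STEP_SUMMARY"
            FOUND=1
            ERRORS=1
          fi

          # Check for shell injection vectors.
          # NOTE(review): this only matches the exact single-line chain
          # Command::new("sh").arg("-c").arg(format!(...)); the same bug split
          # over several lines or built via a variable is not detected.
          SHELL_INJECT=$(grep -rn 'Command::new("sh")\.arg("-c")\.arg(format!' rust/src/ 2>/dev/null | wc -l)
          if [ "$SHELL_INJECT" -gt 0 ]; then
            echo "::warning::Found $SHELL_INJECT potential shell injection vectors"
            echo "- ⚠️ Found $SHELL_INJECT shell injection patterns" >> "$GITHUB_STEP_SUMMARY"
            FOUND=1
          fi

          # Check for unwrap() in production code (excluding tests).
          # The exclusion is line-based: it drops lines that themselves contain
          # '#[test]' or 'mod tests', not lines inside test modules, so the
          # count is an over-estimate and is reported as information only.
          UNWRAP_COUNT=$(grep -rn '\.unwrap()' rust/src/ 2>/dev/null | grep -v '#\[test\]' | grep -v 'mod tests' | wc -l)
          echo "- ℹ️ Found $UNWRAP_COUNT .unwrap() calls in src/" >> "$GITHUB_STEP_SUMMARY"

          if [ "$FOUND" -eq 0 ]; then
            echo "" >> "$GITHUB_STEP_SUMMARY"
            echo "✅ No dangerous patterns detected" >> "$GITHUB_STEP_SUMMARY"
          fi

          # Warnings stay advisory; error-class findings (loader hijacking,
          # hardcoded secrets) fail the job instead of being annotation-only.
          if [ "$ERRORS" -ne 0 ]; then
            exit 1
          fi

      - name: Proprietary code guardrail
        run: |
          echo "## Proprietary Code Guard" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          LEAK=0
          # Paths that must only ever exist in the private (GitLab) tree.
          PRIVATE_PATHS="cloud/ docker-compose.yml .gitlab-ci.yml deploy.sh DEVELOPMENT.md Makefile.deploy"
          for path in $PRIVATE_PATHS; do
            if [ -e "$path" ]; then
              echo "::error::PROPRIETARY CODE DETECTED: $path exists in the GitHub repository!"
              echo "- **$path** — must not be on GitHub" >> "$GITHUB_STEP_SUMMARY"
              LEAK=1
            fi
          done
          if [ "$LEAK" -eq 1 ]; then
            echo "" >> "$GITHUB_STEP_SUMMARY"
            echo "These paths belong on GitLab only. See .github-ignore." >> "$GITHUB_STEP_SUMMARY"
            exit 1
          fi
          echo "No proprietary code found." >> "$GITHUB_STEP_SUMMARY"

      - name: Critical files check
        if: github.event_name == 'pull_request'
        run: |
          echo "## Critical Files Modified" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          # Path prefixes whose modification needs a human security review.
          CRITICAL_FILES="rust/src/shell.rs rust/src/server.rs rust/src/hooks.rs rust/src/core/cache.rs rust/Cargo.toml .github/workflows"
          FOUND_CRITICAL=0
          # Resolve the change set once. Under `bash -e` a missing origin/main
          # ref aborts the step here, rather than being swallowed inside an
          # `if` and silently reporting "no critical files modified".
          CHANGED=$(git diff --name-only origin/main...HEAD)
          for file in $CRITICAL_FILES; do
            # -F: match the path as a literal string, not a regex ('.' in
            # 'cache.rs' would otherwise match any character).
            if printf '%s\n' "$CHANGED" | grep -qF -- "$file"; then
              echo "- ⚠️ **$file** modified (requires security review)" >> "$GITHUB_STEP_SUMMARY"
              FOUND_CRITICAL=1
            fi
          done
          if [ "$FOUND_CRITICAL" -eq 0 ]; then
            echo "✅ No critical files modified" >> "$GITHUB_STEP_SUMMARY"
          fi

      - name: Dependency audit
        run: |
          # --locked builds cargo-audit from its own lockfile instead of
          # resolving fresh dependency versions on every run.
          # NOTE(review): consider also pinning --version (or caching the
          # binary) so the gate itself is reproducible.
          cargo install cargo-audit --locked
          cd rust
          # The default `bash -e` shell has no pipefail, so `cargo audit | tee`
          # would always succeed and a vulnerable dependency set could never
          # fail this step. Capture the audit's own exit status explicitly,
          # write the summary, then propagate that status.
          set +e
          cargo audit 2>&1 | tee audit-output.txt
          AUDIT_STATUS=${PIPESTATUS[0]}
          set -e
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "## Dependency Audit" >> "$GITHUB_STEP_SUMMARY"
          echo '```' >> "$GITHUB_STEP_SUMMARY"
          cat audit-output.txt >> "$GITHUB_STEP_SUMMARY"
          echo '```' >> "$GITHUB_STEP_SUMMARY"
          exit "$AUDIT_STATUS"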