Toxic/minecraft-renew-mod
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
minecraft-renew-mod/.gitea/workflows/security-scan.yml
ToxicCrzay270 5e6a3e0450
Some checks failed
Build / build (push) Successful in 6m29s
Details
Release Dry Run / release-dry-run (push) Failing after 11s
Details
Codex Template Compliance / template-compliance (push) Successful in 4s
Details
Initial Minecraft Renew Mod workspace
2026-05-15 00:42:16 +02:00

132 lines
3.7 KiB
YAML
Raw Permalink Blame History

name: Scheduled Security Scan
on:
schedule:
- cron: "17 3 * * 1"
workflow_dispatch:
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Java
uses: actions/setup-java@v4
with:
distribution: temurin
java-version: "21"
- name: Gradle dependency report
working-directory: create-limited-draining
run: ./gradlew dependencies --configuration runtimeClasspath --no-daemon
- name: Suspicious code pattern scan
shell: bash
run: |
grep_excludes=(
--exclude-dir=.git
--exclude-dir=.codex-agent-repository-kit
--exclude-dir=.gradle
--exclude-dir=build
--exclude-dir=run
--exclude=security-scan.yml
)
patterns=(
'eval\s*\('
'new Function\s*\('
'Runtime\.getRuntime\(\)\.exec'
'ProcessBuilder\s*\('
'curl .*sh'
'wget .*sh'
)
found=0
for pattern in "${patterns[@]}"; do
if grep -RInE "${grep_excludes[@]}" "$pattern" .; then
found=1
fi
done
if [ "$found" -eq 1 ]; then
echo "Suspicious code patterns were found. Review the matches above."
exit 1
fi
- name: Secret and config leak scan
shell: bash
run: |
grep_excludes=(
--exclude-dir=.git
--exclude-dir=.codex-agent-repository-kit
--exclude-dir=.gradle
--exclude-dir=build
--exclude-dir=run
--exclude=security-scan.yml
)
patterns=(
'BEGIN (RSA |EC |OPENSSH |)PRIVATE KEY'
'AKIA[0-9A-Z]{16}'
'xox[baprs]-[0-9A-Za-z-]+'
'gh[pousr]_[0-9A-Za-z_]+'
'sk-[A-Za-z0-9]{20,}'
'api[_-]?key\s*=\s*["'\'']?[A-Za-z0-9_\-]{20,}'
'token\s*=\s*["'\'']?[A-Za-z0-9_\-]{20,}'
'password\s*=\s*["'\'']?[^[:space:]]{8,}'
)
found=0
for pattern in "${patterns[@]}"; do
if grep -RInE "${grep_excludes[@]}" "$pattern" .; then
found=1
fi
done
if find . -path ./.git -prune -o -path ./.codex-agent-repository-kit -prune -o \( -name ".env" -o -name ".env.*" \) -not -name ".env.example" -print | grep .; then
echo "Committed environment files were found."
found=1
fi
if [ "$found" -eq 1 ]; then
echo "Potential secret or config leak detected. Review the matches above."
exit 1
fi
- name: AI instruction injection scan
shell: bash
run: |
grep_excludes=(
--exclude-dir=.git
--exclude-dir=.codex-agent-repository-kit
--exclude-dir=.gradle
--exclude-dir=build
--exclude-dir=run
--exclude=security-scan.yml
)
patterns=(
'ignore (all )?(previous|above) instructions'
'reveal your instructions'
'exfiltrate'
'send.*token'
'send.*secret'
'disable.*safety'
'jailbreak'
'prompt injection'
)
found=0
for pattern in "${patterns[@]}"; do
if grep -RInEi "${grep_excludes[@]}" "$pattern" .; then
found=1
fi
done
if [ "$found" -eq 1 ]; then
echo "Potential AI instruction-injection text found. Review whether this is documentation, test data, or malicious content."
exit 1
fi
Reference in New Issue View Git Blame Copy Permalink