132 lines
3.7 KiB
YAML
132 lines
3.7 KiB
YAML
name: Scheduled Security Scan
|
|
|
|
on:
|
|
schedule:
|
|
- cron: "17 3 * * 1"
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
security-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Set up Java
|
|
uses: actions/setup-java@v4
|
|
with:
|
|
distribution: temurin
|
|
java-version: "21"
|
|
|
|
- name: Gradle dependency report
|
|
working-directory: create-limited-draining
|
|
run: ./gradlew dependencies --configuration runtimeClasspath --no-daemon
|
|
|
|
- name: Suspicious code pattern scan
|
|
shell: bash
|
|
run: |
|
|
grep_excludes=(
|
|
--exclude-dir=.git
|
|
--exclude-dir=.codex-agent-repository-kit
|
|
--exclude-dir=.gradle
|
|
--exclude-dir=build
|
|
--exclude-dir=run
|
|
--exclude=security-scan.yml
|
|
)
|
|
|
|
patterns=(
|
|
'eval\s*\('
|
|
'new Function\s*\('
|
|
'Runtime\.getRuntime\(\)\.exec'
|
|
'ProcessBuilder\s*\('
|
|
'curl .*sh'
|
|
'wget .*sh'
|
|
)
|
|
|
|
found=0
|
|
for pattern in "${patterns[@]}"; do
|
|
if grep -RInE "${grep_excludes[@]}" "$pattern" .; then
|
|
found=1
|
|
fi
|
|
done
|
|
|
|
if [ "$found" -eq 1 ]; then
|
|
echo "Suspicious code patterns were found. Review the matches above."
|
|
exit 1
|
|
fi
|
|
|
|
- name: Secret and config leak scan
|
|
shell: bash
|
|
run: |
|
|
grep_excludes=(
|
|
--exclude-dir=.git
|
|
--exclude-dir=.codex-agent-repository-kit
|
|
--exclude-dir=.gradle
|
|
--exclude-dir=build
|
|
--exclude-dir=run
|
|
--exclude=security-scan.yml
|
|
)
|
|
|
|
patterns=(
|
|
'BEGIN (RSA |EC |OPENSSH |)PRIVATE KEY'
|
|
'AKIA[0-9A-Z]{16}'
|
|
'xox[baprs]-[0-9A-Za-z-]+'
|
|
'gh[pousr]_[0-9A-Za-z_]+'
|
|
'sk-[A-Za-z0-9]{20,}'
|
|
'api[_-]?key\s*=\s*["'\'']?[A-Za-z0-9_\-]{20,}'
|
|
'token\s*=\s*["'\'']?[A-Za-z0-9_\-]{20,}'
|
|
'password\s*=\s*["'\'']?[^[:space:]]{8,}'
|
|
)
|
|
|
|
found=0
|
|
for pattern in "${patterns[@]}"; do
|
|
if grep -RInE "${grep_excludes[@]}" "$pattern" .; then
|
|
found=1
|
|
fi
|
|
done
|
|
|
|
if find . -path ./.git -prune -o -path ./.codex-agent-repository-kit -prune -o \( -name ".env" -o -name ".env.*" \) -not -name ".env.example" -print | grep .; then
|
|
echo "Committed environment files were found."
|
|
found=1
|
|
fi
|
|
|
|
if [ "$found" -eq 1 ]; then
|
|
echo "Potential secret or config leak detected. Review the matches above."
|
|
exit 1
|
|
fi
|
|
|
|
- name: AI instruction injection scan
|
|
shell: bash
|
|
run: |
|
|
grep_excludes=(
|
|
--exclude-dir=.git
|
|
--exclude-dir=.codex-agent-repository-kit
|
|
--exclude-dir=.gradle
|
|
--exclude-dir=build
|
|
--exclude-dir=run
|
|
--exclude=security-scan.yml
|
|
)
|
|
|
|
patterns=(
|
|
'ignore (all )?(previous|above) instructions'
|
|
'reveal your instructions'
|
|
'exfiltrate'
|
|
'send.*token'
|
|
'send.*secret'
|
|
'disable.*safety'
|
|
'jailbreak'
|
|
'prompt injection'
|
|
)
|
|
|
|
found=0
|
|
for pattern in "${patterns[@]}"; do
|
|
if grep -RInEi "${grep_excludes[@]}" "$pattern" .; then
|
|
found=1
|
|
fi
|
|
done
|
|
|
|
if [ "$found" -eq 1 ]; then
|
|
echo "Potential AI instruction-injection text found. Review whether this is documentation, test data, or malicious content."
|
|
exit 1
|
|
fi
|