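# Automated security triage for pull requests. Each step appends its findings
# to the job summary and emits a `::warning::` annotation; the job never fails
# a PR by itself — the verdict at the end is for a human reviewer.
#
# Note: `run:` steps with no explicit `shell:` execute under `bash -e` without
# `pipefail`, so an `if cmd | other` condition tests the status of `other`,
# not `cmd`. The steps below are written with that in mind.
name: Security Check

# yamllint disable-line rule:truthy
on:
  pull_request:
    branches: [master]

# Least privilege: the job only reads the checkout and writes the step summary
# file, so the token needs no write scope on pull requests.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always
  # Base branch of the PR, exposed through the environment rather than
  # interpolated into scripts so the branch name never reaches the shell as
  # code. All three diff-based checks below compare against it.
  BASE_REF: ${{ github.base_ref }}

jobs:
  security:
    name: Security Scan
    runs-on: ubuntu-latest
    steps:
      # TODO(security): pin third-party actions to a full commit SHA
      # (e.g. actions/checkout@<commit-sha>) instead of a mutable tag.
      - name: Checkout PR
        uses: actions/checkout@v4
        with:
          # Full history so origin/<base> exists for the three-dot diffs below.
          fetch-depth: 0

      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          # The Clippy step needs this component; it is not guaranteed to be
          # present with the toolchain otherwise.
          components: clippy

      - name: Install cargo-audit
        # --locked builds from the crate's own lockfile so the audit tool's
        # dependency tree is not re-resolved on every run.
        run: cargo install cargo-audit --locked

      - name: Cargo Audit (CVE check)
        run: |
          echo "## 🔍 Security Scan Results" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "### 📦 Dependency Vulnerabilities" >> "$GITHUB_STEP_SUMMARY"
          # Write to a file and test cargo-audit's own exit status. With
          # `cargo audit | tee audit.log` the `if` would see tee's status
          # (always 0), so the vulnerable branch could never be taken.
          if cargo audit > audit.log 2>&1; then
            cat audit.log
            echo "✅ No known vulnerabilities detected" >> "$GITHUB_STEP_SUMMARY"
          else
            cat audit.log
            echo "⚠️ Vulnerabilities found:" >> "$GITHUB_STEP_SUMMARY"
            echo '```' >> "$GITHUB_STEP_SUMMARY"
            cat audit.log >> "$GITHUB_STEP_SUMMARY"
            echo '```' >> "$GITHUB_STEP_SUMMARY"
            echo "::warning::Dependency vulnerabilities detected - review required"
          fi
          echo "" >> "$GITHUB_STEP_SUMMARY"

      - name: Critical files check
        run: |
          # Fail loudly rather than silently diffing against a missing ref.
          : "${BASE_REF:?github.base_ref is empty}"
          echo "### 🎯 Critical Files Modified" >> "$GITHUB_STEP_SUMMARY"
          # Besides the original list: Cargo.lock pins the resolved dependency
          # versions, build.rs runs at compile time, and workflow files may use
          # either extension.
          CRITICAL=$(git diff --name-only "origin/$BASE_REF...HEAD" | grep -E "(runner|summary|tracking|init|pnpm_cmd|container|build)\.rs|Cargo\.(toml|lock)|workflows/.*\.ya?ml" || true)
          if [ -n "$CRITICAL" ]; then
            echo "⚠️ **HIGH RISK**: The following critical files were modified:" >> "$GITHUB_STEP_SUMMARY"
            echo '```' >> "$GITHUB_STEP_SUMMARY"
            echo "$CRITICAL" >> "$GITHUB_STEP_SUMMARY"
            echo '```' >> "$GITHUB_STEP_SUMMARY"
            echo "" >> "$GITHUB_STEP_SUMMARY"
            echo "**Required Actions:**" >> "$GITHUB_STEP_SUMMARY"
            echo "- [ ] Manual security review by 2 maintainers" >> "$GITHUB_STEP_SUMMARY"
            echo "- [ ] Verify no shell injection vectors" >> "$GITHUB_STEP_SUMMARY"
            echo "- [ ] Check input validation remains intact" >> "$GITHUB_STEP_SUMMARY"
            echo "::warning::Critical RTK files modified - enhanced review required"
          else
            echo "✅ No critical files modified" >> "$GITHUB_STEP_SUMMARY"
          fi
          echo "" >> "$GITHUB_STEP_SUMMARY"

      - name: Dangerous patterns scan
        run: |
          echo "### 🚨 Dangerous Code Patterns" >> "$GITHUB_STEP_SUMMARY"
          # Only added lines are scanned. Without the `^\+` filter, removed
          # and context lines matched too, so code being deleted was reported
          # as newly introduced.
          PATTERNS=$(git diff "origin/$BASE_REF...HEAD" | grep -E "^\+" | grep -v "^\+\+\+" | grep -E "Command::new\(\"sh\"|Command::new\(\"bash\"|\.env\(\"LD_PRELOAD|\.env\(\"PATH|reqwest::|std::net::|TcpStream|UdpSocket|unsafe \{|\.unwrap\(\) |panic!\(|todo!\(|unimplemented!\(" || true)
          if [ -n "$PATTERNS" ]; then
            echo "⚠️ **Potentially dangerous patterns detected:**" >> "$GITHUB_STEP_SUMMARY"
            echo '```diff' >> "$GITHUB_STEP_SUMMARY"
            echo "$PATTERNS" | head -30 >> "$GITHUB_STEP_SUMMARY"
            echo '```' >> "$GITHUB_STEP_SUMMARY"
            echo "" >> "$GITHUB_STEP_SUMMARY"
            echo "**Security Concerns:**" >> "$GITHUB_STEP_SUMMARY"
            # Fixed-string (-F) or ERE (-E) matching throughout. In the
            # previous BRE form an unbalanced `\(` made grep exit with an
            # error, so the .env and panic concerns were never printed.
            echo "$PATTERNS" | grep -qF 'Command::new' && echo "- Shell command execution detected" >> "$GITHUB_STEP_SUMMARY" || true
            echo "$PATTERNS" | grep -qF '.env("' && echo "- Environment variable manipulation" >> "$GITHUB_STEP_SUMMARY" || true
            echo "$PATTERNS" | grep -qE 'reqwest::|std::net::|TcpStream|UdpSocket' && echo "- Network operations added" >> "$GITHUB_STEP_SUMMARY" || true
            echo "$PATTERNS" | grep -qF 'unsafe' && echo "- Unsafe code blocks" >> "$GITHUB_STEP_SUMMARY" || true
            echo "$PATTERNS" | grep -qE '\.unwrap\(\)|panic!\(' && echo "- Panic-inducing code" >> "$GITHUB_STEP_SUMMARY" || true
            echo "::warning::Dangerous code patterns detected - manual review required"
          else
            echo "✅ No dangerous patterns detected" >> "$GITHUB_STEP_SUMMARY"
          fi
          echo "" >> "$GITHUB_STEP_SUMMARY"

      - name: New dependencies check
        run: |
          echo "### 📚 Dependencies Changes" >> "$GITHUB_STEP_SUMMARY"
          # Heuristic: any added `key = value` line in Cargo.toml. Edits to
          # existing entries (version bumps, package metadata) match as well,
          # so the list is a prompt for review, not a strict set of new crates.
          if git diff "origin/$BASE_REF...HEAD" -- Cargo.toml | grep -E "^\+.*=" | grep -v "^\+\+\+" > new_deps.txt; then
            echo "⚠️ **New dependencies added:**" >> "$GITHUB_STEP_SUMMARY"
            echo '```toml' >> "$GITHUB_STEP_SUMMARY"
            cat new_deps.txt >> "$GITHUB_STEP_SUMMARY"
            echo '```' >> "$GITHUB_STEP_SUMMARY"
            echo "" >> "$GITHUB_STEP_SUMMARY"
            echo "**Required Actions:**" >> "$GITHUB_STEP_SUMMARY"
            echo "- [ ] Audit each new dependency on crates.io" >> "$GITHUB_STEP_SUMMARY"
            echo "- [ ] Check maintainer reputation and download counts" >> "$GITHUB_STEP_SUMMARY"
            echo "- [ ] Verify no typosquatting (e.g., 'reqwest' vs 'request')" >> "$GITHUB_STEP_SUMMARY"
            echo "::warning::New dependencies require supply chain audit"
          else
            echo "✅ No new dependencies added" >> "$GITHUB_STEP_SUMMARY"
          fi
          echo "" >> "$GITHUB_STEP_SUMMARY"

      - name: Clippy security lints
        run: |
          echo "### 🔧 Clippy Security Lints" >> "$GITHUB_STEP_SUMMARY"
          # The `if` deliberately tests grep, not cargo: any warning/error
          # line (including a failed build) is surfaced as a finding.
          if cargo clippy --all-targets -- -W clippy::unwrap_used -W clippy::panic -W clippy::expect_used 2>&1 | tee clippy.log | grep -E "warning:|error:"; then
            echo "⚠️ Security-related lints triggered:" >> "$GITHUB_STEP_SUMMARY"
            echo '```' >> "$GITHUB_STEP_SUMMARY"
            grep -E "warning:|error:" clippy.log | head -20 >> "$GITHUB_STEP_SUMMARY"
            echo '```' >> "$GITHUB_STEP_SUMMARY"
            echo "::warning::Clippy security lints failed"
          else
            echo "✅ All security lints passed" >> "$GITHUB_STEP_SUMMARY"
          fi
          echo "" >> "$GITHUB_STEP_SUMMARY"

      - name: Summary verdict
        run: |
          echo "---" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "### 🎯 Security Review Verdict" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "**This is an automated security scan. A human maintainer must:**" >> "$GITHUB_STEP_SUMMARY"
          echo "1. Review all warnings above" >> "$GITHUB_STEP_SUMMARY"
          echo "2. Verify PR intent matches actual code changes" >> "$GITHUB_STEP_SUMMARY"
          echo "3. Check for subtle backdoors or logic bombs" >> "$GITHUB_STEP_SUMMARY"
          echo "4. Use \`/rtk-pr-security\` skill for comprehensive analysis" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "**For high-risk PRs (critical files modified):**" >> "$GITHUB_STEP_SUMMARY"
          echo "- Require approval from 2 maintainers" >> "$GITHUB_STEP_SUMMARY"
          echo "- Test in isolated environment before merge" >> "$GITHUB_STEP_SUMMARY"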