tracker-tracker/.github/workflows/security-audit.yml at main · bitglows/tracker-tracker · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
name: Security Audit

on:
  push:
    branches: [main]
  pull_request:
    branches: [main, development]

permissions:
  contents: read
  pull-requests: write
  issues: write

jobs:
  audit:
    name: Security Audit
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v6

      - uses: pnpm/action-setup@v5

      - uses: actions/setup-node@v6
        with:
          node-version: 20
          cache: pnpm

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Check for known dependency vulnerabilities
        run: pnpm audit --audit-level=high || echo "::warning::pnpm audit found high-severity vulnerabilities"

      - name: Verify security test count
        run: |
          COUNT=$(pnpm test:run -- src/lib/__tests__/security.test.ts 2>&1 \
            | sed 's/\x1b\[[0-9;]*m//g' \
            | grep 'security\.test\.ts' \
            | grep -oE '[0-9]+ test' \
            | grep -oE '[0-9]+')
          echo "Security tests: $COUNT"
          if [ "$COUNT" -lt 106 ]; then
            echo "::error::Security test count dropped below expected minimum (106). Was a test removed?"
            exit 1
          fi

      - name: Run security audit
        id: security-audit
        continue-on-error: true
        run: |
          pnpm exec tsx scripts/security-audit.ts > /tmp/security-results.json; echo "audit_exit=$?" >> "$GITHUB_OUTPUT"
          cat /tmp/security-results.json

      - name: Verify audit check count
        run: |
          if [ ! -f /tmp/security-results.json ]; then
            echo "::error::Security audit produced no output"
            exit 1
          fi
          TOTAL=$(python3 -c "import json; print(json.load(open('/tmp/security-results.json'))['summary']['total'])")
          echo "Audit checks: $TOTAL"
          if [ "$TOTAL" -lt 36 ]; then
            echo "::error::Audit check count dropped below expected minimum (36). Was a check removed?"
            exit 1
          fi

      - name: Comment on PR with security audit results
        if: github.event_name == 'pull_request'
        uses: actions/github-script@v8
        with:
          script: |
            const fs = require('fs');
            let data;
            try {
              const raw = fs.readFileSync('/tmp/security-results.json', 'utf8');
              data = JSON.parse(raw);
            } catch {
              console.log('No security audit results to comment on.');
              return;
            }

            const { results, summary } = data;
            const hasCritical = summary.critical > 0;
            const hasWarning = summary.warning > 0;

            const icon = hasCritical ? '🚫' : hasWarning ? '⚠️' : '✅';
            const title = hasCritical
              ? `${icon} Security audit failed`
              : hasWarning
                ? `${icon} Security audit passed with warnings`
                : `${icon} Security audit passed`;

            const lines = [`**${title}**`, ''];

            const criticalFails = results.filter(r => r.severity === 'critical' && r.status === 'fail');
            if (criticalFails.length > 0) {
              lines.push('### Critical Failures');
              lines.push('');
              lines.push('| Check | File | Details |');
              lines.push('|---|---|---|');
              for (const r of criticalFails) {
                for (const f of r.findings) {
                  const loc = f.line ? `${f.file}:${f.line}` : f.file;
                  lines.push(`| ${r.name} | \`${loc}\` | ${f.detail} |`);
                }
              }
              lines.push('');
            }

            const warningFails = results.filter(r => r.severity === 'warning' && r.status === 'fail');
            if (warningFails.length > 0) {
              lines.push('### Warnings');
              lines.push('');
              lines.push('| Check | File | Details |');
              lines.push('|---|---|---|');
              for (const r of warningFails) {
                for (const f of r.findings) {
                  const loc = f.line ? `${f.file}:${f.line}` : f.file;
                  lines.push(`| ${r.name} | \`${loc}\` | ${f.detail} |`);
                }
              }
              lines.push('');
            }

            const passed = results.filter(r => r.status === 'pass');
            if (passed.length > 0) {
              lines.push(`### Passed (${passed.length}/${results.length})`);
              lines.push('');
              for (const r of passed) {
                lines.push(`- ✅ ${r.name}`);
              }
              lines.push('');
            }

            lines.push('---');
            lines.push(`**Summary:** ${summary.passed}/${summary.total} checks passed`);
            if (summary.critical > 0) lines.push(` — **${summary.critical} critical failure(s)**`);
            if (summary.warning > 0) lines.push(` — ${summary.warning} warning(s)`);
            lines.push('');
            lines.push('See `scripts/security-audit.ts` for check definitions and `SECURITY.md` for the full security architecture.');

            const body = lines.join('\n');

            const { data: comments } = await github.rest.issues.listComments({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
            });
            const marker = 'Security audit';
            const existing = comments.find(c =>
              c.user?.login === 'github-actions[bot]' &&
              c.body?.includes(marker)
            );
            if (existing) {
              await github.rest.issues.updateComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                comment_id: existing.id,
                body,
              });
            } else {
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: context.issue.number,
                body,
              });
            }

      - name: Alert if security audit script was modified
        if: github.event_name == 'pull_request'
        uses: actions/github-script@v8
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
          GH_TOKEN: ${{ github.token }}
        with:
          script: |
            const { data: prFiles } = await github.rest.pulls.listFiles({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.issue.number,
              per_page: 100,
            });
            const files = prFiles.map(f => f.filename);

            const auditFiles = files.filter(f =>
              f === 'scripts/security-audit.ts' ||
              f === 'src/lib/__tests__/security.test.ts'
            );

            if (auditFiles.length === 0) return;

            const marker = 'Security audit file modification';
            const { data: comments } = await github.rest.issues.listComments({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
            });
            const existing = comments.find(c =>
              c.user?.login === 'github-actions[bot]' &&
              c.body?.includes(marker)
            );

            const body = [
              `**\u{1F6A8} ${marker} detected**`,
              '',
              'The following security-critical files were changed in this PR:',
              '',
              ...auditFiles.map(f => `- \`${f}\``),
              '',
              'These files guard the security posture of the project. Please review these changes carefully to ensure no checks were weakened or removed.',
            ].join('\n');

            if (existing) {
              await github.rest.issues.updateComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                comment_id: existing.id,
                body,
              });
            } else {
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: context.issue.number,
                body,
              });
            }

      - name: Fail if security audit has critical findings
        if: steps.security-audit.outputs.audit_exit != '0'
        run: exit 1