test(cli): expand scan.py coverage from 51% to 96% #26
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security | |
| # Consolidated security workflow. Replaces the standalone CodeQL workflow and | |
| # the 18-tool "comprehensive" arsenal with a focused, high-signal set whose | |
| # findings all land in the Security tab as SARIF: | |
| # | |
| # * CodeQL deep SAST (Python + JS/TS), security-and-quality queries | |
| # * Semgrep repo-specific invariants (.semgrep/decepticon-rules.yml), | |
| # hard gate on ERROR-severity findings | |
| # * Trivy dependency CVEs (fs) + IaC/Dockerfile misconfig (config) | |
| # * TruffleHog verified-secret detection across the PR diff | |
| # * Dependency review flags vulnerable / disallowed-license new deps on PRs | |
| # | |
| # Style / format / lint (ruff, shellcheck, hadolint, typos, gitleaks) run in | |
| # pre-commit (.pre-commit-config.yaml), with ruff additionally enforced by the | |
| # CI `python` job. They are intentionally NOT duplicated here — this workflow | |
| # is for security signal, not style. | |
| concurrency: | |
| group: security-${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| on: | |
| push: | |
| branches: [main] | |
| paths-ignore: | |
| - "*.md" | |
| - LICENSE | |
| - docs/** | |
| - assets/** | |
| - .gitignore | |
| pull_request: | |
| branches: [main] | |
| paths-ignore: | |
| - "*.md" | |
| - LICENSE | |
| - docs/** | |
| - assets/** | |
| - .gitignore | |
| schedule: | |
| # Weekly re-scan so newly-disclosed CVEs surface on an unchanged tree. | |
| - cron: "27 4 * * 1" | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| jobs: | |
| codeql: | |
| name: CodeQL (${{ matrix.language }}) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| actions: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| language: [python, javascript-typescript] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: github/codeql-action/init@v3 | |
| with: | |
| languages: ${{ matrix.language }} | |
| queries: security-and-quality | |
| - uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: "/language:${{ matrix.language }}" | |
| semgrep: | |
| name: Semgrep (repo rules — hard gate) | |
| runs-on: ubuntu-latest | |
| container: | |
| image: semgrep/semgrep:latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| # Blocks the run on ERROR-severity findings from the repo's own rules | |
| # (e.g. no hardcoded default LiteLLM key). Public rule packs are covered | |
| # by CodeQL's security-and-quality suite and are not re-run here. | |
| - name: Custom Decepticon rules (blocking on ERROR) | |
| run: | | |
| semgrep scan \ | |
| --error \ | |
| --metrics=off \ | |
| --severity=ERROR \ | |
| --sarif --sarif-output=semgrep.sarif \ | |
| --config=.semgrep/decepticon-rules.yml \ | |
| --exclude=node_modules --exclude=.venv --exclude=dist --exclude=build \ | |
| --exclude=benchmark/xbow-validation-benchmarks \ | |
| --exclude=benchmark/MHBench | |
| - name: Upload Semgrep SARIF | |
| if: always() | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: semgrep.sarif | |
| category: semgrep | |
| trivy: | |
| name: Trivy (deps + IaC config) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Trivy filesystem scan (dependency CVEs) | |
| uses: aquasecurity/trivy-action@0.35.0 | |
| with: | |
| scan-type: fs | |
| scan-ref: . | |
| format: sarif | |
| output: trivy-fs.sarif | |
| severity: CRITICAL,HIGH,MEDIUM | |
| ignore-unfixed: true | |
| exit-code: "0" | |
| - name: Trivy config scan (Dockerfile / compose misconfig) | |
| uses: aquasecurity/trivy-action@0.35.0 | |
| with: | |
| scan-type: config | |
| scan-ref: . | |
| format: sarif | |
| output: trivy-config.sarif | |
| severity: CRITICAL,HIGH,MEDIUM | |
| exit-code: "0" | |
| - name: Upload Trivy fs SARIF | |
| if: always() | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: trivy-fs.sarif | |
| category: trivy-fs | |
| - name: Upload Trivy config SARIF | |
| if: always() | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: trivy-config.sarif | |
| category: trivy-config | |
| secrets: | |
| name: Secret scan (TruffleHog) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: TruffleHog OSS (verified secrets) | |
| uses: trufflesecurity/trufflehog@v3.82.13 | |
| with: | |
| path: ./ | |
| base: ${{ github.event.pull_request.base.sha || github.event.before || '' }} | |
| head: ${{ github.event.pull_request.head.sha || github.sha }} | |
| extra_args: --only-verified | |
| dependency-review: | |
| name: Dependency review | |
| if: github.event_name == 'pull_request' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| # Advisory until the repo's dependency graph is confirmed enabled; flip | |
| # off continue-on-error to hard-gate vulnerable / bad-license new deps. | |
| - name: Dependency review | |
| uses: actions/dependency-review-action@v4 | |
| continue-on-error: true | |
| with: | |
| fail-on-severity: high | |
| comment-summary-in-pr: on-failure | |
| retry-on-snapshot-warnings: true |