-
-
Notifications
You must be signed in to change notification settings - Fork 42
158 lines (137 loc) · 4.61 KB
/
Copy pathsecurity-scan.yml
File metadata and controls
158 lines (137 loc) · 4.61 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
name: Security Code Scan
on:
push:
branches: [ main, develop ]
paths:
- 'Packages/src/**/*.cs'
- 'Assets/**/*.cs'
- 'Packages/src/TypeScriptServer~/**/*.ts'
- 'Packages/src/TypeScriptServer~/package.json'
- 'Packages/src/TypeScriptServer~/package-lock.json'
pull_request:
branches: [ main ]
paths:
- 'Packages/src/**/*.cs'
- 'Assets/**/*.cs'
- 'Packages/src/TypeScriptServer~/**/*.ts'
- 'Packages/src/TypeScriptServer~/package.json'
- 'Packages/src/TypeScriptServer~/package-lock.json'
workflow_dispatch:
jobs:
security-scan:
name: C# Security Analysis
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v7
- name: Setup .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: '6.0.x'
- name: Run SecurityCodeScan on uLoopMCP Package
run: |
# Create a temporary project file for scanning
cat > temp-uloopmcp.csproj << 'EOF'
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net6.0</TargetFramework>
<Nullable>enable</Nullable>
<TreatWarningsAsErrors>false</TreatWarningsAsErrors>
</PropertyGroup>
<ItemGroup>
<Compile Include="Packages/src/**/*.cs" />
</ItemGroup>
<ItemGroup>
<PackageReference Include="SecurityCodeScan.VS2019" Version="5.6.7" PrivateAssets="all" />
</ItemGroup>
</Project>
EOF
# Run dotnet build to trigger SecurityCodeScan analysis
dotnet restore temp-uloopmcp.csproj
# Build with continue on error and create a basic SARIF file if scanning fails
if ! dotnet build temp-uloopmcp.csproj --configuration Release --verbosity normal --no-restore; then
echo "SecurityCodeScan completed with warnings/errors - creating placeholder SARIF"
cat > security-results.sarif << 'SARIF_EOF'
{
"version": "2.1.0",
"$schema": "http://json.schemastore.org/sarif-2.1.0-rtm.5",
"runs": [
{
"tool": {
"driver": {
"name": "SecurityCodeScan",
"informationUri": "https://security-code-scan.github.io/",
"version": "5.6.7"
}
},
"results": []
}
]
}
SARIF_EOF
else
echo "SecurityCodeScan completed successfully"
fi
- name: Upload SARIF results to GitHub
uses: github/codeql-action/upload-sarif@v4
if: always() && hashFiles('security-results.sarif') != ''
with:
sarif_file: security-results.sarif
category: "SecurityCodeScan"
- name: Upload security scan results as artifact
uses: actions/upload-artifact@v7
if: always()
with:
name: security-scan-results
path: security-results.sarif
typescript-security:
name: TypeScript Security Analysis
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v7
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: '22'
cache: 'npm'
cache-dependency-path: 'Packages/src/TypeScriptServer~/package-lock.json'
- name: Install dependencies
working-directory: Packages/src/TypeScriptServer~
run: npm ci --ignore-scripts=false
- name: Run TypeScript security check
working-directory: Packages/src/TypeScriptServer~
run: npm run security:check
npm-supply-chain-security:
name: NPM Supply Chain Security
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v7
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: '22'
- name: Run npm audit
working-directory: Packages/src/TypeScriptServer~
run: |
echo "Running npm audit for security vulnerabilities..."
npm audit --audit-level=moderate || {
echo "::warning::npm audit found vulnerabilities. Review and update dependencies."
exit 1
}
- name: Install lockfile-lint
run: npm install -g lockfile-lint
- name: Run lockfile-lint
working-directory: Packages/src/TypeScriptServer~
run: |
echo "Validating package-lock.json integrity..."
lockfile-lint \
--path package-lock.json \
--type npm \
--allowed-hosts npm \
--allowed-schemes "https:" "git+https:"