eliott/br-acc
1
0
Fork 0
mirror of https://github.com/kharonsec/br-acc synced 2026-04-25 17:15:02 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
d4179af665e695b0f292fb7e3a681775100b530e
br-acc/.github/workflows/security.yml
Davi Rezende d4179af665 feat(frontend/security): add npm audit to CI and document env guidelines (#41) 
* chore(ci): add npm audit job for frontend deps in security workflow

* docs(frontend/security): document VITE env and JWT storage in CONTRIBUTING

* fix(frontend): resolve high-severity npm audit (minimatch, rollup)

- npm audit fix for ReDoS in minimatch and path traversal in rollup
- Unblocks Security / NPM Audit (frontend) CI check per review

Made-with: Cursor

---------

Co-authored-by: Bruno César <bruno@sekai.cx>
2026-03-03 21:27:54 -03:00

145 lines
3.7 KiB
YAML
Raw Blame History

name: Security
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
gitleaks:
name: Gitleaks
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install gitleaks
run: |
VERSION=8.24.2
curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz" \
| tar -xz
chmod +x gitleaks
sudo mv gitleaks /usr/local/bin/gitleaks
- name: Run gitleaks
run: gitleaks git . --no-banner --redact --gitleaks-ignore-path .gitleaksignore
bandit:
name: Bandit (Python)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Install bandit
run: python -m pip install --upgrade pip bandit
- name: Run bandit
run: |
bandit -r api/src etl/src scripts \
-x api/tests,etl/tests \
-lll -iii
pip-audit:
name: Pip Audit (Python deps)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: astral-sh/setup-uv@v5
with:
version: "latest"
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Export lock-compatible requirement sets
run: |
cd api
uv export --format requirements-txt --no-hashes --no-emit-project --no-emit-local > /tmp/api-requirements.txt
cd ../etl
uv export --format requirements-txt --no-hashes --no-emit-project --no-emit-local > /tmp/etl-requirements.txt
- name: Audit API dependencies
run: uvx pip-audit -r /tmp/api-requirements.txt --strict
- name: Audit ETL dependencies
run: uvx pip-audit -r /tmp/etl-requirements.txt --strict
npm-audit:
name: NPM Audit (frontend)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: "20"
cache: "npm"
cache-dependency-path: frontend/package-lock.json
- name: Install frontend dependencies
run: cd frontend && npm ci
- name: Audit frontend dependencies
run: cd frontend && npm audit --audit-level=high
public-privacy-gate:
name: Public Privacy Gate
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Validate public privacy contract
run: python scripts/check_public_privacy.py --repo-root .
compliance-pack-gate:
name: Compliance Pack Gate
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Validate legal and ethics baseline
run: python scripts/check_compliance_pack.py --repo-root .
public-boundary-gate:
name: Public Boundary Gate
if: github.repository == 'brunoclz/world-transparency-graph'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Validate public edition scope
run: python scripts/check_open_core_boundary.py --repo-root .
internal-instruction-boundary:
name: Internal Instruction Boundary
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Ensure internal assistant files are not tracked
run: |
if git ls-files | grep -E '(^|/)(CLAUDE\.md|AGENTS.*\.md)$'; then
echo "Forbidden tracked files found: CLAUDE.md / AGENTS*.md"
exit 1
fi
Reference in New Issue View Git Blame Copy Permalink