mirror of
https://github.com/glittercowboy/get-shit-done
synced 2026-04-25 17:25:23 +02:00
feec5a37a2
Add CI security pipeline to catch prompt injection attacks, base64-obfuscated payloads, leaked secrets, and .planning/ directory commits in PRs. This is critical for get-shit-done because the entire codebase is markdown prompts — a prompt injection in a workflow file IS the attack surface. New files: - scripts/prompt-injection-scan.sh: scans for instruction override, role manipulation, system boundary injection, DAN/jailbreak, and tool call injection patterns in changed files - scripts/base64-scan.sh: extracts base64 blobs >= 40 chars, decodes them, and checks decoded content against injection patterns (skips data URIs and binary content) - scripts/secret-scan.sh: detects AWS keys, OpenAI/Anthropic keys, GitHub PATs, Stripe keys, private key headers, and generic credential patterns - .github/workflows/security-scan.yml: runs all three scans plus a .planning/ directory check on every PR - .base64scanignore / .secretscanignore: per-repo false positive allowlists - tests/security-scan.test.cjs: 51 tests covering script existence, pattern matching, false positive avoidance, and workflow structure All scripts support --diff (CI), --file, and --dir modes. Cross-platform (macOS + Linux). SHA-pinned actions. Environment variables used for github context in run blocks (no direct interpolation). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
61 lines
1.9 KiB
YAML
61 lines
1.9 KiB
YAML
name: Security Scan
|
|
|
|
on:
|
|
pull_request:
|
|
branches:
|
|
- main
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
security:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 5
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Prompt injection scan
|
|
env:
|
|
BASE_REF: ${{ github.base_ref }}
|
|
run: |
|
|
chmod +x scripts/prompt-injection-scan.sh
|
|
scripts/prompt-injection-scan.sh --diff "origin/$BASE_REF"
|
|
|
|
- name: Base64 obfuscation scan
|
|
env:
|
|
BASE_REF: ${{ github.base_ref }}
|
|
run: |
|
|
chmod +x scripts/base64-scan.sh
|
|
scripts/base64-scan.sh --diff "origin/$BASE_REF"
|
|
|
|
- name: Secret scan
|
|
env:
|
|
BASE_REF: ${{ github.base_ref }}
|
|
run: |
|
|
chmod +x scripts/secret-scan.sh
|
|
scripts/secret-scan.sh --diff "origin/$BASE_REF"
|
|
|
|
- name: Planning directory check
|
|
env:
|
|
BASE_REF: ${{ github.base_ref }}
|
|
run: |
|
|
# Ensure .planning/ runtime data is not committed in PRs
|
|
# (The GSD repo itself has .planning/ in .gitignore, but PRs
|
|
# from forks or misconfigured clones might include it)
|
|
PLANNING_FILES=$(git diff --name-only --diff-filter=ACMR "origin/$BASE_REF"...HEAD | grep '^\.planning/' || true)
|
|
if [ -n "$PLANNING_FILES" ]; then
|
|
echo "FAIL: .planning/ runtime data must not be committed to PRs"
|
|
echo "The following .planning/ files were found in this PR:"
|
|
echo "$PLANNING_FILES"
|
|
echo ""
|
|
echo "Add .planning/ to your .gitignore and remove these files from the commit."
|
|
exit 1
|
|
fi
|
|
echo "planning-dir-check: clean"
|