-
Notifications
You must be signed in to change notification settings - Fork 0
155 lines (131 loc) · 4.67 KB
/
Copy pathsecurity.yml
File metadata and controls
155 lines (131 loc) · 4.67 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
name: Security Scan
on:
push:
branches: [ master, develop ]
pull_request:
branches: [ master ]
schedule:
# Weekly on Monday at 6:00 UTC
- cron: '0 6 * * 1'
permissions:
contents: read
jobs:
security:
name: Security Analysis
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.10"
- name: Cache pip dependencies
uses: actions/cache@v5
with:
path: ~/.cache/pip
key: ${{ runner.os }}-pip-security-${{ hashFiles('**/requirements.txt') }}
restore-keys: |
${{ runner.os }}-pip-security-
- name: Install security tools
run: |
python -m pip install --upgrade pip
pip install bandit safety
- name: Run Bandit (code security)
run: |
echo "=== Running Bandit Security Scan ==="
bandit \
-c .bandit.yml \
-r rdagent/ \
-f json \
-o bandit-report.json \
--exit-zero || true
# Show summary
bandit -c .bandit.yml -r rdagent/ -ll || true
- name: Upload Bandit report
uses: actions/upload-artifact@v7
if: always()
with:
name: bandit-security-report
path: bandit-report.json
retention-days: 30
- name: Check dependencies for vulnerabilities
run: |
echo "=== Checking Dependencies for Vulnerabilities ==="
safety check --json || {
echo "::warning::Some dependencies have known vulnerabilities"
echo "Please review and update dependencies."
exit 0 # Non-blocking
}
- name: Check for exposed secrets
run: |
echo "=== Scanning for Exposed Secrets ==="
# Check for common secret patterns
PATTERNS=(
"api_key\s*=\s*['\"][^'\"]+['\"]"
"secret\s*=\s*['\"][^'\"]+['\"]"
"password\s*=\s*['\"][^'\"]+['\"]"
"token\s*=\s*['\"][^'\"]+['\"]"
"PRIVATE.KEY"
"BEGIN RSA PRIVATE KEY"
)
FOUND_SECRETS=0
for pattern in "${PATTERNS[@]}"; do
if grep -rInE "$pattern" --include='*.py' --include='*.yml' --include='*.yaml' --include='*.json' . | \
grep -v '.git' | \
grep -v 'test/' | \
grep -v 'example' | \
grep -v '# ' | \
grep -v 'os.environ' | \
grep -v 'getenv' | \
grep -v 'argparse'; then
FOUND_SECRETS=1
fi
done
if [ $FOUND_SECRETS -eq 1 ]; then
echo "::error::Potential secrets exposure detected!"
echo "Please review the output above and remove any hardcoded credentials."
echo "Use environment variables or .env files instead."
exit 1
fi
echo "✓ No exposed secrets found"
- name: Verify closed-source files not committed
run: |
echo "=== Verifying No Closed-Source Assets Committed ==="
FOUND_CLOSED=0
# Exact directory prefixes that must never appear (use grep -F for literal matching)
EXACT_PREFIXES=(
"git_ignore_folder/"
"models/local/"
"prompts/local/"
"rdagent/scenarios/qlib/local/"
)
for prefix in "${EXACT_PREFIXES[@]}"; do
if git ls-files | grep -qF "$prefix"; then
echo "::error::Found closed-source asset: $prefix"
FOUND_CLOSED=1
fi
done
# results/ — allow README.md and .gitkeep but nothing else
if git ls-files | grep -F "results/" | grep -qvE "results/README\.md|results/\.gitkeep"; then
echo "::error::Found closed-source asset: results/ (non-documentation file)"
git ls-files | grep -F "results/" | grep -vE "results/README\.md|results/\.gitkeep"
FOUND_CLOSED=1
fi
# .env files — match only .env and .env.* exactly, not paths containing "env"
if git ls-files | grep -qE "(^|/)\.env($|\.)"; then
echo "::error::Found closed-source asset: .env file"
FOUND_CLOSED=1
fi
# Binary / data files that must never be committed
if git ls-files | grep -qE "\.(db|h5|parquet|log)$"; then
echo "::error::Found data/log file committed (*.db, *.h5, *.parquet, *.log)"
git ls-files | grep -E "\.(db|h5|parquet|log)$"
FOUND_CLOSED=1
fi
if [ $FOUND_CLOSED -eq 1 ]; then
echo "CRITICAL: Closed-source assets must not be committed to the repository!"
echo "Please remove them and add to .gitignore if needed."
exit 1
fi
echo "✓ No closed-source assets found"