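---
# Scheduled and on-demand security checks for the Node.js client:
# npm audit, license inventory, secrets detection, dependency analysis,
# a documentation/.gitignore policy review, and a final summary job.
name: Security Monitoring

# Least privilege: no step in this workflow writes to the repository,
# calls the Actions API, or uploads SARIF, so read access to the
# repository contents is all the GITHUB_TOKEN needs. Artifact upload
# does not require additional scopes.
permissions:
  contents: read

on:
  schedule:
    # Daily at 02:00 UTC
    - cron: '0 2 * * *'
  # Allow manual triggering
  workflow_dispatch:
  push:
    branches: [main]
    paths:
      - 'package*.json'
      - '.github/workflows/security.yml'

jobs:
  security-audit:
    name: Comprehensive Security Audit
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18.x'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Run npm audit (detailed)
        # Informational only: both commands may exit non-zero when any
        # finding exists, so they are allowed to fail in order to always
        # produce the full report and the JSON export.
        run: |
          echo "🔍 Running detailed npm audit..."
          npm audit --audit-level=info || true
          npm audit --json > audit-results.json || true

      - name: Check for known vulnerabilities
        # Gate on the exit status of `npm audit --audit-level=high`: it is
        # non-zero only when a high or critical finding exists (or the
        # audit could not run, which also fails closed).
        # Do not pipe the `--json` output into `jq` for this decision: the
        # default shell runs with `pipefail`, so npm's own non-zero status
        # makes the pipeline "fail" exactly when findings exist, and the
        # `.vulnerabilities` object contains findings of every severity
        # regardless of `--audit-level`.
        run: |
          echo "🛡️ Checking for known vulnerabilities..."
          if npm audit --audit-level=high; then
            echo "✅ No high/critical vulnerabilities found"
          else
            echo "❌ High/Critical vulnerabilities found!"
            exit 1
          fi

      - name: Upload npm audit results
        # Upload even when the gate above fails so the report is available
        # for review.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: npm-audit-report
          path: audit-results.json
          retention-days: 90

  license-compliance:
    name: License Compliance
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18.x'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Install license checker
        # NOTE(review): installs whatever version is latest at run time;
        # pinning an exact version would make this check reproducible.
        run: npm install -g license-checker

      - name: Check licenses
        # Non-blocking by design: the allow-list summary is reported but
        # does not fail the job, and the summary job does not gate on this
        # job's result. The full JSON inventory is uploaded below.
        run: |
          echo "📜 Checking dependency licenses..."
          # Summary against the allow-list of permissive licenses
          license-checker --summary --onlyAllow 'MIT;Apache-2.0;BSD-3-Clause;BSD-2-Clause;ISC;0BSD;CC0-1.0' || true
          # Detailed license inventory
          license-checker --json > licenses.json
          echo "✅ License compliance check completed"

      - name: Upload license report
        # Path matches the file written by the step above. (A
        # `trufflehog-results.json` is produced by no step in this
        # workflow, so uploading it here would always fail.)
        uses: actions/upload-artifact@v4
        with:
          name: license-report
          path: licenses.json
          retention-days: 90

  secrets-scan:
    name: Secrets Detection
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Full history so the secrets scanner can inspect past commits,
          # not only the checked-out tree.
          fetch-depth: 0

      - name: Run TruffleHog secrets scan
        # NOTE(review): `@main` tracks a moving branch; pin to a release tag
        # or commit SHA so the action's code is reviewable and reproducible.
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          extra_args: --debug --only-verified --no-update
        # NOTE(review): with continue-on-error the job does not fail on
        # verified findings from this step; only the custom pattern step
        # below can fail the job.
        continue-on-error: true

      - name: Custom secrets patterns
        # grep flags:
        #   -P : the patterns use PCRE syntax ((?i), \s) that -E rejects,
        #        which made those patterns silently never match
        #   -e : the first pattern starts with "-----" and would otherwise
        #        be parsed as grep options
        #   -l : print file names only, so matched secret values are not
        #        echoed into the job log
        run: |
          echo "Scanning for government-specific sensitive patterns..."
          # Government-specific patterns
          patterns=(
            "-----BEGIN (RSA |DSA |EC |OPENSSH |PGP )?PRIVATE KEY-----"
            "(aws_access_key_id|aws_secret_access_key)"
            "AKIA[0-9A-Z]{16}"
            "sk-[a-zA-Z0-9]{48}"
            "(?i)(bearer\s+[a-z0-9\-._~+/]+)"
            "(?i)(api[_-]?key|secret|password|token|credential)[\s]*[:=][\s]*['\"][^'\"]+['\"]"
          )
          found_issues=false
          for pattern in "${patterns[@]}"; do
            if grep -r -l -P -e "$pattern" --include="*.js" --include="*.ts" --include="*.json" --exclude-dir=node_modules --exclude-dir=.git . 2>/dev/null; then
              echo "Potential secret found matching pattern: $pattern"
              found_issues=true
            fi
          done
          if [ "$found_issues" = true ]; then
            echo "Potential secrets detected! Please review and remediate."
            exit 1
          else
            echo "No obvious secrets detected"
          fi

  dependency-graph:
    name: Dependency Analysis
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18.x'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Generate dependency tree
        # Each report is best-effort (`|| true`): these commands exit
        # non-zero when they have something to report, and the job should
        # still produce the remaining files.
        run: |
          echo "🌳 Generating dependency analysis..."
          # Create dependency tree
          npm list --all --json > dependency-tree.json || true
          # Check for outdated packages
          npm outdated --json > outdated-packages.json || true
          # Check for unused dependencies
          npx depcheck --json > unused-dependencies.json || true
          echo "📊 Dependency analysis completed"

      - name: Upload dependency analysis reports
        # Paths match the files written by the step above; no step in this
        # workflow produces `eslint-results.json` or `security-analysis.json`.
        uses: actions/upload-artifact@v4
        with:
          name: dependency-analysis-report
          path: |
            dependency-tree.json
            outdated-packages.json
            unused-dependencies.json
          retention-days: 90

  government-security-review:
    name: Government Security Review
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: FedRAMP considerations check
        # Presence checks for security/process documentation (blocking) and
        # for common credential-file patterns in .gitignore (advisory).
        run: |
          echo "🏛️ Reviewing FedRAMP and government security considerations..."
          # Required security documentation
          security_files=("SECURITY.md" "CONTRIBUTING.md" ".github/workflows/security.yml")
          for file in "${security_files[@]}"; do
            if [[ ! -f "$file" ]]; then
              echo "❌ Missing security file: $file"
              exit 1
            fi
          done
          # .gitignore should cover key/credential files. -F matches the
          # pattern literally so "*" and "." are not regex metacharacters;
          # a missing .gitignore is reported the same way as a missing entry.
          required_patterns=("*.key" "*.pem" "*.p12" "credentials.json" ".env")
          for pattern in "${required_patterns[@]}"; do
            if [[ ! -f .gitignore ]] || ! grep -qF -- "$pattern" .gitignore; then
              echo "⚠️ Consider adding '$pattern' to .gitignore for government security"
            fi
          done
          echo "✅ Basic government security patterns validated"

      - name: FISMA compliance indicators
        # Heuristic keyword checks under src/; advisory only, never fails
        # the job.
        run: |
          echo "📋 Checking FISMA compliance indicators..."
          # Audit logging indicators
          if grep -r -q -i -E "log|audit" --include="*.js" --include="*.ts" src/ 2>/dev/null; then
            echo "✅ Logging capabilities present"
          else
            echo "⚠️ Consider adding audit logging for FISMA compliance"
          fi
          # Encryption / transport security indicators
          if grep -r -q -i -E "encrypt|tls|ssl|https" --include="*.js" --include="*.ts" src/ 2>/dev/null; then
            echo "✅ Encryption-related code found"
          else
            echo "⚠️ Ensure proper encryption is implemented"
          fi
          echo "📊 FISMA compliance review completed"

  security-summary:
    name: Security Summary Report
    runs-on: ubuntu-latest
    timeout-minutes: 5
    needs: [security-audit, license-compliance, secrets-scan, dependency-graph, government-security-review]
    # Run even when upstream jobs fail so the summary reflects their results.
    if: always()
    steps:
      - name: Generate security summary
        # Only the audit, secrets and government-review jobs are treated as
        # gating; license-compliance and dependency-graph are informational.
        run: |
          echo "📋 SECURITY SUMMARY REPORT"
          echo "========================="
          echo ""
          echo "🏛️ Government Security Assessment for USAi API Node.js Client"
          echo ""
          echo "Jobs Status:"
          echo "- Security Audit: ${{ needs.security-audit.result }}"
          echo "- License Compliance: ${{ needs.license-compliance.result }}"
          echo "- Secrets Scan: ${{ needs.secrets-scan.result }}"
          echo "- Dependency Analysis: ${{ needs.dependency-graph.result }}"
          echo "- Government Security Review: ${{ needs.government-security-review.result }}"
          echo ""
          if [[ "${{ needs.security-audit.result }}" == "failure" ]] ||
             [[ "${{ needs.secrets-scan.result }}" == "failure" ]] ||
             [[ "${{ needs.government-security-review.result }}" == "failure" ]]; then
            echo "🚨 SECURITY ISSUES DETECTED"
            echo "Government agencies should review failed checks before use"
            echo ""
            echo "Recommended Actions:"
            echo "1. Review failed security checks"
            echo "2. Remediate any discovered vulnerabilities"
            echo "3. Update dependencies if needed"
            echo "4. Conduct additional security review"
            echo "5. Follow agency-specific security protocols"
          else
            echo "✅ SECURITY CHECKS PASSED"
            echo "Library appears to meet basic security requirements"
            echo ""
            echo "Government agencies should still:"
            echo "1. Conduct agency-specific security review"
            echo "2. Test with organization's security tools"
            echo "3. Follow internal approval processes"
            echo "4. Monitor for security updates"
          fi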