From 4ed5f2ccad68dd4a932c8a07949cdc9683600877 Mon Sep 17 00:00:00 2001
From: Alexander Grabowski
Date: Tue, 12 Aug 2025 17:26:51 +0700
Subject: [PATCH] Update .gitea/workflows/security.yml

---
 .gitea/workflows/security.yml | 174 +++++++++++++++++++++++++++++++++-
 1 file changed, 173 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/security.yml b/.gitea/workflows/security.yml
index bb7a455..61a8e2a 100644
--- a/.gitea/workflows/security.yml
+++ b/.gitea/workflows/security.yml
@@ -218,4 +218,176 @@ jobs: The following packages have updates available: EOF - jq -r '.[] | "- **\(.name)**: \(.version) โ†’ + jq -r '.[] | "- **\(.name)**: \(.version) โ†’ \(.latest_version)"' outdated-packages.json >> issue-body.md + cat >> issue-body.md << 'EOF' + +## ๐Ÿ” Security Impact + +Please review each update for: +- Security fixes +- Breaking changes +- Compatibility issues + +## โœ… Action Items + +- [ ] Review changelog for each package +- [ ] Test updates in development environment +- [ ] Update requirements.txt +- [ ] Run full test suite +- [ ] Deploy to staging for validation + +--- +*This issue was automatically created by the security workflow.* +EOF + echo "Issue body created. In a real implementation, you would create a Gitea issue here." + cat issue-body.md + fi + + - name: Upload dependency reports + uses: actions/upload-artifact@v3 + with: + name: dependency-reports-${{ github.run_number }} + path: | + outdated-packages.json + issue-body.md + + # Code quality metrics + code-quality: + name: Code Quality Metrics + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + token: ${{ secrets.CI_BOT_TOKEN }} + + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: ${{ env.PYTHON_VERSION }} + + - name: Install quality tools + run: | + python -m pip install --upgrade pip --root-user-action=ignore + pip install --root-user-action=ignore radon xenon vulture + if [ -f requirements.txt ]; then + pip install --root-user-action=ignore -r requirements.txt + fi + + - name: Calculate code complexity + run: | + echo "๐Ÿ“Š Calculating code complexity..." 
+ if [ -d src ]; then + radon cc src/ --json > complexity-report.json + radon mi src/ --json > maintainability-report.json + echo "๐Ÿ” Complexity Summary:" + radon cc src/ --average + echo "๐Ÿ”ง Maintainability Summary:" + radon mi src/ + else + echo "{}" > complexity-report.json + echo "{}" > maintainability-report.json + echo "No src/ directory found; skipping detailed radon output." + fi + + - name: Find dead code + run: | + echo "๐Ÿงน Checking for dead code..." + if [ -d src ]; then + vulture src/ --json > dead-code-report.json || true + else + echo "[]" > dead-code-report.json + fi + + - name: Check for code smells + run: | + echo "๐Ÿ‘ƒ Checking for code smells..." + if [ -d src ]; then + xenon --max-absolute B --max-modules A --max-average A src/ || true + else + echo "No src/ directory found; skipping xenon." + fi + + - name: Upload quality reports + uses: actions/upload-artifact@v3 + with: + name: code-quality-reports-${{ github.run_number }} + path: | + complexity-report.json + maintainability-report.json + dead-code-report.json + + # Security summary + security-summary: + name: Security Summary + runs-on: ubuntu-latest + needs: [dependency-scan, license-check, code-quality] + if: always() + + steps: + - name: Install jq (for parsing JSON) + run: sudo apt-get update && sudo apt-get install -y jq + + - name: Download all artifacts + uses: actions/download-artifact@v3 + + - name: Generate security summary + run: | + echo "# ๐Ÿ”’ Security Scan Summary" > security-summary.md + echo "" >> security-summary.md + echo "**Scan Date:** $(date -u)" >> security-summary.md + echo "**Repository:** ${{ github.repository }}" >> security-summary.md + echo "**Commit:** ${{ github.sha }}" >> security-summary.md + echo "" >> security-summary.md + + echo "## ๐Ÿ“Š Results" >> security-summary.md + echo "" >> security-summary.md + + # Dependency scan results (support array/object formats) + if ls security-reports-*/safety-report.json >/dev/null 2>&1; then + vuln_count=$(jq -s ' 
+ def countfile: + if type=="array" then length + else ((.vulnerabilities // []) | length) + end; + add | (if type=="number" then . else 0 end) + ' security-reports-*/safety-report.json 2>/dev/null || echo "0") + if [ "${vuln_count:-0}" -eq 0 ]; then + echo "- โœ… **Dependency Scan**: No vulnerabilities found" >> security-summary.md + else + echo "- โš ๏ธ **Dependency Scan**: ${vuln_count} vulnerabilities found" >> security-summary.md + fi + else + echo "- โ“ **Dependency Scan**: Results not available" >> security-summary.md + fi + + # Docker scan results (Trivy removed) + echo "- โญ๏ธ **Docker Scan**: Skipped (Trivy removed)" >> security-summary.md + + # License check results + if ls license-report-*/licenses.json >/dev/null 2>&1; then + echo "- โœ… **License Check**: Completed" >> security-summary.md + else + echo "- โ“ **License Check**: Results not available" >> security-summary.md + fi + + # Code quality results + if ls code-quality-reports-*/complexity-report.json >/dev/null 2>&1; then + echo "- โœ… **Code Quality**: Analyzed" >> security-summary.md + else + echo "- โ“ **Code Quality**: Results not available" >> security-summary.md + fi + + echo "" >> security-summary.md + echo "## ๐Ÿ”— Detailed Reports" >> security-summary.md + echo "" >> security-summary.md + echo "Detailed reports are available in the workflow artifacts." >> security-summary.md + + cat security-summary.md + + - name: Upload security summary + uses: actions/upload-artifact@v3 + with: + name: security-summary-${{ github.run_number }} + path: security-summary.md
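Review bot: The dependency count in the "Generate security summary" step is effectively hard-wired to zero: `countfile` is defined but never applied, so after `jq -s` the filter runs `add` over the slurped array of reports, which yields a concatenated array (or merged object) rather than a number, and the trailing `if type=="number" then . else 0 end` then reports "No vulnerabilities found" regardless of what safety-report.json contains. The `2>/dev/null || echo "0"` fallback compounds this by turning any jq or file error into the same green line, so the summary fails open. Apply the helper per file with `map(countfile) | add // 0`, and let a jq failure fall to an explicit "could not be parsed" entry instead of 0, as sketched below. Separately, the code-quality job checks out with `secrets.CI_BOT_TOKEN` and then pip-installs unpinned tools plus whatever requirements.txt pulls in; a read-only analysis job does not need that token, and actions/checkout persists it into `.git/config` by default, so drop the `token:` input there or at least set `persist-credentials: false`.
```yaml
      - name: Generate security summary
        run: |
          # … unchanged: header lines written to security-summary.md …
          if ls security-reports-*/safety-report.json >/dev/null 2>&1; then
            if vuln_count=$(jq -s '
              def countfile:
                if type=="array" then length
                else ((.vulnerabilities // []) | length)
                end;
              map(countfile) | add // 0
            ' security-reports-*/safety-report.json); then
              # … unchanged: 0 -> "No vulnerabilities found", otherwise "${vuln_count} vulnerabilities found" …
            else
              echo "- ❓ **Dependency Scan**: safety-report.json could not be parsed" >> security-summary.md
            fi
          else
            # … unchanged: "Results not available" branch …
          fi
          # … unchanged: Docker, license, code-quality sections and the final cat …
```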