name: Security on: push: branches: [main] pull_request: branches: [main] schedule: - cron: '0 6 * * 1' permissions: contents: read security-events: write jobs: codeql: name: CodeQL Analysis runs-on: ubuntu-latest continue-on-error: true steps: - name: Checkout uses: actions/checkout@v4 - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: languages: python - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 secret-scan: name: Secret Scan runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 with: fetch-depth: 0 - name: TruffleHog Secret Scan uses: trufflesecurity/trufflehog@main with: path: ./ base: ${{ github.event.repository.default_branch }} extra_args: --only-verified hardcoded-secrets: name: Hardcoded Secret Detection runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Scan for hardcoded secrets run: | FOUND=0 echo "Checking for private keys in config files..." if grep -rn --include="*.json" --include="*.py" -E "(0x[a-fA-F0-9]{64}|-----BEGIN.*PRIVATE)" . | grep -v node_modules | grep -v "chainId\|genesisHash\|parentId\|currencyIdScale\|typeAlias\|signedExtensions"; then echo "::error::Possible private key found" FOUND=1 fi echo "Checking for hardcoded credentials..." if grep -rn --include="*.py" --include="*.json" -iE "(password|secret_key|api_key)\s*[:=]\s*['\"][^'\"]{8,}" . | grep -v node_modules; then echo "::error::Possible hardcoded credential found" FOUND=1 fi if [ "$FOUND" -eq 0 ]; then echo "No hardcoded secrets found." else exit 1 fi dependency-review: name: Dependency Review runs-on: ubuntu-latest if: github.event_name == 'pull_request' steps: - name: Checkout uses: actions/checkout@v4 - name: Dependency Review uses: actions/dependency-review-action@v4 with: fail-on-severity: high deny-licenses: GPL-3.0, AGPL-3.0