name: Security Checks on: push: branches: [master] pull_request: branches: [master] jobs: dependency-audit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: '20' - name: Audit Budget dependencies working-directory: services/budget run: | npm ci --production npm audit --audit-level=high - name: Audit Frontend dependencies working-directory: frontend-v2 run: | npm ci npm audit --audit-level=high || true # low-severity OK for now secret-scanning: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Check for secrets in tracked files run: | echo "Checking for tracked .env files..." if git ls-files | grep -E '\.env$' | grep -v '.env.example'; then echo "ERROR: .env files are tracked in git!" exit 1 fi echo "Checking for tracked .db files..." if git ls-files | grep -E '\.db$'; then echo "ERROR: .db files are tracked in git!" exit 1 fi echo "Checking for hardcoded secrets patterns..." if grep -rn 'password.*=.*["\x27][a-zA-Z0-9_-]\{8,\}["\x27]' \ --include='*.py' --include='*.js' --include='*.ts' \ gateway/ services/ frontend-v2/src/ \ | grep -v 'env\.\|environ\|process\.env\|\.get(\|config\.\|test\|example\|placeholder\|CHANGE_ME\|changeme' \ | grep -vi 'hash\|bcrypt\|comment\|error\|warning'; then echo "WARNING: Possible hardcoded secrets found (review above)" fi echo "Secret scan passed" dockerfile-lint: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Check Dockerfiles run as non-root run: | fail=0 for f in gateway/Dockerfile services/trips/Dockerfile services/fitness/Dockerfile.backend services/inventory/Dockerfile services/budget/Dockerfile frontend-v2/Dockerfile; do if [ -f "$f" ]; then if ! grep -q '^USER ' "$f"; then echo "ERROR: $f does not have a USER instruction (runs as root)" fail=1 fi if ! grep -q 'HEALTHCHECK' "$f"; then echo "WARNING: $f has no HEALTHCHECK" fi fi done exit $fail