92 lines
2.6 KiB
YAML
92 lines
2.6 KiB
YAML
name: Lint & Security
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
branches: [main]
|
|
|
|
jobs:
|
|
cppcheck:
|
|
name: C/C++ Static Analysis
|
|
runs-on: anvil
|
|
container:
|
|
image: docker.io/library/debian:bookworm-slim
|
|
steps:
|
|
- name: Install tools
|
|
run: |
|
|
apt-get update && apt-get install -y --no-install-recommends git cppcheck ca-certificates
|
|
|
|
- name: Checkout
|
|
run: |
|
|
git clone --depth=1 --branch=${{ github.ref_name }} \
|
|
https://oauth2:${{ github.token }}@git.mymx.me/${{ github.repository }}.git .
|
|
|
|
- name: Run cppcheck
|
|
run: |
|
|
cppcheck --enable=warning,style,performance,portability \
|
|
--suppress=missingIncludeSystem \
|
|
--error-exitcode=1 \
|
|
--inline-suppr \
|
|
-I get-started/csi_recv_router/main \
|
|
get-started/csi_recv_router/main/*.c
|
|
|
|
flawfinder:
|
|
name: Security Flaw Analysis
|
|
runs-on: anvil
|
|
container:
|
|
image: docker.io/library/python:3.12-slim
|
|
steps:
|
|
- name: Install tools
|
|
run: |
|
|
apt-get update && apt-get install -y --no-install-recommends git ca-certificates
|
|
pip install --no-cache-dir flawfinder
|
|
|
|
- name: Checkout
|
|
run: |
|
|
git clone --depth=1 --branch=${{ github.ref_name }} \
|
|
https://oauth2:${{ github.token }}@git.mymx.me/${{ github.repository }}.git .
|
|
|
|
- name: Run flawfinder
|
|
run: |
|
|
flawfinder --minlevel=2 --error-level=4 \
|
|
get-started/csi_recv_router/main/
|
|
|
|
gitleaks:
|
|
name: Secret Scanning
|
|
runs-on: anvil
|
|
container:
|
|
image: docker.io/zricethezav/gitleaks:latest
|
|
steps:
|
|
- name: Checkout
|
|
run: |
|
|
git clone --branch=${{ github.ref_name }} \
|
|
https://oauth2:${{ github.token }}@git.mymx.me/${{ github.repository }}.git .
|
|
|
|
- name: Run gitleaks
|
|
run: gitleaks detect --source . --verbose --redact
|
|
|
|
shellcheck:
|
|
name: Shell Script Analysis
|
|
runs-on: anvil
|
|
container:
|
|
image: docker.io/koalaman/shellcheck-alpine:stable
|
|
steps:
|
|
- name: Install git
|
|
run: apk add --no-cache git
|
|
|
|
- name: Checkout
|
|
run: |
|
|
git clone --depth=1 --branch=${{ github.ref_name }} \
|
|
https://oauth2:${{ github.token }}@git.mymx.me/${{ github.repository }}.git .
|
|
|
|
- name: Find and check shell scripts
|
|
run: |
|
|
SCRIPTS=$(find . -name "*.sh" -type f 2>/dev/null || true)
|
|
if [ -n "$SCRIPTS" ]; then
|
|
echo "Checking: $SCRIPTS"
|
|
echo "$SCRIPTS" | xargs shellcheck --severity=warning
|
|
else
|
|
echo "No shell scripts found, skipping"
|
|
fi
|