diff --git a/.gitea/workflows/lint.yml b/.gitea/workflows/lint.yml
new file mode 100644
index 0000000..cccf358
--- /dev/null
+++ b/.gitea/workflows/lint.yml
@@ -0,0 +1,82 @@
+name: Lint & Security
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+
+jobs:
+ cppcheck:
+ name: C/C++ Static Analysis
+ runs-on: anvil
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install cppcheck
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y cppcheck
+
+ - name: Run cppcheck
+ run: |
+ cppcheck --enable=warning,style,performance,portability \
+ --suppress=missingIncludeSystem \
+ --error-exitcode=1 \
+ --inline-suppr \
+ -I get-started/csi_recv_router/main \
+ get-started/csi_recv_router/main/*.c
+
+ flawfinder:
+ name: Security Flaw Analysis
+ runs-on: anvil
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install flawfinder
+ run: |
+ pip install --user flawfinder
+
+ - name: Run flawfinder
+ run: |
+ ~/.local/bin/flawfinder --minlevel=2 --error-level=4 \
+ get-started/csi_recv_router/main/
+
+ gitleaks:
+ name: Secret Scanning
+ runs-on: anvil
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Install gitleaks
+ run: |
+ GITLEAKS_VERSION="8.18.4"
+ curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
+ | sudo tar -xz -C /usr/local/bin gitleaks
+
+ - name: Run gitleaks
+ run: |
+ gitleaks detect --source . --verbose --redact
+
+ shellcheck:
+ name: Shell Script Analysis
+ runs-on: anvil
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install shellcheck
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y shellcheck
+
+ - name: Find and check shell scripts
+ run: |
+ SCRIPTS=$(find . -name "*.sh" -type f 2>/dev/null || true)
+ if [ -n "$SCRIPTS" ]; then
+ echo "Checking: $SCRIPTS"
+ echo "$SCRIPTS" | xargs shellcheck --severity=warning
+ else
+ echo "No shell scripts found, skipping"
+ fi
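Review bot: The "Install gitleaks" step fetches the release tarball over the network and pipes it straight into `sudo tar -xz -C /usr/local/bin` with no integrity check, so a substituted or truncated archive would be installed as root on what looks like a persistent self-hosted runner (`runs-on: anvil`). Download the archive to a file, verify it against a sha256 pinned in the workflow (the value can be taken from the checksums file that gitleaks publishes with each release) and only then extract it; `set -o pipefail` (or `curl -f` plus a separate `tar` invocation) is also needed, because in the current pipeline a failed `curl` is masked by `tar`. The same mutable-reference concern applies to `actions/checkout@v4` in all four jobs, which should be pinned to a commit SHA, and to the unpinned `pip install --user flawfinder`. In the shellcheck job, `find ... | xargs shellcheck` should use `find -print0 | xargs -0` so script paths containing whitespace are not split into separate arguments.
```yaml
      - name: Install gitleaks
        run: |
          set -euo pipefail
          GITLEAKS_VERSION="8.18.4"
          BASE_URL="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}"
          TARBALL="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          # Placeholder: fill in the sha256 of the vetted release archive; the step fails closed until it is set.
          EXPECTED_SHA256="<sha256-of-vetted-tarball>"
          curl -sSfL -o "${TARBALL}" "${BASE_URL}/${TARBALL}"
          echo "${EXPECTED_SHA256}  ${TARBALL}" | sha256sum -c -
          sudo tar -xzf "${TARBALL}" -C /usr/local/bin gitleaks
          rm -f "${TARBALL}"
      # … unchanged: Run gitleaks step …
```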