ci: Add security checks (secrets scan, config validation)

2026-02-05 23:02:46 +01:00
parent 4da0679d4e
commit a84abf03ca
1 changed files with 45 additions and 0 deletions
--- a/.gitea/workflows/lint.yml
+++ b/.gitea/workflows/lint.yml
@@ -75,6 +75,31 @@ jobs:
            echo "::warning::Firmware using $PERCENT% of partition"
          fi

+      - name: Security checks
+        run: |
+          BIN="get-started/csi_recv_router/build/csi_recv_router.bin"
+          CFG="get-started/csi_recv_router/sdkconfig"
+
+          echo "=== Checking for hardcoded secrets ==="
+          if strings "$BIN" | grep -iqE '(password|secret|api_key|apikey)=[^$]'; then
+            echo "::error::Potential hardcoded secret found in binary"
+            exit 1
+          fi
+          echo "No hardcoded secrets detected"
+
+          echo "=== Checking release configuration ==="
+          LOG_LEVEL=$(grep 'CONFIG_LOG_DEFAULT_LEVEL=' "$CFG" | cut -d= -f2)
+          if [ "$LOG_LEVEL" -gt 3 ]; then
+            echo "::warning::Debug/verbose logging enabled (level $LOG_LEVEL)"
+          else
+            echo "Log level OK ($LOG_LEVEL)"
+          fi
+
+          echo "=== Component size breakdown ==="
+          . /opt/esp/idf/export.sh
+          cd get-started/csi_recv_router
+          idf.py size-components 2>/dev/null | head -30
+
      - name: Upload firmware artifact
        run: |
          mkdir -p /tmp/artifacts
@@ -108,6 +133,26 @@ jobs:
          cd get-started/csi_recv_router
          idf.py build

+      - name: Security checks
+        run: |
+          BIN="get-started/csi_recv_router/build/csi_recv_router.bin"
+          CFG="get-started/csi_recv_router/sdkconfig"
+
+          echo "=== Checking for hardcoded secrets ==="
+          if strings "$BIN" | grep -iqE '(password|secret|api_key|apikey)=[^$]'; then
+            echo "::error::Potential hardcoded secret found in binary"
+            exit 1
+          fi
+          echo "No hardcoded secrets detected"
+
+          echo "=== Checking release configuration ==="
+          LOG_LEVEL=$(grep 'CONFIG_LOG_DEFAULT_LEVEL=' "$CFG" | cut -d= -f2)
+          if [ "$LOG_LEVEL" -gt 3 ]; then
+            echo "::warning::Debug/verbose logging enabled (level $LOG_LEVEL)"
+          else
+            echo "Log level OK ($LOG_LEVEL)"
+          fi
+
      - name: Validate version tag
        run: |
          TAG="${{ github.ref_name }}"