username/esp32-hacking
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 9 Wiki Activity

ci: Add security checks (secrets scan, config validation)

Browse Source
This commit is contained in:
user
2026-02-05 23:02:46 +01:00
parent 4da0679d4e
commit a84abf03ca
1 changed files with 45 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
.gitea/workflows/lint.yml
View File

@@ -75,6 +75,31 @@ jobs:
echo "::warning::Firmware using $PERCENT% of partition" echo "::warning::Firmware using $PERCENT% of partition"
fi fi
- name: Security checks
run: |
BIN="get-started/csi_recv_router/build/csi_recv_router.bin"
CFG="get-started/csi_recv_router/sdkconfig"
echo "=== Checking for hardcoded secrets ==="
if strings "$BIN" | grep -iqE '(password|secret|api_key|apikey)=[^$]'; then
echo "::error::Potential hardcoded secret found in binary"
exit 1
fi
echo "No hardcoded secrets detected"
echo "=== Checking release configuration ==="
LOG_LEVEL=$(grep 'CONFIG_LOG_DEFAULT_LEVEL=' "$CFG" | cut -d= -f2)
if [ "$LOG_LEVEL" -gt 3 ]; then
echo "::warning::Debug/verbose logging enabled (level $LOG_LEVEL)"
else
echo "Log level OK ($LOG_LEVEL)"
fi
echo "=== Component size breakdown ==="
. /opt/esp/idf/export.sh
cd get-started/csi_recv_router
idf.py size-components 2>/dev/null | head -30
- name: Upload firmware artifact - name: Upload firmware artifact
run: | run: |
mkdir -p /tmp/artifacts mkdir -p /tmp/artifacts
@@ -108,6 +133,26 @@ jobs:
cd get-started/csi_recv_router cd get-started/csi_recv_router
idf.py build idf.py build
- name: Security checks
run: |
BIN="get-started/csi_recv_router/build/csi_recv_router.bin"
CFG="get-started/csi_recv_router/sdkconfig"
echo "=== Checking for hardcoded secrets ==="
if strings "$BIN" | grep -iqE '(password|secret|api_key|apikey)=[^$]'; then
echo "::error::Potential hardcoded secret found in binary"
exit 1
fi
echo "No hardcoded secrets detected"
echo "=== Checking release configuration ==="
LOG_LEVEL=$(grep 'CONFIG_LOG_DEFAULT_LEVEL=' "$CFG" | cut -d= -f2)
if [ "$LOG_LEVEL" -gt 3 ]; then
echo "::warning::Debug/verbose logging enabled (level $LOG_LEVEL)"
else
echo "Log level OK ($LOG_LEVEL)"
fi
- name: Validate version tag - name: Validate version tag
run: | run: |
TAG="${{ github.ref_name }}" TAG="${{ github.ref_name }}"