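# Static analysis and secret scanning for get-started/csi_recv_router.
#
# Every job runs on the self-hosted runner `anvil` and checks the repository
# out by hand (no actions/checkout). The checkout is therefore written to:
#   * fetch by full ref name: GITHUB_REF is `refs/heads/main` on push and
#     `refs/pull/<n>/merge` on pull_request, the latter of which
#     `git clone --branch=<short name>` cannot resolve;
#   * read the runner's default env vars instead of splicing `${{ ... }}`
#     expressions into shell text (GitHub's script-injection guidance);
#   * tolerate a workspace that persists between runs, which is the norm on
#     a non-ephemeral self-hosted runner (actions/checkout would normally
#     clean it).
#
# NOTE(review): `pull_request` runs the workflow file from the PR's merge
# commit. If this repository accepts PRs from forks, untrusted workflow
# edits execute on `anvil`, which evidently has passwordless sudo (see the
# apt-get / install steps). GitHub advises against self-hosted runners for
# public repositories; restrict the runner group or the trigger if that
# applies here.
name: Lint & Security

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege: no job writes back to the repository, and the checkout
# fetches over HTTPS without the job token.
permissions:
  contents: read

# `shell: bash` makes every run step execute under
# `bash --noprofile --norc -eo pipefail`, so a failing producer in a pipeline
# (curl | tar, find | xargs) fails the step instead of being masked by the
# consumer's exit status. The default `bash -e` has no pipefail.
defaults:
  run:
    shell: bash

jobs:
  cppcheck:
    name: C/C++ Static Analysis
    runs-on: anvil
    steps:
      - name: Checkout
        # Start from a fresh .git so a leftover (possibly shallow) repo from a
        # previous run on this runner cannot change what gets scanned; the
        # forced detached checkout plus `git clean -fdx` drops stale files.
        run: |
          rm -rf .git
          git init -q .
          git fetch -q --depth=1 "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" "${GITHUB_REF}"
          git checkout -q --force --detach FETCH_HEAD
          git clean -q -fdx

      - name: Install cppcheck
        run: |
          sudo apt-get update
          sudo apt-get install -y cppcheck

      - name: Run cppcheck
        # --error-exitcode=1 fails the job on any reported finding.
        # --inline-suppr honours `// cppcheck-suppress <id>` comments in the
        # sources, so a PR can silence a finding in-tree; review such
        # additions alongside the code they suppress.
        run: |
          cppcheck --enable=warning,style,performance,portability \
            --suppress=missingIncludeSystem \
            --error-exitcode=1 \
            --inline-suppr \
            -I get-started/csi_recv_router/main \
            get-started/csi_recv_router/main/*.c

  flawfinder:
    name: Security Flaw Analysis
    runs-on: anvil
    steps:
      - name: Checkout
        # Same fresh-fetch sequence as the cppcheck job (see its comment).
        run: |
          rm -rf .git
          git init -q .
          git fetch -q --depth=1 "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" "${GITHUB_REF}"
          git checkout -q --force --detach FETCH_HEAD
          git clean -q -fdx

      - name: Install flawfinder
        # Pinned so the tool cannot change silently between runs; bump the
        # version deliberately. A hash-pinned requirements file
        # (`pip install --require-hashes`) would close the remaining
        # index-substitution gap.
        run: |
          pip install --user "flawfinder==2.0.19"

      - name: Run flawfinder
        # Reports findings of risk level >= 2; only level >= 4 fails the job
        # (--error-level=4), so lower-level hits are informational only.
        run: |
          ~/.local/bin/flawfinder --minlevel=2 --error-level=4 \
            get-started/csi_recv_router/main/

  gitleaks:
    name: Secret Scanning
    runs-on: anvil
    steps:
      - name: Checkout
        # Deliberately NOT shallow: gitleaks scans git history, so the full
        # history of the triggering ref is fetched. Starting from a fresh
        # .git also guarantees a shallow repo left by another job on this
        # runner does not silently shrink the scanned history.
        run: |
          rm -rf .git
          git init -q .
          git fetch -q "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" "${GITHUB_REF}"
          git checkout -q --force --detach FETCH_HEAD
          git clean -q -fdx

      - name: Install gitleaks
        # Download to a scratch dir as the runner user, verify the archive
        # against the release's checksum file, and only then install the
        # single binary with sudo. This replaces `curl | sudo tar`, which
        # extracted an unverified network payload as root. `curl -f` makes
        # an HTTP error fail the step instead of feeding an error page to
        # tar.
        #
        # NOTE(review): the checksum file comes from the same release over
        # the same channel, so this catches a corrupted or substituted
        # download but not a compromised release. Hard-coding the expected
        # SHA256 of the archive in this workflow is the stronger pin; the
        # checksum asset name follows goreleaser's default
        # (<name>_<version>_checksums.txt) -- confirm against the release
        # page when bumping GITLEAKS_VERSION.
        run: |
          GITLEAKS_VERSION="8.18.4"
          ASSET="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          BASE_URL="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}"
          WORK="$(mktemp -d)"
          trap 'rm -rf "${WORK}"' EXIT
          curl -fsSL --retry 3 -o "${WORK}/${ASSET}" "${BASE_URL}/${ASSET}"
          curl -fsSL --retry 3 -o "${WORK}/checksums.txt" \
            "${BASE_URL}/gitleaks_${GITLEAKS_VERSION}_checksums.txt"
          (cd "${WORK}" && sha256sum --check --ignore-missing checksums.txt)
          tar -xzf "${WORK}/${ASSET}" -C "${WORK}" gitleaks
          sudo install -m 0755 "${WORK}/gitleaks" /usr/local/bin/gitleaks
          gitleaks version

      - name: Run gitleaks
        # --redact keeps matched secret values out of the job log; the
        # default exit code of 1 on findings fails the job.
        run: |
          gitleaks detect --source . --verbose --redact

  shellcheck:
    name: Shell Script Analysis
    runs-on: anvil
    steps:
      - name: Checkout
        # Same fresh-fetch sequence as the cppcheck job (see its comment).
        run: |
          rm -rf .git
          git init -q .
          git fetch -q --depth=1 "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" "${GITHUB_REF}"
          git checkout -q --force --detach FETCH_HEAD
          git clean -q -fdx

      - name: Install shellcheck
        run: |
          sudo apt-get update
          sudo apt-get install -y shellcheck

      - name: Find and check shell scripts
        # NUL-delimited find output into an array keeps paths containing
        # whitespace intact (the previous `echo "$SCRIPTS" | xargs` split on
        # whitespace). find errors are no longer discarded with
        # `2>/dev/null || true`; they now show in the log.
        run: |
          mapfile -d '' SCRIPTS < <(find . -path ./.git -prune -o -name '*.sh' -type f -print0)
          if [ "${#SCRIPTS[@]}" -eq 0 ]; then
            echo "No shell scripts found, skipping"
            exit 0
          fi
          printf 'Checking: %s\n' "${SCRIPTS[@]}"
          shellcheck --severity=warning "${SCRIPTS[@]}"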