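---
# Lint and security checks for the csi_recv_router sources.
# Every job clones the repository itself with plain git (no checkout
# action on this runner), so each Checkout step follows the same rules:
#   * workflow-expression values are handed to the shell through `env:` and
#     quoted in the script, never expanded inline into the `run:` text — an
#     expression expanded into script text is shell-injection surface;
#   * the token is removed from .git/config once the clone is done, since
#     `remote.origin.url` would otherwise keep it on the runner's disk
#     after the job finishes;
#   * every analyser is configured to exit non-zero on findings, so a
#     finding fails the job.
name: Lint & Security

# yamllint disable-line rule:truthy
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  cppcheck:
    name: C/C++ Static Analysis
    runs-on: anvil
    steps:
      - name: Checkout
        env:
          # NOTE(review): on pull_request events ref_name is the PR merge
          # ref, which `git clone --branch` may not resolve — confirm the
          # clone succeeds for PR runs on this runner.
          CHECKOUT_REF: ${{ github.ref_name }}
          CHECKOUT_TOKEN: ${{ github.token }}
          REPO_PATH: git.mymx.me/${{ github.repository }}.git
        run: |
          git clone --depth=1 --branch="$CHECKOUT_REF" \
            "https://oauth2:${CHECKOUT_TOKEN}@${REPO_PATH}" .
          # Strip the credential from the persisted remote URL.
          git remote set-url origin "https://${REPO_PATH}"
      - name: Run cppcheck
        # --error-exitcode=1 turns any reported finding into a failed step;
        # --inline-suppr honours `// cppcheck-suppress` comments in the sources.
        run: |
          cppcheck --enable=warning,style,performance,portability \
            --suppress=missingIncludeSystem \
            --error-exitcode=1 \
            --inline-suppr \
            -I get-started/csi_recv_router/main \
            get-started/csi_recv_router/main/*.c

  flawfinder:
    name: Security Flaw Analysis
    runs-on: anvil
    steps:
      - name: Checkout
        env:
          CHECKOUT_REF: ${{ github.ref_name }}
          CHECKOUT_TOKEN: ${{ github.token }}
          REPO_PATH: git.mymx.me/${{ github.repository }}.git
        run: |
          git clone --depth=1 --branch="$CHECKOUT_REF" \
            "https://oauth2:${CHECKOUT_TOKEN}@${REPO_PATH}" .
          # Strip the credential from the persisted remote URL.
          git remote set-url origin "https://${REPO_PATH}"
      - name: Install flawfinder
        # TODO(review): pin the version (flawfinder==<pinned-version>) so the
        # runner installs a known release rather than whatever the index
        # serves at run time.
        run: pip install --user flawfinder
      - name: Run flawfinder
        # --minlevel=2 reports hits of risk level 2 and above; --error-level=4
        # makes the step fail only when a hit of level 4 or higher is found.
        run: |
          ~/.local/bin/flawfinder --minlevel=2 --error-level=4 \
            get-started/csi_recv_router/main/

  gitleaks:
    name: Secret Scanning
    runs-on: anvil
    steps:
      - name: Checkout
        env:
          CHECKOUT_REF: ${{ github.ref_name }}
          CHECKOUT_TOKEN: ${{ github.token }}
          REPO_PATH: git.mymx.me/${{ github.repository }}.git
        # Full history on purpose (no --depth=1): gitleaks scans every
        # commit reachable from the branch, not just the working tree.
        run: |
          git clone --branch="$CHECKOUT_REF" \
            "https://oauth2:${CHECKOUT_TOKEN}@${REPO_PATH}" .
          # Strip the credential from the persisted remote URL.
          git remote set-url origin "https://${REPO_PATH}"
      - name: Run gitleaks
        # --redact keeps matched secret values out of the job log.
        run: gitleaks detect --source . --verbose --redact

  shellcheck:
    name: Shell Script Analysis
    runs-on: anvil
    steps:
      - name: Checkout
        env:
          CHECKOUT_REF: ${{ github.ref_name }}
          CHECKOUT_TOKEN: ${{ github.token }}
          REPO_PATH: git.mymx.me/${{ github.repository }}.git
        run: |
          git clone --depth=1 --branch="$CHECKOUT_REF" \
            "https://oauth2:${CHECKOUT_TOKEN}@${REPO_PATH}" .
          # Strip the credential from the persisted remote URL.
          git remote set-url origin "https://${REPO_PATH}"
      - name: Find and check shell scripts
        # bash is required for mapfile and process substitution.
        shell: bash
        run: |
          # NUL-delimited list so script paths containing whitespace are
          # passed to shellcheck intact instead of being split by xargs.
          mapfile -d '' SCRIPTS < <(find . -name '*.sh' -type f -print0)
          if [ "${#SCRIPTS[@]}" -gt 0 ]; then
            printf 'Checking: %s\n' "${SCRIPTS[@]}"
            shellcheck --severity=warning "${SCRIPTS[@]}"
          else
            echo "No shell scripts found, skipping"
          fi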