creativity-maxxing/.github/workflows/security.yml at main · fidgetcoding/creativity-maxxing · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
name: Security Checks

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 9 * * 1' # Weekly Monday 9am UTC

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  shellcheck-strict:
    name: ShellCheck (error severity)
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run ShellCheck at error severity
        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
        with:
          scandir: '.'
          severity: error
          ignore_paths: node_modules

  secret-scan:
    name: Secret scanning
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
      - name: Scan for hardcoded secrets
        run: |
          # Fail if real-looking API keys are found in tracked files
          if git ls-files | xargs grep -lniE \
            "(sk-ant-api|ghp_[0-9A-Za-z]{36}|xoxb-[0-9A-Za-z-]+|AKIA[0-9A-Z]{16})" \
            2>/dev/null | grep -v ".git"; then
            echo "::error::Potential hardcoded secrets detected — see matches above"
            exit 1
          fi
          echo "No hardcoded secrets detected"