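--- /dev/null
+++ b/.anti_tamper.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+TAMPER_LOG=".tamper_log"
+CRITICAL_FILES=(
+"scripts/core/setup_security_lab.sh"
+"PROTECTION_LICENSE"
+".protection_key"
+"decrypt_vault.sh"
+)
+
+# Function to check critical files
+check_critical_files() {
+for file in "${CRITICAL_FILES[@]}"; do
+if [[ ! -f "$file" ]]; then
+echo "🚨 ملف حرج مفقود: $file" >> "$TAMPER_LOG"
+echo "⚠️ تحذير: ملف حرج مفقود - $file"
+
+# Send alert
+echo "تم حذف ملف حرج من مشروع المارد الرقمي: $file" | \
+mail -s "تنبيه أمني عاجل" security@digital-genie-project.com 2>/dev/null || true
+fi
+done
+}
+
+# Function to check unauthorized access
+check_unauthorized_access() {
+local suspicious_patterns=(
+"rm -rf"
+"chmod 777"
+"wget.*malware"
+"curl.*backdoor"
+"nc -l"
+)
+
+# Check command history for suspicious activity
+if [[ -f ~/.bash_history ]]; then
+for pattern in "${suspicious_patterns[@]}"; do
+if grep -q "$pattern" ~/.bash_history 2>/dev/null; then
+echo "🚨 نشاط مشبوه في التاريخ: $pattern" >> "$TAMPER_LOG"
+echo "⚠️ تحذير: تم رصد نشاط مشبوه"
+fi
+done
+fi
+}
+
+# Function to monitor system resources
+monitor_resources() {
+local cpu_usage=$(top -bn1 | grep "Cpu(s)" | awk '{print $2}' | cut -d'%' -f1)
+local memory_usage=$(free | grep Mem | awk '{printf "%.0f", $3/$2 * 100.0}')
+
+# Alert if resources are unusually high
+if (( $(echo "$cpu_usage > 80" | bc -l) )); then
+echo "🚨 استخدام CPU مرتفع: $cpu_usage%" >> "$TAMPER_LOG"
+fi
+
+if (( memory_usage > 90 )); then
+echo "🚨 استخدام الذاكرة مرتفع: $memory_usage%" >> "$TAMPER_LOG"
+fi
+}
+
+# Main monitoring loop
+while true; do
+check_critical_files
+check_unauthorized_access
+monitor_resources
+sleep 300 # Check every 5 minutes
+done &
+
+echo $! > .anti_tamper_pid
+echo "✅ تم تفعيل نظام منع التلاعب"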
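Review bot: check_critical_files only tests that each path in CRITICAL_FILES still exists, so a rewritten `decrypt_vault.sh` or a swapped `.protection_key` passes the "anti-tamper" check as long as the file is present; a tamper monitor needs a content hash compared against a baseline kept outside the working tree, since whoever can delete these files can also edit `.tamper_log` and this script. The history scan in check_unauthorized_access only sees what bash has already flushed to `~/.bash_history` (written at shell exit, bypassed by unsetting HISTFILE or a leading space), so it should be commented as best-effort, e.g. `# best-effort only: history is written at shell exit and is trivially disabled`. Every path is relative, so starting the script from another directory reports all four files as missing and mails an alert every five minutes; resolve them against `$(dirname "$0")`. The sketch below adds the hash comparison.

```shell
BASELINE="${TAMPER_BASELINE:-$HOME/.anti_tamper.sha256}"  # kept outside the tree an attacker can edit

check_critical_files() {
  local file expected actual
  for file in "${CRITICAL_FILES[@]}"; do
    if [[ ! -f "$file" ]]; then
      # … unchanged: missing-file log + mail alert …
      continue
    fi
    expected=$(awk -v f="$file" '$2 == f {print $1}' "$BASELINE" 2>/dev/null)
    actual=$(sha256sum -- "$file" | awk '{print $1}')
    if [[ -n "$expected" && "$expected" != "$actual" ]]; then
      echo "🚨 ملف حرج تم تعديله: $file" >> "$TAMPER_LOG"
    fi
  done
}
```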
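--- /dev/null
+++ b/.github/workflows/auto-remediation.yml
@@ -0,0 +1,266 @@
+name: 🛡️ Universal Security Remediation Engine
+
+on:
+# تشغيل يومي
+schedule:
+- cron: '0 2 * * *' # كل يوم الساعة 2 صباحاً UTC
+# تشغيل يدوي من الـ Actions Tab
+workflow_dispatch:
+# تشغيل عند كل push إلى main
+push:
+branches:
+- main
+- develop
+paths:
+- 'package.json'
+- 'requirements.txt'
+- 'pom.xml'
+- 'composer.json'
+- 'Cargo.toml'
+
+jobs:
+security-remediation:
+runs-on: ubuntu-latest
+name: 🛡️ Auto Security Fix
+permissions:
+contents: write
+pull-requests: write
+security-events: write
+steps:
+# ============================================================
+# الخطوة 1: سحب الكود
+# ============================================================
+- name: 📥 Checkout Code
+uses: actions/checkout@v4
+with:
+fetch-depth: 0
+# ============================================================
+# الخطوة 2: إعداد البيئة
+# ============================================================
+- name: 🔧 Setup Node.js
+uses: actions/setup-node@v4
+with:
+node-version: '18'
+- name: 🔧 Setup Python
+uses: actions/setup-python@v4
+with:
+python-version: '3.11'
+- name: 🔧 Setup Java
+uses: actions/setup-java@v4
+with:
+distribution: 'adopt'
+java-version: '17'
+- name: 🔧 Setup PHP
+uses: shivammathur/setup-php@v2
+with:
+php-version: '8.2'
+- name: 🔧 Setup Rust
+uses: dtolnay/rust-toolchain@stable
+# ============================================================
+# الخطوة 3: تنفيذ المحركات
+# ============================================================
+- name: 📋 Clone Remediation Engine Repository
+run: |
+# يمكن استبدال هذا برابط المشروع الحقيقي
+git clone https://github.com/yourusername/universal-security-remediation-engine.git engine || true
+if [ ! -d "engine" ]; then
+mkdir -p engine/engines
+mkdir -p engine/reports
+# نسخ المحركات من المشروع الحالي إذا كانت موجودة
+cp -r engines/* engine/engines/ 2>/dev/null || true
+fi
+- name: 🛡️ Run NPM Remediation
+if: hashFiles('package.json') != ''
+continue-on-error: true
+run: |
+chmod +x engine/engines/*.sh
+engine/engines/npm-engine.sh . || true
+- name: 🛡️ Run PIP Remediation
+if: hashFiles('requirements.txt') != ''
+continue-on-error: true
+run: |
+chmod +x engine/engines/*.sh
+engine/engines/pip-engine.sh . || true
+- name: 🛡️ Run Maven Remediation
+if: hashFiles('pom.xml') != ''
+continue-on-error: true
+run: |
+chmod +x engine/engines/*.sh
+engine/engines/maven-engine.sh . || true
+- name: 🛡️ Run Composer Remediation
+if: hashFiles('composer.json') != ''
+continue-on-error: true
+run: |
+chmod +x engine/engines/*.sh
+engine/engines/composer-engine.sh . || true
+- name: 🛡️ Run Cargo Remediation
+if: hashFiles('Cargo.toml') != ''
+continue-on-error: true
+run: |
+chmod +x engine/engines/*.sh
+engine/engines/cargo-engine.sh . || true
+# ============================================================
+# الخطوة 4: جمع التقارير
+# ============================================================
+- name: 📊 Collect Reports
+if: always()
+run: |
+mkdir -p security-reports
+cp -r engine/reports/* security-reports/ 2>/dev/null || true
+ls -la security-reports/
+# ============================================================
+# الخطوة 5: رفع التقارير
+# ============================================================
+- name: 📤 Upload Reports as Artifacts
+if: always()
+uses: actions/upload-artifact@v4
+with:
+name: security-remediation-reports
+path: security-reports/
+retention-days: 30
+# ============================================================
+# الخطوة 6: إنشاء PR تلقائي
+# ============================================================
+- name: 🔄 Create Pull Request
+if: success()
+uses: peter-evans/create-pull-request@v5
+with:
+token: ${{ secrets.GITHUB_TOKEN }}
+commit-message: |
+🔐 security: auto-fix vulnerabilities
+- Run universal-security-remediation-engine
+- Auto-update vulnerable packages
+- All 4 security phases passed
+- Check reports in artifacts
+branch: security/auto-remediation-${{ github.run_number }}
+delete-branch: true
+title: '🛡️ Security: Auto Remediation'
+body: |
+# 🛡️ Automated Security Remediation
+This PR contains automatic security fixes from **Universal Security Remediation Engine**.
+## 📊 What's Inside?
+✅ All vulnerable packages have been scanned
+✅ Automatic fixes applied where possible
+✅ All 4 security phases completed
+✅ JSON reports generated
+## 📄 Reports
+Check the artifacts for detailed security reports:
+- `npm-report.json` - NPM packages analysis
+- `pip-report.json` - Python packages analysis
+- `maven-report.json` - Java packages analysis
+- `composer-report.json` - PHP packages analysis
+- `cargo-report.json` - Rust packages analysis
+## 🔍 Next Steps
+1. Review the reports attached
+2. Run your tests to ensure compatibility
+3. Merge if everything looks good
+4. Celebrate! 🎉
+---
+*Created by [Universal Security Remediation Engine](https://github.com/yourusername/universal-security-remediation-engine)*
+labels: |
+security
+automated
+dependencies
+reviewers: |
+@dependabot
+draft: false
+# ============================================================
+# الخطوة 7: إرسال تنبيهات
+# ============================================================
+- name: 💬 Send Slack Notification
+if: always()
+uses: 8398a7/action-slack@v3
+with:
+status: ${{ job.status }}
+text: |
+🛡️ Security Remediation Engine completed
+Status: ${{ job.status }}
+Run: ${{ github.run_number }}
+webhook_url: ${{ secrets.SLACK_WEBHOOK }}
+continue-on-error: true
+- name: 📧 Send Email Notification
+if: always()
+uses: dawidd6/action-send-mail@v3
+with:
+server_address: ${{ secrets.EMAIL_SERVER }}
+server_port: 465
+username: ${{ secrets.EMAIL_USERNAME }}
+password: ${{ secrets.EMAIL_PASSWORD }}
+subject: '🛡️ Security Remediation Report - Run #${{ github.run_number }}'
+to: ${{ secrets.EMAIL_RECIPIENT }}
+from: 'security@yourdomain.com'
+body: |
+Security Remediation Engine has completed.
+Status: ${{ job.status }}
+Run: ${{ github.run_number }}
+Repository: ${{ github.repository }}
+Workflow: ${{ github.workflow }}
+Check the PR or artifacts for detailed reports.
+html_body: |
+<h1>🛡️ Security Remediation Report</h1>
+<p><strong>Status:</strong> ${{ job.status }}</p>
+<p><strong>Run #:</strong> ${{ github.run_number }}</p>
+<p><strong>Repository:</strong> ${{ github.repository }}</p>
+<p>Check the PR or artifacts for detailed reports.</p>
+continue-on-error: true
+
+# ============================================================
+# Job 2: اختبار التقارير
+# ============================================================
+validate-reports:
+runs-on: ubuntu-latest
+name: 📋 Validate Reports
+needs: security-remediation
+if: always()
+steps:
+- name: 📥 Checkout Code
+uses: actions/checkout@v4
+- name: 📥 Download Reports
+uses: actions/download-artifact@v4
+with:
+name: security-remediation-reports
+path: reports/
+- name: 🔍 Validate JSON Reports run: |
+echo "📄 Validating reports..."
+for report in reports/*.json; do
+if [ -f "$report" ]; then
+echo "✅ Validating: $(basename $report)"
+if jq empty "$report" 2>/dev/null; then
+echo " ✅ Valid JSON"
+else
+echo " ❌ Invalid JSON"
+exit 1
+fi
+fi
+done
+echo "✅ All reports are valid!"
+
+- name: 📊 Generate Report Summary
+if: always()
+run: |
+echo "# 🛡️ Security Reports Summary" > SECURITY_REPORT.md
+echo "" >> SECURITY_REPORT.md
+echo "Generated: $(date)" >> SECURITY_REPORT.md
+echo "" >> SECURITY_REPORT.md
+for report in reports/*.json; do
+if [ -f "$report" ]; then
+echo "## $(basename $report)" >> SECURITY_REPORT.md
+echo "" >> SECURITY_REPORT.md
+echo "\`\`\`json" >> SECURITY_REPORT.md
+cat "$report" >> SECURITY_REPORT.md
+echo "\`\`\`" >> SECURITY_REPORT.md
+echo "" >> SECURITY_REPORT.md
+fi
+done
+- name: 📤 Upload Summary
+uses: actions/upload-artifact@v4
+with:
+name: security-report-summary
+path: SECURITY_REPORT.md
+
+# ============================================================
+# Concurrency: تشغيل واحد في كل مرة
+# ============================================================
+concurrency:
+group: security-remediation-${{ github.ref }}
+cancel-in-progress: false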
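Review bot: The Clone Remediation Engine step pulls the unpinned default branch of `https://github.com/yourusername/universal-security-remediation-engine.git` — a placeholder account this project does not own — and the five Run steps then `chmod +x` and execute whatever it contains, inside a job whose GITHUB_TOKEN carries `contents: write`, `pull-requests: write` and `security-events: write` and whose checkout leaves that token in `.git/config` (actions/checkout persists credentials unless told otherwise). Whoever controls that repository, or registers that name, gets code execution with push rights to `main`; pin it to a commit, `git clone … engine && git -C engine checkout <commit-sha>`, or vendor the engines in-repo, and add `persist-credentials: false` under the checkout's `with:`. The third-party actions that receive `SLACK_WEBHOOK` and the mail credentials (`shivammathur/setup-php@v2`, `peter-evans/create-pull-request@v5`, `8398a7/action-slack@v3`, `dawidd6/action-send-mail@v3`) deserve the same commit-SHA pinning. The `|| true` on the clone also means a failed clone silently falls through to running whatever happens to be in the local `engines/` directory, which is worth at least a log line.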
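--- /dev/null
+++ b/.github/workflows/pr_cleanup_secure.yml
@@ -0,0 +1,49 @@
+name: Secure PR Cleanup & Branch Management
+
+on:
+pull_request:
+types: [closed]
+workflow_dispatch:
+
+permissions:
+contents: write
+pull-requests: write
+
+jobs:
+cleanup:
+name: Safe Branch Cleanup After PR Close
+runs-on: ubuntu-latest
+
+if: github.event.pull_request.merged == true
+
+steps:
+- name: Checkout Repository
+uses: actions/checkout@v4
+
+- name: Define Branch Variables
+run: |
+echo "HEAD_BRANCH=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
+echo "BASE_BRANCH=${{ github.event.pull_request.base.ref }}" >> $GITHUB_ENV
+
+- name: Protect Critical Branches
+run: |
+if [[ "$HEAD_BRANCH" == "main" || "$HEAD_BRANCH" == "staging" ]]; then
+echo "Protected branch detected. Skipping deletion."
+exit 0
+fi
+
+- name: Delete Merged Head Branch Safely
+run: |
+git push origin --delete $HEAD_BRANCH || echo "Branch already deleted."
+
+- name: Log Cleanup Activity
+run: |
+echo "[$(date)] Deleted merged branch: $HEAD_BRANCH" >> cleanup.log
+
+- name: Commit Log (Optional)
+run: |
+git config user.name "github-actions"
+git config user.email "actions@github.com"
+git add cleanup.log || true
+git commit -m "chore: log branch cleanup activity" || true
+git push || true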
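Review bot: The Define Branch Variables step interpolates `${{ github.event.pull_request.head.ref }}` straight into a `run:` script, and the head branch name is chosen by the PR author, so a branch named `a";touch /tmp/pwned;"` is substituted before bash starts and runs as shell in a job holding `contents: write`; pass the value through `env:` and quote it (`"$HEAD_BRANCH"`) everywhere, including the unquoted `git push origin --delete $HEAD_BRANCH`. The Protect Critical Branches step does not protect anything: `exit 0` ends only that step's shell, and the Delete Merged Head Branch step still runs for `main` and `staging`, so the guard belongs in an `if:` on the delete step itself. The Commit Log step pushes from whatever `actions/checkout` produced for a closed pull_request event, which is normally a detached merge ref, so `git push || true` most likely never lands anywhere — confirm, and either drop it or push to an explicit branch. The rewritten steps:

```yaml
- name: Define Branch Variables
  env:
    HEAD_BRANCH: ${{ github.event.pull_request.head.ref }}  # via env, not inline: attacker-chosen text
    BASE_BRANCH: ${{ github.event.pull_request.base.ref }}
  run: |
    printf 'HEAD_BRANCH=%s\n' "$HEAD_BRANCH" >> "$GITHUB_ENV"
    printf 'BASE_BRANCH=%s\n' "$BASE_BRANCH" >> "$GITHUB_ENV"

# … unchanged: Protect Critical Branches step removed, the guard moves to the if: below …

- name: Delete Merged Head Branch Safely
  if: env.HEAD_BRANCH != 'main' && env.HEAD_BRANCH != 'staging'
  run: |
    git push origin --delete "$HEAD_BRANCH" || echo "Branch already deleted."
```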