mirror of
https://github.com/shuaiplus/nodewarden.git
synced 2026-06-20 13:00:39 +00:00
refactor: simplify security scan reporting workflow
This commit is contained in:
shuaiplus
@@ -23,8 +23,8 @@ class SecurityReport {
|
|||||||
|
|
||||||
this.locales = {
|
this.locales = {
|
||||||
zh: {
|
zh: {
|
||||||
filename: 'README_CN.md',
|
filename: 'security-report-cn.md',
|
||||||
switcher: '[English](README.md) | 中文',
|
switcher: '[English](security-report.md) | 中文',
|
||||||
title: '🛡️ 安全审计与透明度报告',
|
title: '🛡️ 安全审计与透明度报告',
|
||||||
grade: '安全评级',
|
grade: '安全评级',
|
||||||
important: '> [!IMPORTANT]\n> 本报告由 **GitHub Actions** 自动生成。为确保数据主权的绝对透明度,所有核心模块的安全扫描结果均实时公开。',
|
important: '> [!IMPORTANT]\n> 本报告由 **GitHub Actions** 自动生成。为确保数据主权的绝对透明度,所有核心模块的安全扫描结果均实时公开。',
|
||||||
@@ -75,8 +75,8 @@ class SecurityReport {
|
|||||||
trivySafe: '✅ **安全**:未发现容器配置缺陷。'
|
trivySafe: '✅ **安全**:未发现容器配置缺陷。'
|
||||||
},
|
},
|
||||||
en: {
|
en: {
|
||||||
filename: 'README.md',
|
filename: 'security-report.md',
|
||||||
switcher: 'English | [中文](README_CN.md)',
|
switcher: 'English | [中文](security-report-cn.md)',
|
||||||
title: '🛡️ Security Audit & Transparency Report',
|
title: '🛡️ Security Audit & Transparency Report',
|
||||||
grade: 'Security Grade',
|
grade: 'Security Grade',
|
||||||
important: '> [!IMPORTANT]\n> This report is automatically generated by **GitHub Actions**. To ensure absolute transparency of data sovereignty, all core module security scan results are made public in real-time.',
|
important: '> [!IMPORTANT]\n> This report is automatically generated by **GitHub Actions**. To ensure absolute transparency of data sovereignty, all core module security scan results are made public in real-time.',
|
||||||
|
|||||||
@@ -13,7 +13,7 @@ jobs:
|
|||||||
scan:
|
scan:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
permissions:
|
permissions:
|
||||||
contents: write
|
contents: read
|
||||||
security-events: write
|
security-events: write
|
||||||
actions: read
|
actions: read
|
||||||
env:
|
env:
|
||||||
@@ -103,17 +103,15 @@ jobs:
|
|||||||
trivy config . --format json --output trivy_result.json --severity CRITICAL,HIGH || true
|
trivy config . --format json --output trivy_result.json --severity CRITICAL,HIGH || true
|
||||||
|
|
||||||
- name: Generate Security Report
|
- name: Generate Security Report
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
run: |
|
run: |
|
||||||
# Gitleaks typically produces results.sarif if configured or by default in some versions
|
# Gitleaks typically produces results.sarif if configured or by default in some versions
|
||||||
# We'll ensure it exists for our reporter
|
# We'll ensure it exists for our reporter
|
||||||
node .github/scripts/security.cjs
|
node .github/scripts/security.cjs
|
||||||
|
|
||||||
# Also append to step summary for immediate visibility in GHA UI
|
# Also append to step summary for immediate visibility in GHA UI
|
||||||
cat README.md >> $GITHUB_STEP_SUMMARY
|
cat security-report.md >> $GITHUB_STEP_SUMMARY
|
||||||
echo -e "\n---\n" >> $GITHUB_STEP_SUMMARY
|
echo -e "\n---\n" >> $GITHUB_STEP_SUMMARY
|
||||||
cat README_CN.md >> $GITHUB_STEP_SUMMARY
|
cat security-report-cn.md >> $GITHUB_STEP_SUMMARY
|
||||||
|
|
||||||
- name: Upload Gitleaks Results to GitHub Security
|
- name: Upload Gitleaks Results to GitHub Security
|
||||||
uses: github/codeql-action/upload-sarif@v3
|
uses: github/codeql-action/upload-sarif@v3
|
||||||
@@ -122,30 +120,17 @@ jobs:
|
|||||||
sarif_file: results.sarif
|
sarif_file: results.sarif
|
||||||
category: gitleaks
|
category: gitleaks
|
||||||
|
|
||||||
- name: Push to Audit Branch
|
- name: Upload Security Report Artifacts
|
||||||
if: github.event_name != 'pull_request'
|
if: always()
|
||||||
run: |
|
uses: actions/upload-artifact@v4
|
||||||
mkdir audit_temp
|
with:
|
||||||
cp README.md audit_temp/
|
name: security-report
|
||||||
cp README_CN.md audit_temp/
|
if-no-files-found: ignore
|
||||||
[ -f "snyk_result.txt" ] && cp snyk_result.txt audit_temp/
|
path: |
|
||||||
[ -f "snyk_result.json" ] && cp snyk_result.json audit_temp/
|
security-report.md
|
||||||
|
security-report-cn.md
|
||||||
# Collect all SARIF files with descriptive names
|
snyk_result.txt
|
||||||
[ -f "results.sarif" ] && cp results.sarif audit_temp/Gitleaks_results.sarif
|
snyk_result.json
|
||||||
if [ -d "sarif-results" ]; then
|
trivy_result.json
|
||||||
for f in sarif-results/*.sarif; do
|
results.sarif
|
||||||
[ -f "$f" ] && cp "$f" "audit_temp/CodeQL_$(basename "$f")"
|
sarif-results/*.sarif
|
||||||
done
|
|
||||||
fi
|
|
||||||
|
|
||||||
cd audit_temp
|
|
||||||
git init
|
|
||||||
git config --local user.email "action@github.com"
|
|
||||||
git config --local user.name "GitHub Action"
|
|
||||||
git checkout --orphan security-audit
|
|
||||||
|
|
||||||
git add .
|
|
||||||
git commit -m "chore: archive security report and raw data [skip ci]"
|
|
||||||
git remote add origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}
|
|
||||||
git push -f origin security-audit
|
|
||||||
|
|||||||
Reference in New Issue
Block a user