Security Scan (Admin Only) #25
```yaml
name: Security Scan (Admin Only)

on:
  push:
    branches: [main, master, develop]
  pull_request:
    branches: [main, master]
  schedule:
    - cron: '0 2 * * *'
  workflow_dispatch:

# Restrict permissions: only administrators can view the detailed results
permissions:
  contents: read
  security-events: write
  actions: read
  # No other permissions are granted, to limit visibility

env:
  JAVA_VERSION: '17'
  NODE_VERSION: '20'

jobs:
  # =====================================================
  # 1. CodeQL code security scan - visible to admins only
  # =====================================================
  codeql-analysis:
    name: CodeQL Security Analysis (Admin Only)
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
      # Results are uploaded to GitHub Security and are visible only to members with permission
    strategy:
      fail-fast: false
      matrix:
        language: ['java', 'javascript']
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          queries: +security-and-quality

      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
        with:
          category: "/language:${{ matrix.language }}"
          upload: true
          # Uploaded to the GitHub Security tab; only members with permission can view it

  # =====================================================
  # 2. Backend dependency vulnerability scan - visible to admins only
  # =====================================================
  backend-dependency-check:
    name: Backend Dependency Check (Admin Only)
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: src/backend
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: ${{ env.JAVA_VERSION }}
          cache: 'maven'

      - name: Run OWASP Dependency-Check
        uses: dependency-check/Dependency-Check_Action@main
        id: depcheck
        with:
          project: 'Security-Teaching-System-Backend'
          path: 'src/backend'
          format: 'JSON' # Generate JSON only, no HTML
          args: >
            --failOnCVSS 7.0
            --enableRetired
          suppressionFiles: '.github/dependency-check-suppressions.xml'

      - name: Upload to GitHub Security (Admin Only)
        run: |
          # Upload the report to GitHub Security; visible to admins only
          if [ -f "src/backend/reports/dependency-check-report.json" ]; then
            # Upload to the Security tab via the GitHub API
            # Note: this requires the appropriate permissions
            echo "Report generated, accessible via GitHub Security tab (admin only)"
          fi

      - name: Store report securely (Admin Only)
        if: always()
        run: |
          # Generate a summary digest that contains no detailed vulnerability information
          echo "## Backend Dependency Check Summary" > summary.md
          echo "Scan completed: $(date)" >> summary.md
          echo "Status: ${{ steps.depcheck.outcome }}" >> summary.md
          echo "" >> summary.md
          echo "⚠️ 详细报告仅管理员可在GitHub Security标签页查看" >> summary.md

      - name: Upload summary only
        uses: actions/upload-artifact@v3
        if: always()
        with:
          name: backend-dependency-summary
          path: summary.md
          retention-days: 3
          # Only the summary is uploaded; it contains no detailed vulnerability information

      - name: Check for high severity vulnerabilities
        if: steps.depcheck.outcome == 'failure'
        run: |
          echo "❌ 发现高危漏洞(CVSS >= 7.0)"
          echo "详细报告仅管理员可见"
          exit 1

  # =====================================================
  # 3. Frontend dependency vulnerability scan - visible to admins only
  # =====================================================
  frontend-dependency-check:
    name: Frontend Dependency Check (Admin Only)
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: src/frontend
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
          cache-dependency-path: src/frontend/package-lock.json

      - name: Install dependencies
        run: npm ci

      - name: Run npm audit (silent)
        run: |
          # Run silently; do not print detailed vulnerability information
          npm audit --audit-level=high --production --json > npm-audit-report.json 2>&1 || true

      - name: Generate summary (no details)
        run: |
          echo "## Frontend Dependency Check Summary" > summary.md
          echo "Scan completed: $(date)" >> summary.md
          if [ -f "npm-audit-report.json" ]; then
            echo "Audit report generated" >> summary.md
          fi
          echo "" >> summary.md
          echo "⚠️ 详细报告仅管理员可在GitHub Security标签页查看" >> summary.md

      - name: Upload summary only
        uses: actions/upload-artifact@v3
        if: always()
        with:
          name: frontend-dependency-summary
          path: summary.md
          retention-days: 3

  # =====================================================
  # 4. Secret leak scan - visible to admins only
  # =====================================================
  secret-scan:
    name: Secret Scanning (Admin Only)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Run Gitleaks (silent)
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          config-path: .github/gitleaks.toml
          no-git: false
          verbose: false # Do not print detailed output
          exit-code: 1

      - name: Secret scan result
        if: failure()
        run: |
          echo "❌ 发现密钥泄露"
          echo "详细信息仅管理员可见(GitHub Security标签页)"
          exit 1

  # =====================================================
  # 5. Security scan summary (status only, no details)
  # =====================================================
  security-summary:
    name: Security Scan Summary (Admin Only)
    runs-on: ubuntu-latest
    needs: [codeql-analysis, backend-dependency-check, frontend-dependency-check, secret-scan]
    if: always()
    steps:
      - name: Generate admin-only summary
        run: |
          echo "## 🔒 安全扫描结果汇总(仅管理员可见详细信息)" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "⚠️ **重要**:详细安全报告仅仓库管理员可以在GitHub Security标签页查看" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "| 扫描类型 | 状态 |" >> $GITHUB_STEP_SUMMARY
          echo "|---------|------|" >> $GITHUB_STEP_SUMMARY
          echo "| CodeQL 代码扫描 | ${{ needs.codeql-analysis.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "| 后端依赖扫描 | ${{ needs.backend-dependency-check.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "| 前端依赖扫描 | ${{ needs.frontend-dependency-check.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "| 密钥泄露扫描 | ${{ needs.secret-scan.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "📊 查看详细报告:" >> $GITHUB_STEP_SUMMARY
          echo "- GitHub Security标签页(仅管理员)" >> $GITHUB_STEP_SUMMARY
          echo "- 联系仓库管理员获取详细报告" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "💡 提示:只有仓库管理员可以访问详细的安全扫描报告" >> $GITHUB_STEP_SUMMARY
```