diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index ed2fa70c..2924fc57 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -75,6 +75,40 @@ jobs: args: --timeout=5m continue-on-error: true + - name: GORM Security Scanner + id: gorm-scan + run: | + chmod +x scripts/scan-gorm-security.sh + ./scripts/scan-gorm-security.sh --check + continue-on-error: false + + - name: GORM Security Scan Summary + if: always() + run: | + echo "## 🔒 GORM Security Scan Results" >> $GITHUB_STEP_SUMMARY + if [ "${{ steps.gorm-scan.outcome }}" == "success" ]; then + echo "✅ **No GORM security issues detected**" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "All models follow secure GORM patterns:" >> $GITHUB_STEP_SUMMARY + echo "- ✅ No exposed internal database IDs" >> $GITHUB_STEP_SUMMARY + echo "- ✅ No exposed API keys or secrets" >> $GITHUB_STEP_SUMMARY + echo "- ✅ Response DTOs properly structured" >> $GITHUB_STEP_SUMMARY + else + echo "❌ **GORM security issues found**" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "Run locally for details:" >> $GITHUB_STEP_SUMMARY + echo '```bash' >> $GITHUB_STEP_SUMMARY + echo "./scripts/scan-gorm-security.sh --report" >> $GITHUB_STEP_SUMMARY + echo '```' >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "See [GORM Security Scanner docs](docs/implementation/gorm_security_scanner_complete.md) for remediation guidance." >> $GITHUB_STEP_SUMMARY + fi + + - name: Annotate GORM Security Issues + if: failure() && steps.gorm-scan.outcome == 'failure' + run: | + echo "::error title=GORM Security Issues Detected::Run './scripts/scan-gorm-security.sh --report' locally for detailed findings. See docs/implementation/gorm_security_scanner_complete.md for remediation guidance." + - name: Run Perf Asserts working-directory: backend env: diff --git a/README.md b/README.md index 735d8199..edc88bbd 100644 --- a/README.md +++ b/README.md @@ -280,12 +280,14 @@ docker run -d \ **Install golangci-lint** (for contributors): `go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest` -**GORM Security Scanner:** Charon includes an automated security scanner that detects GORM vulnerabilities (ID leaks, exposed secrets, DTO embedding issues). Run it via: +**GORM Security Scanner:** Charon includes an automated security scanner that detects GORM vulnerabilities (ID leaks, exposed secrets, DTO embedding issues). Runs automatically in CI on all PRs. Run locally via: ```bash # VS Code: Command Palette → "Lint: GORM Security Scan" # Or via pre-commit: pre-commit run --hook-stage manual gorm-security-scan --all-files +# Or directly: +./scripts/scan-gorm-security.sh --report ``` See [GORM Security Scanner Documentation](docs/implementation/gorm_security_scanner_complete.md) for details. diff --git a/docs/implementation/gorm_security_scanner_complete.md b/docs/implementation/gorm_security_scanner_complete.md index fb96b8ac..5f6520a7 100644 --- a/docs/implementation/gorm_security_scanner_complete.md +++ b/docs/implementation/gorm_security_scanner_complete.md @@ -203,24 +203,39 @@ The scanner correctly identified **60 pre-existing security issues** in the code **Status:** ✅ Accessible from Command Palette -### 3. CI Pipeline (Not Yet Implemented) +### 3. CI Pipeline (GitHub Actions) -**Recommended Addition** to `.github/workflows/test.yml`: +**Configuration:** `.github/workflows/quality-checks.yml` + +The scanner is integrated into the `backend-quality` job: ```yaml - name: GORM Security Scanner + id: gorm-scan run: | chmod +x scripts/scan-gorm-security.sh ./scripts/scan-gorm-security.sh --check continue-on-error: false -- name: Annotate GORM Security Issues - if: failure() +- name: GORM Security Scan Summary + if: always() run: | - echo "::error title=GORM Security Issues::Run './scripts/scan-gorm-security.sh --report' locally for details" + echo "## 🔒 GORM Security Scan Results" >> $GITHUB_STEP_SUMMARY + # ... detailed summary output + +- name: Annotate GORM Security Issues + if: failure() && steps.gorm-scan.outcome == 'failure' + run: | + echo "::error title=GORM Security Issues Detected::Run './scripts/scan-gorm-security.sh --report' locally for details" ``` -**Status:** ⚠️ **Pending** — Add after remediation complete +**Status:** ✅ **ACTIVE** — Runs on all PRs and pushes to main, development, feature branches + +**Behavior:** +- Scanner executes on every PR and push +- Failures are annotated in GitHub PR view +- Summary appears in GitHub Actions job summary +- Exit code 1 blocks PR merge if issues detected --- diff --git a/docs/reports/gorm_scanner_qa_report.md b/docs/reports/gorm_scanner_qa_report.md index 17bc4b66..1d007660 100644 --- a/docs/reports/gorm_scanner_qa_report.md +++ b/docs/reports/gorm_scanner_qa_report.md @@ -416,9 +416,12 @@ The scanner correctly identified **60 pre-existing security issues**: - Change `.pre-commit-config.yaml` from `stages: [manual]` to `stages: [commit]` - This will enforce scanner on every commit -4. **Add CI Integration:** - - Add scanner step to `.github/workflows/test.yml` - - Block PRs if scanner finds issues +4. **✅ CI Integration Complete:** + - Scanner integrated into `.github/workflows/quality-checks.yml` + - Runs on all PRs and pushes to main, development, feature branches + - Blocks PRs if scanner finds issues + - GitHub annotations show file:line for issues + - Summary output in GitHub Actions job summary ### 8.3 Documentation Updates