chore: integrate GORM Security Scanner into CI pipeline and update documentation

2026-01-28 10:34:27 +00:00
parent 0854f94089
commit d9024545ee
4 changed files with 64 additions and 10 deletions
--- a/.github/workflows/quality-checks.yml
+++ b/.github/workflows/quality-checks.yml
@@ -75,6 +75,40 @@ jobs:
          args: --timeout=5m
        continue-on-error: true

+      - name: GORM Security Scanner
+        id: gorm-scan
+        run: |
+          chmod +x scripts/scan-gorm-security.sh
+          ./scripts/scan-gorm-security.sh --check
+        continue-on-error: false
+
+      - name: GORM Security Scan Summary
+        if: always()
+        run: |
+          echo "## 🔒 GORM Security Scan Results" >> $GITHUB_STEP_SUMMARY
+          if [ "${{ steps.gorm-scan.outcome }}" == "success" ]; then
+            echo "✅ **No GORM security issues detected**" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "All models follow secure GORM patterns:" >> $GITHUB_STEP_SUMMARY
+            echo "- ✅ No exposed internal database IDs" >> $GITHUB_STEP_SUMMARY
+            echo "- ✅ No exposed API keys or secrets" >> $GITHUB_STEP_SUMMARY
+            echo "- ✅ Response DTOs properly structured" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "❌ **GORM security issues found**" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "Run locally for details:" >> $GITHUB_STEP_SUMMARY
+            echo '```bash' >> $GITHUB_STEP_SUMMARY
+            echo "./scripts/scan-gorm-security.sh --report" >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "See [GORM Security Scanner docs](docs/implementation/gorm_security_scanner_complete.md) for remediation guidance." >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: Annotate GORM Security Issues
+        if: failure() && steps.gorm-scan.outcome == 'failure'
+        run: |
+          echo "::error title=GORM Security Issues Detected::Run './scripts/scan-gorm-security.sh --report' locally for detailed findings. See docs/implementation/gorm_security_scanner_complete.md for remediation guidance."
+
      - name: Run Perf Asserts
        working-directory: backend
        env: