3f0017d1f1
主要改动: - 固定 Go 1.25.5 与 CI 校验并更新扫描流程 - 升级 quic-go、x/crypto、req 等依赖并通过 govulncheck - 强化 JWT 校验、TLS 配置与 xlsx 动态加载 - 新增审计豁免清单与校验脚本
61 lines
1.6 KiB
YAML
61 lines
1.6 KiB
YAML
name: Security Scan
|
|
|
|
on:
|
|
push:
|
|
pull_request:
|
|
schedule:
|
|
- cron: '0 3 * * 1'
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
backend-security:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Set up Go
|
|
uses: actions/setup-go@v5
|
|
with:
|
|
go-version-file: backend/go.mod
|
|
check-latest: false
|
|
cache-dependency-path: backend/go.sum
|
|
- name: Verify Go version
|
|
run: |
|
|
go version | grep -q 'go1.25.5'
|
|
- name: Run govulncheck
|
|
working-directory: backend
|
|
run: |
|
|
go install golang.org/x/vuln/cmd/govulncheck@latest
|
|
govulncheck ./...
|
|
- name: Run gosec
|
|
working-directory: backend
|
|
run: |
|
|
go install github.com/securego/gosec/v2/cmd/gosec@latest
|
|
gosec -severity high -confidence high ./...
|
|
|
|
frontend-security:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Set up Node.js
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: '20'
|
|
cache: 'pnpm'
|
|
cache-dependency-path: frontend/pnpm-lock.yaml
|
|
- name: Set up pnpm
|
|
uses: pnpm/action-setup@v2
|
|
- name: Install dependencies
|
|
working-directory: frontend
|
|
run: pnpm install --frozen-lockfile
|
|
- name: Run pnpm audit
|
|
working-directory: frontend
|
|
run: |
|
|
pnpm audit --prod --audit-level=high --json > audit.json || true
|
|
- name: Check audit exceptions
|
|
run: |
|
|
python tools/check_pnpm_audit_exceptions.py \
|
|
--audit frontend/audit.json \
|
|
--exceptions .github/audit-exceptions.yml
|