docs(contributors): add m2228 as a contributor for bug (#204) #435
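---
# Security scanning workflow: static analysis (luacheck), a rockspec
# dependency review, secret scanning (gitleaks) and file-permission checks.
# Most shell steps are advisory: they print findings but do not fail the job
# (see the per-step comments), so their output has to be read by a human.
# NOTE(review): third-party actions are pinned by tag; pinning to a commit SHA
# would protect against a tag being moved. Left as-is, no SHAs are on record.
name: Security Scanning

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]
  schedule:
    # Run weekly on Sundays at 3:00 AM UTC
    - cron: '0 3 * * 0'

# Least privilege: by default the job token only needs to read the repository.
# A job that needs more widens it for itself (see secret-scanning).
permissions:
  contents: read

jobs:
  luacheck:
    name: Luacheck Security Analysis
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Setup Lua
        uses: leafo/gh-actions-lua@v12
        with:
          luaVersion: "5.1"
      - name: Setup LuaRocks
        uses: leafo/gh-actions-luarocks@v6
      - name: Install Luacheck
        run: luarocks install luacheck
      - name: Run Luacheck with security focus
        # Advisory step: `|| true` keeps luacheck findings from failing the job,
        # and the grep only lists call sites of APIs that deserve a manual look.
        run: |
          luacheck lua/ --formatter plain --codes || true
          echo "Security patterns to review manually:"
          echo "- Command execution: os.execute, io.popen"
          echo "- File operations: io.open, io.write"
          echo "- Unsafe string operations: loadstring, dofile"
          grep -r "os\.execute\|io\.popen\|loadstring\|dofile\|load(" lua/ || echo "No obvious security patterns found"

  dependency-check:
    name: Dependency Security Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Check for known vulnerabilities
        run: |
          echo "Checking for common security issues in dependencies..."
          # Check if any external dependencies are used.
          # `[ -f "*.rockspec" ]` tests for a file literally named "*.rockspec"
          # (a quoted glob is never expanded), so the "found" branch could not
          # be reached. Let the shell expand the glob and test for a match.
          if ls ./*.rockspec >/dev/null 2>&1; then
            echo "Rockspec found - review dependencies manually"
            cat ./*.rockspec
          else
            echo "No rockspec file found - minimal dependencies"
          fi

  secret-scanning:
    name: Secret Scanning
    runs-on: ubuntu-latest
    # gitleaks-action can comment on pull requests when it finds a leak, which
    # presumably needs write access to pull requests (confirm against the
    # action's docs); the repository itself stays read-only.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          # Full clone so the scan can cover the commit history, not just HEAD.
          fetch-depth: 0
      - name: Scan for secrets using gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # NOTE(review): looks like this is only needed for organization-owned
          # repositories — confirm against the action's docs.
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

  permissions-check:
    name: File Permissions Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Check for executable files
        # Advisory step: the list is printed for review; nothing fails the job.
        run: |
          echo "Checking for unexpected executable files..."
          find . -type f -executable -not -path "./.git/*" -not -path "./spec/*" || true
          echo "Review any unexpected executable files above"
      - name: Check for sensitive file patterns
        run: |
          echo "Checking for sensitive patterns..."
          # Check for potential credentials or API keys. Advisory only: matches
          # are printed, not treated as failures, and this workflow's own
          # `secrets.GITHUB_TOKEN` references are expected to show up.
          grep -r -i "password\|api_key\|secret\|token" --exclude-dir=.git --exclude-dir=spec --exclude="*.md" . || echo "No sensitive patterns found"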