Skip to content
Config Scan

feat: add network access and tools for external API integration #249

Sign in to view logs

feat: add network access and tools for external API integration

feat: add network access and tools for external API integration #249

Workflow file for this run

.github/workflows/scan.yml at b930574
name: Config Scan
on:
push:
branches: [main]
pull_request:
permissions:
contents: read
jobs:
scan:
name: Scan PodSpecs
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1
with:
cache: true
- name: Build nucleus-audit
run: cargo build -p nucleus-audit --release
- name: Scan example PodSpecs
run: |
set -uo pipefail
SCANNER=target/release/nucleus-audit
echo "::group::safe-pr-fixer.yaml"
$SCANNER scan --pod-spec examples/podspecs/safe-pr-fixer.yaml
echo "::endgroup::"
echo "::group::airgapped-review.yaml"
$SCANNER scan --pod-spec examples/podspecs/airgapped-review.yaml
echo "::endgroup::"
echo "::group::secure-codegen.yaml"
$SCANNER scan --pod-spec examples/podspecs/secure-codegen.yaml
echo "::endgroup::"
echo "::group::permissive-danger.yaml (expected FAIL)"
if $SCANNER scan --pod-spec examples/podspecs/permissive-danger.yaml; then
echo "::error::permissive-danger.yaml should fail the scan but passed"
exit 1
else
echo "Correctly failed — this PodSpec is intentionally insecure"
fi
echo "::endgroup::"
# Claude Code settings.json
echo "::group::safe-restrictive.json (Claude settings)"
$SCANNER scan --claude-settings examples/claude-settings/safe-restrictive.json
echo "::endgroup::"
echo "::group::permissive-danger.json (Claude settings, expected FAIL)"
if $SCANNER scan --claude-settings examples/claude-settings/permissive-danger.json; then
echo "::error::permissive-danger.json should fail the scan but passed"
exit 1
else
echo "Correctly failed — this Claude config is intentionally insecure"
fi
echo "::endgroup::"
# MCP configs
echo "::group::safe-local.json (MCP config)"
$SCANNER scan --mcp-config examples/mcp-configs/safe-local.json
echo "::endgroup::"
echo "::group::permissive-danger.json (MCP config, expected FAIL)"
if $SCANNER scan --mcp-config examples/mcp-configs/permissive-danger.json; then
echo "::error::permissive-danger.json should fail the scan but passed"
exit 1
else
echo "Correctly failed — this MCP config is intentionally insecure"
fi
echo "::endgroup::"
# Combined scan
echo "::group::Combined scan (all three formats)"
$SCANNER scan \
--pod-spec examples/podspecs/safe-pr-fixer.yaml \
--claude-settings examples/claude-settings/safe-restrictive.json \
--mcp-config examples/mcp-configs/safe-local.json
echo "::endgroup::"
- name: SARIF scan (all safe configs)
if: always()
run: |
target/release/nucleus-audit scan \
--pod-spec examples/podspecs/safe-pr-fixer.yaml \
--claude-settings examples/claude-settings/safe-restrictive.json \
--mcp-config examples/mcp-configs/safe-local.json \
--format sarif > nucleus-scan.sarif || true
- name: Upload SARIF to GitHub Code Scanning
if: always()
uses: github/codeql-action/upload-sarif@9792ccaef0455e446c567163589397e8c3ac2e0d # v3
with:
sarif_file: nucleus-scan.sarif
category: nucleus-audit
# Test the standalone scan action (downloads pre-built binary from releases)
scan-action:
name: Scan Action (integration)
runs-on: ubuntu-latest
# Only run on main — the action downloads from releases, so it needs a published version
if: github.ref == 'refs/heads/main'
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Scan safe PodSpec
# v1.0.8
uses: coproduct-opensource/nucleus/scan@fdf3eb5cd7debe5f8493122beb430fce2a9fe0d5
id: safe
with:
pod-spec: examples/podspecs/safe-pr-fixer.yaml
- name: Verify verdict
run: |
echo "Verdict: ${{ steps.safe.outputs.verdict }}"
if [ "${{ steps.safe.outputs.verdict }}" != "PASS" ]; then
echo "::error::Expected PASS verdict for safe-pr-fixer.yaml"
exit 1
fi