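# Security scanning workflow: CodeQL, OWASP Dependency-Check (backend),
# npm audit (frontend) and Gitleaks, plus a status-only summary.
#
# Notes for maintainers
# - Third-party actions are referenced by mutable tags, and Dependency-Check
#   by a branch. Pin them to full commit SHAs and let Dependabot
#   (github-actions ecosystem) bump them, so a moved tag cannot change what
#   runs here.
# - "Admin Only" in job and step names is a label, not a control: Actions
#   logs, step summaries and artifacts are visible to anyone who can view the
#   workflow run. Only findings uploaded to the Security tab (CodeQL SARIF,
#   Gitleaks SARIF) are gated by the repository's security-alert access
#   settings. The summaries below therefore carry status only, no details.
name: Security Scan (Admin Only)

on:
  push:
    branches: [main, master, develop]
  pull_request:
    branches: [main, master]
  schedule:
    - cron: '0 2 * * *'
  workflow_dispatch:

# Least privilege: the default token is read-only. Jobs that upload results
# to the Security tab request `security-events: write` for themselves.
permissions:
  contents: read

env:
  JAVA_VERSION: '17'
  NODE_VERSION: '20'

jobs:
  # =====================================================
  # 1. CodeQL static analysis - results go to the Security tab
  # =====================================================
  codeql-analysis:
    name: CodeQL Security Analysis (Admin Only)
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write  # required to upload SARIF results
    strategy:
      fail-fast: false
      matrix:
        language: ['java', 'javascript']
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # codeql-action v2 is deprecated; v3 is the supported major version.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: +security-and-quality

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          # matrix.language is a fixed literal from the matrix above, not
          # externally supplied input, so interpolating it here is safe.
          category: "/language:${{ matrix.language }}"
          upload: true

  # =====================================================
  # 2. Backend dependency vulnerability scan (OWASP Dependency-Check)
  # =====================================================
  backend-dependency-check:
    name: Backend Dependency Check (Admin Only)
    runs-on: ubuntu-latest
    defaults:
      run:
        # Applies to `run:` steps only; `uses:` steps still resolve paths
        # from the workspace root.
        working-directory: src/backend
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: ${{ env.JAVA_VERSION }}
          cache: 'maven'

      # TODO(review): `@main` is a mutable branch ref; pin this action to a
      # release tag or full commit SHA.
      # `continue-on-error` keeps the job running after --failOnCVSS trips so
      # the outcome is recorded and the explicit check step at the end decides
      # the job status. Without it the job stopped here and the check step
      # (whose `if:` has no always()/failure()) could never run.
      - name: Run OWASP Dependency-Check
        uses: dependency-check/Dependency-Check_Action@main
        id: depcheck
        continue-on-error: true
        with:
          project: 'Security-Teaching-System-Backend'
          path: 'src/backend'
          format: 'JSON'  # JSON only; no HTML report is produced
          args: >
            --failOnCVSS 7.0
            --enableRetired
          suppressionFiles: '.github/dependency-check-suppressions.xml'

      # Nothing is uploaded here: the step only reports whether the JSON
      # report exists. Getting Dependency-Check findings into the Security
      # tab needs a SARIF report, github/codeql-action/upload-sarif and
      # `security-events: write` on this job.
      # The path is given from the workspace root because this step runs in
      # src/backend; the action is assumed to write to `reports` under the
      # workspace — confirm against its output-directory input.
      - name: Upload to GitHub Security (Admin Only)
        if: always()
        run: |
          if [ -f "$GITHUB_WORKSPACE/reports/dependency-check-report.json" ]; then
            echo "Report generated, accessible via GitHub Security tab (admin only)"
          else
            echo "dependency-check-report.json not found in reports/ under the workspace"
          fi

      # Status only; the summary never contains finding details.
      # steps.depcheck.outcome is one of a fixed set of values, so it is safe
      # to interpolate into the shell script.
      - name: Store report securely (Admin Only)
        if: always()
        run: |
          echo "## Backend Dependency Check Summary" > summary.md
          echo "Scan completed: $(date)" >> summary.md
          echo "Status: ${{ steps.depcheck.outcome }}" >> summary.md
          echo "" >> summary.md
          echo "⚠️ 详细报告仅管理员可在GitHub Security标签页查看" >> summary.md

      # upload-artifact v3 is retired; v4 needs a unique artifact name per
      # run, which the two summary artifacts already have.
      # summary.md was written from src/backend, and `uses:` steps ignore the
      # job's working-directory, so the path must include that prefix.
      - name: Upload summary only
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: backend-dependency-summary
          path: src/backend/summary.md
          retention-days: 3

      - name: Check for high severity vulnerabilities
        if: steps.depcheck.outcome == 'failure'
        run: |
          echo "❌ 发现高危漏洞(CVSS >= 7.0)"
          echo "详细报告仅管理员可见"
          exit 1

  # =====================================================
  # 3. Frontend dependency vulnerability scan (npm audit)
  # =====================================================
  frontend-dependency-check:
    name: Frontend Dependency Check (Admin Only)
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: src/frontend
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
          cache-dependency-path: src/frontend/package-lock.json

      - name: Install dependencies
        run: npm ci

      # The report stays on the runner; only the exit status is recorded so
      # the check step at the end can fail the job. Previously `|| true`
      # discarded the status and this job passed regardless of findings.
      # stdout (JSON) and stderr are kept apart so the report stays parseable.
      # `--omit=dev` is the current spelling of the deprecated `--production`.
      - name: Run npm audit (silent)
        id: npm_audit
        run: |
          set +e
          npm audit --audit-level=high --omit=dev --json > npm-audit-report.json 2> npm-audit-stderr.log
          audit_status=$?
          set -e
          echo "status=${audit_status}" >> "$GITHUB_OUTPUT"

      # NOTE(review): npm audit output is not uploaded anywhere, so the
      # Security-tab reference in the summary text is not backed by an upload.
      - name: Generate summary (no details)
        if: always()
        run: |
          echo "## Frontend Dependency Check Summary" > summary.md
          echo "Scan completed: $(date)" >> summary.md
          if [ -f "npm-audit-report.json" ]; then
            echo "Audit report generated" >> summary.md
          fi
          echo "" >> summary.md
          echo "⚠️ 详细报告仅管理员可在GitHub Security标签页查看" >> summary.md

      # Path includes the working-directory prefix because `uses:` steps
      # resolve from the workspace root.
      - name: Upload summary only
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: frontend-dependency-summary
          path: src/frontend/summary.md
          retention-days: 3

      # npm audit exits non-zero when vulnerabilities at or above
      # --audit-level are present; surface that as a job failure.
      - name: Check for high severity vulnerabilities
        if: steps.npm_audit.outputs.status != '0'
        run: |
          echo "❌ High severity npm vulnerabilities found (audit-level=high)"
          echo "Details are not published by this workflow; run npm audit locally to review them"
          exit 1

  # =====================================================
  # 4. Secret leak scan (Gitleaks) - findings go to the Security tab
  # =====================================================
  secret-scan:
    name: Secret Scanning (Admin Only)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read  # presumably used by the action to list PR commits on pull_request events — confirm
      security-events: write  # SARIF upload to the Security tab
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so leaks in earlier commits are found

      # gitleaks-action v2 is configured through environment variables. The
      # `with:` inputs used before (config-path, no-git, verbose, exit-code)
      # are not declared by v2 and were ignored, so the custom config in
      # .github/gitleaks.toml was never applied.
      # GITLEAKS_LICENSE (from a repository secret) is required when the
      # repository is organization-owned.
      - name: Run Gitleaks (silent)
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_CONFIG: .github/gitleaks.toml
          GITLEAKS_ENABLE_UPLOAD_SARIF: "true"
          # Do not echo finding locations back into pull-request comments.
          GITLEAKS_ENABLE_COMMENTS: "false"

      - name: Secret scan result
        if: failure()
        run: |
          echo "❌ 发现密钥泄露"
          echo "详细信息仅管理员可见(GitHub Security标签页)"
          exit 1

  # =====================================================
  # 5. Scan summary (status only, no finding details)
  # =====================================================
  security-summary:
    name: Security Scan Summary (Admin Only)
    runs-on: ubuntu-latest
    needs: [codeql-analysis, backend-dependency-check, frontend-dependency-check, secret-scan]
    if: always()
    steps:
      # The step summary is part of the run page and is visible to anyone who
      # can view the run; keep it to job statuses. needs.*.result values come
      # from a fixed set, so interpolating them into the script is safe.
      - name: Generate admin-only summary
        run: |
          echo "## 🔒 安全扫描结果汇总(仅管理员可见详细信息)" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "⚠️ **重要**:详细安全报告仅仓库管理员可以在GitHub Security标签页查看" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "| 扫描类型 | 状态 |" >> $GITHUB_STEP_SUMMARY
          echo "|---------|------|" >> $GITHUB_STEP_SUMMARY
          echo "| CodeQL 代码扫描 | ${{ needs.codeql-analysis.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "| 后端依赖扫描 | ${{ needs.backend-dependency-check.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "| 前端依赖扫描 | ${{ needs.frontend-dependency-check.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "| 密钥泄露扫描 | ${{ needs.secret-scan.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "📊 查看详细报告:" >> $GITHUB_STEP_SUMMARY
          echo "- GitHub Security标签页(仅管理员)" >> $GITHUB_STEP_SUMMARY
          echo "- 联系仓库管理员获取详细报告" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "💡 提示:只有仓库管理员可以访问详细的安全扫描报告" >> $GITHUB_STEP_SUMMARY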