diff --git a/.github/workflows/_DEPRECATED/enhanced-release.yml b/.github/workflows/_DEPRECATED/enhanced-release.yml deleted file mode 100644 index 0003286..0000000 --- a/.github/workflows/_DEPRECATED/enhanced-release.yml +++ /dev/null 
@@ -1,218 +0,0 @@ -name: Enhanced Release Management - -# Immutable release practices -permissions: - contents: write - packages: read - -on: - push: - tags: - - 'v*.*.*' - workflow_dispatch: - inputs: - tag: - description: 'Tag to create enhanced release for' - required: true - type: string - -concurrency: - group: enhanced-release-${{ github.ref || github.event.inputs.tag }} - cancel-in-progress: true - -env: - CARGO_TERM_COLOR: always - -jobs: - enhance-release: - name: Enhance Release Description - runs-on: ubuntu-latest - permissions: - contents: write - steps: - - name: Checkout code - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 - with: - fetch-depth: 0 - - - name: Determine tag - id: tag - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - echo "tag=${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT - else - echo "tag=${{ github.ref_name }}" >> $GITHUB_OUTPUT - fi - - - name: Extract version info - id: version - run: | - TAG="${{ steps.tag.outputs.tag }}" - VERSION=${TAG#v} - echo "version=$VERSION" >> $GITHUB_OUTPUT - - # Determine release type - if [[ "$VERSION" == *"-alpha"* ]]; then - echo "type=alpha" >> $GITHUB_OUTPUT - echo "emoji=⚠️" >> $GITHUB_OUTPUT - elif [[ "$VERSION" == *"-beta"* ]]; then - echo "type=beta" >> $GITHUB_OUTPUT - echo "emoji=🚧" >> $GITHUB_OUTPUT - elif [[ "$VERSION" == *"-"* ]]; then - echo "type=prerelease" >> $GITHUB_OUTPUT - echo "emoji=🔬" >> $GITHUB_OUTPUT - elif [[ "$VERSION" == "0.1.0" ]]; then - echo "type=initial" >> $GITHUB_OUTPUT - echo "emoji=🎉" >> $GITHUB_OUTPUT - else - echo "type=stable" >> $GITHUB_OUTPUT - echo "emoji=" >> $GITHUB_OUTPUT - fi - - - name: Generate enhanced release notes - id: notes - run: | - TAG="${{ steps.tag.outputs.tag }}" - VERSION="${{ steps.version.outputs.version }}" - TYPE="${{ steps.version.outputs.type }}" - EMOJI="${{ steps.version.outputs.emoji }}" - - # Get existing release notes from release-please or git-cliff - EXISTING_NOTES="" - if gh release 
view "$TAG" --json body --jq .body >/dev/null 2>&1; then - EXISTING_NOTES=$(gh release view "$TAG" --json body --jq .body) - fi - - # Parse existing notes to extract sections - ADDED_SECTION="" - FIXED_SECTION="" - CHANGED_SECTION="" - PERFORMANCE_SECTION="" - DOCS_SECTION="" - MAINTENANCE_SECTION="" - - # Extract sections from existing notes (simplified parsing) - if [ -n "$EXISTING_NOTES" ]; then - # Look for common patterns in release-please generated notes - ADDED_SECTION=$(echo "$EXISTING_NOTES" | grep -A 10 -i "### .*[Aa]dded\|### .*[Ff]eatures\|### .*[Nn]ew" | grep "^- " || echo "") - FIXED_SECTION=$(echo "$EXISTING_NOTES" | grep -A 10 -i "### .*[Ff]ixed\|### .*[Bb]ug" | grep "^- " || echo "") - CHANGED_SECTION=$(echo "$EXISTING_NOTES" | grep -A 10 -i "### .*[Cc]hanged\|### .*[Mm]odified" | grep "^- " || echo "") - fi - - # Create enhanced release notes - cat > enhanced_notes.md << 'EOF' - ## Code Guardian v$VERSION $EMOJI - - EOF - - # Add type-specific sections - if [ "$TYPE" = "initial" ]; then - cat >> enhanced_notes.md << 'EOF' - ### 🚀 Initial Release - Welcome to Code Guardian - A powerful Rust-based code analysis and security scanning tool! - - ### ✨ Features - - Comprehensive code scanning and analysis capabilities - - Security vulnerability detection - - Modular architecture with multiple crates (CLI, Core, Output, Storage) - - Multiple output formats (JSON, HTML, Markdown, CSV, Text) - - High-performance scanning engine - - Extensible detector system - - ### 🛠️ Architecture - - **CLI**: Command-line interface for user interaction - - **Core**: Main scanning engine and detection logic - - **Output**: Multiple formatter support for results - - **Storage**: Data persistence and caching - - EOF - elif [ "$TYPE" = "alpha" ] || [ "$TYPE" = "beta" ] || [ "$TYPE" = "prerelease" ]; then - cat >> enhanced_notes.md << 'EOF' - ### ⚠️ Note - This is a $TYPE release for testing new features and improvements. Please report any issues you encounter. 
- -EOF - fi - - # Add content sections based on what we found - if [ -n "$ADDED_SECTION" ]; then - echo "### ✨ Added" >> enhanced_notes.md - echo "$ADDED_SECTION" >> enhanced_notes.md - echo "" >> enhanced_notes.md - fi - - if [ -n "$FIXED_SECTION" ]; then - echo "### 🐛 Fixed" >> enhanced_notes.md - echo "$FIXED_SECTION" >> enhanced_notes.md - echo "" >> enhanced_notes.md - fi - - if [ -n "$CHANGED_SECTION" ]; then - echo "### 🔄 Changed" >> enhanced_notes.md - echo "$CHANGED_SECTION" >> enhanced_notes.md - echo "" >> enhanced_notes.md - fi - - # Add standard sections - cat >> enhanced_notes.md << 'EOF' - ### 📦 Assets - - Pre-built binaries for Linux (x86_64), macOS (Intel & Apple Silicon), and Windows - - Full source code archives - - ### 🚀 Installation - \`\`\`bash - # Download and extract the appropriate binary for your platform - # Or install from source: - cargo install --git https://github.com/d-oit/code-guardian - \`\`\` - - ### 🔗 Links - - [Installation Guide](https://github.com/d-oit/code-guardian#installation) - - [Documentation](https://github.com/d-oit/code-guardian/tree/main/docs) - - [Changelog](https://github.com/d-oit/code-guardian/blob/main/CHANGELOG.md) - EOF - - # Add celebration for initial release - if [ "$TYPE" = "initial" ]; then - echo "" >> enhanced_notes.md - echo "Thank you for trying Code Guardian! 🛡️" >> enhanced_notes.md - fi - - # Store the notes for the next step - echo "ENHANCED_NOTES<> $GITHUB_ENV - cat enhanced_notes.md >> $GITHUB_ENV - echo "EOF" >> $GITHUB_ENV - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Update release description - run: | - TAG="${{ steps.tag.outputs.tag }}" - - # Check if release exists - if gh release view "$TAG" >/dev/null 2>&1; then - echo "Updating existing release $TAG..." - gh release edit "$TAG" --notes "$ENHANCED_NOTES" - else - echo "Release $TAG not found. Creating new release..." 
- # Determine if it's a prerelease - if [[ "${{ steps.version.outputs.type }}" == "alpha" ]] || [[ "${{ steps.version.outputs.type }}" == "beta" ]] || [[ "${{ steps.version.outputs.type }}" == "prerelease" ]]; then - gh release create "$TAG" --title "Code Guardian $TAG" --notes "$ENHANCED_NOTES" --prerelease - else - gh release create "$TAG" --title "Code Guardian $TAG" --notes "$ENHANCED_NOTES" - fi - fi - - echo "✅ Release description enhanced successfully!" - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - trigger-build: - name: Trigger Release Build - needs: enhance-release - runs-on: ubuntu-latest - if: github.event_name == 'push' - steps: - - name: Trigger release build workflow - run: | - echo "Release description enhanced. Release build workflow should be triggered by the tag push." \ No newline at end of file diff --git a/.github/workflows/_DEPRECATED/release.yml b/.github/workflows/_DEPRECATED/release.yml deleted file mode 100644 index b1ed823..0000000 --- a/.github/workflows/_DEPRECATED/release.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -name: Release Build - -# Least privilege permissions for immutable releases -permissions: - contents: write - packages: read - -on: - push: - tags: - - 'v*.*.*' - -# Immutable release practices -concurrency: - group: release-${{ github.ref }} - cancel-in-progress: false # Prevent release cancellation - -env: - CARGO_TERM_COLOR: always - -jobs: - create-release: - name: Create Release - runs-on: ubuntu-latest - permissions: - contents: write - steps: - - name: Checkout code - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 - with: - fetch-depth: 0 - - - name: Install git-cliff - run: cargo install git-cliff - - - name: Generate release notes - run: | - git cliff --tag ${{ github.ref_name }} --strip header > release_notes.md - CHANGELOG_CONTENT=$(cat release_notes.md) - # If no content found, use a default message - if [ -z "$CHANGELOG_CONTENT" ]; then - CHANGELOG_CONTENT="Release ${{ github.ref_name }}" - fi - echo "CHANGELOG_CONTENT<> $GITHUB_ENV - echo "$CHANGELOG_CONTENT" >> $GITHUB_ENV - echo "EOF" >> $GITHUB_ENV - - - name: Create Release - run: | - # Check if release already exists - if gh release view "${{ github.ref_name }}" >/dev/null 2>&1; then - echo "Release ${{ github.ref_name }} already exists, updating description..." - gh release edit "${{ github.ref_name }}" --notes "$CHANGELOG_CONTENT" - else - echo "Creating new release ${{ github.ref_name }}..." 
- if [[ "${{ github.ref_name }}" == *"-"* ]]; then - gh release create ${{ github.ref_name }} \ - --title "Release ${{ github.ref_name }}" \ - --notes "$CHANGELOG_CONTENT" \ - --prerelease - else - gh release create ${{ github.ref_name }} \ - --title "Release ${{ github.ref_name }}" \ - --notes "$CHANGELOG_CONTENT" - fi - fi - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - build-release: - name: Build Release - needs: create-release - runs-on: ${{ matrix.os }} - permissions: - contents: write - strategy: - matrix: - include: - - os: ubuntu-latest - target: x86_64-unknown-linux-gnu - suffix: "" - - os: windows-latest - target: x86_64-pc-windows-msvc - suffix: ".exe" - - os: macos-latest - target: x86_64-apple-darwin - suffix: "" - - os: macos-latest - target: aarch64-apple-darwin - suffix: "" - - steps: - - name: Checkout code - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 - - - name: Install Rust - uses: dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 - with: - targets: ${{ matrix.target }} - - - name: Cache cargo registry - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 - with: - path: | - ~/.cargo/registry - ~/.cargo/git - target - key: ${{ runner.os }}-cargo-release-${{ hashFiles('**/Cargo.lock') }} - - - name: Build release binary - run: cargo build --release --target ${{ matrix.target }} - - - name: Create and upload archive - shell: bash - run: | - binary_name="code_guardian_cli${{ matrix.suffix }}" - if [ "${{ matrix.os }}" = "windows-latest" ]; then - archive_name="code-guardian-${{ matrix.target }}.zip" - cp "target/${{ matrix.target }}/release/${binary_name}" . - 7z a "${archive_name}" "${binary_name}" README.md - else - archive_name="code-guardian-${{ matrix.target }}.tar.gz" - cp "target/${{ matrix.target }}/release/${binary_name}" . 
- tar czf "${archive_name}" "${binary_name}" README.md - fi - gh release upload ${{ github.ref_name }} "./${archive_name}" - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/_DEPRECATED/security-config.yml b/.github/workflows/_DEPRECATED/security-config.yml deleted file mode 100644 index 0dede8b..0000000 --- a/.github/workflows/_DEPRECATED/security-config.yml +++ /dev/null 
@@ -1,201 +0,0 @@ -name: Security Checks - -on: - push: - branches: [main, develop] - pull_request: - branches: [main] - schedule: - - cron: '0 0 * * 0' # Weekly on Sunday - workflow_dispatch: - -permissions: - contents: read - security-events: write - packages: read - -jobs: - vulnerability-scan: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 - with: - fetch-depth: 0 - - - name: Set up Rust - uses: dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 - - - name: Cache Cargo - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c - with: - path: | - ~/.cargo/registry - ~/.cargo/git - target - key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} - restore-keys: | - ${{ runner.os }}-cargo- - - - name: Run cargo-audit - uses: actions-rs/cargo-audit@v1 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - - name: Run cargo-deny - uses: EmbarkStudios/cargo-deny-action@ef301417264190a1eb9f26fcf171642070085c5b - with: - command: check bans licenses sources - - - name: Run gitleaks - uses: gitleaks/gitleaks-action@dcedce43c6f43de0b836d1fe38946645c9c638dc - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Run trufflehog - uses: trufflesecurity/trufflehog@ad6fc8fb446b8fafbf7ea8193d2d6bfd42f45690 - with: - path: ./ - base: main - head: HEAD - extra_args: --debug --only-verified - - code-security: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 - - - name: Set up Rust - uses: dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 - - - name: Cache Cargo - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c - with: - path: | - ~/.cargo/registry - ~/.cargo/git - target - key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} - restore-keys: | - ${{ runner.os }}-cargo- - - - name: Run clippy security checks - run: cargo clippy -- -W clippy::suspicious -W 
clippy::correctness -D clippy::unwrap_used -D clippy::expect_used -A clippy::wildcard_imports -A clippy::unused_async -A clippy::missing_errors_doc - - - name: Check for unsafe code - run: | - unsafe_count=$(cargo clippy --message-format=json | jq -r '.message.spans[] | select(.text[]?.text | contains("unsafe")) | .text[]?.text' | wc -l) - if [ "$unsafe_count" -gt 0 ]; then - echo "Unsafe code found: $unsafe_count blocks" - exit 1 - fi - - dependency-security: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 - - - name: Set up Rust - uses: dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 - - - name: Cache Cargo - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c - with: - path: | - ~/.cargo/registry - ~/.cargo/git - target - key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} - restore-keys: | - ${{ runner.os }}-cargo- - - - name: Check license compliance - run: cargo deny check licenses - - - name: Check outdated dependencies - run: cargo outdated --exit-code 1 - - - name: Generate SBOM - run: cargo cyclonedx --format json --output sbom.json - - - name: Upload SBOM - uses: actions/upload-artifact@v4 - with: - name: sbom - path: sbom.json - - report-and-incident: - runs-on: ubuntu-latest - needs: [vulnerability-scan, code-security, dependency-security] - if: always() - steps: - - name: Checkout code - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 - - - name: Download SBOM - uses: actions/download-artifact@v4 - with: - name: sbom - - - name: Generate security report - run: | - echo "# Security Report" > security-report.md - echo "## Vulnerability Scan" >> security-report.md - echo "Status: ${{ needs.vulnerability-scan.result }}" >> security-report.md - echo "## Code Security" >> security-report.md - echo "Status: ${{ needs.code-security.result }}" >> security-report.md - echo "## Dependency Security" >> security-report.md - echo "Status: 
${{ needs.dependency-security.result }}" >> security-report.md - echo "## Thresholds" >> security-report.md - echo "- Critical vulnerabilities: 0" >> security-report.md - echo "- High vulnerabilities: 0" >> security-report.md - echo "- Medium vulnerabilities: 5" >> security-report.md - echo "- Low vulnerabilities: 10" >> security-report.md - echo "- Minimum coverage: 82%" >> security-report.md - echo "- Clippy warnings: 0" >> security-report.md - echo "- Unsafe blocks: 0" >> security-report.md - - - name: Upload security report - uses: actions/upload-artifact@v4 - with: - name: security-report - path: security-report.md - - - name: Check thresholds and create issue if failed - if: failure() - uses: actions/github-script@00f12e3e20659f42342b1c0226afda7f7c042325 - with: - script: | - const title = 'Security Check Failed'; - const body = `## Security Incident - - One or more security checks have failed. Please review the details: - - - Vulnerability Scan: ${{ needs.vulnerability-scan.result }} - - Code Security: ${{ needs.code-security.result }} - - Dependency Security: ${{ needs.dependency-security.result }} - - ### Thresholds Exceeded - - Critical vulnerabilities: 0 allowed - - High vulnerabilities: 0 allowed - - Medium vulnerabilities: 5 allowed - - Low vulnerabilities: 10 allowed - - Minimum test coverage: 82% - - Clippy warnings: 0 allowed - - Unsafe code blocks: 0 allowed - - ### Next Steps - 1. Review the security report artifact - 2. Address the identified issues - 3. Re-run the security checks - - This issue was auto-generated by the security workflow.`; - github.rest.issues.create({ - owner: context.repo.owner, - repo: context.repo.repo, - title: title, - body: body, - labels: ['security', 'incident'] - }); \ No newline at end of file diff --git a/.github/workflows/_DEPRECATED/security-enhancements.yml b/.github/workflows/_DEPRECATED/security-enhancements.yml deleted file mode 100644 index ef3233e..0000000 
--- a/.github/workflows/_DEPRECATED/security-enhancements.yml +++ /dev/null 
@@ -1,277 +0,0 @@ -name: Security Enhancements & Vulnerability Detection - -# Least privilege permissions focused on security -permissions: - contents: read - security-events: write - packages: read - actions: read - -on: - schedule: - - cron: '0 4 * * 0' # Weekly Sunday at 4 AM UTC - workflow_dispatch: - pull_request: - branches: [ main, develop ] - -concurrency: - group: security-enhancements-${{ github.ref }} - cancel-in-progress: false - -env: - CARGO_TERM_COLOR: always - RUST_BACKTRACE: 1 - -jobs: - # Comprehensive vulnerability scanning - vulnerability-scan: - name: Vulnerability Scan - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 - with: - fetch-depth: 0 - - - name: Install Rust - uses: dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 - - - name: Install cargo-audit with vulnerability database - run: | - cargo install cargo-audit - cargo audit --db ~/.cargo/advisory-db - - - name: Run comprehensive vulnerability scan - run: | - echo "## 🔍 Vulnerability Scan Results" >> $GITHUB_STEP_SUMMARY - cargo audit --format markdown >> $GITHUB_STEP_SUMMARY || echo "Vulnerabilities found - check details above" >> $GITHUB_STEP_SUMMARY - - - name: Check for critical vulnerabilities - id: critical-vuln - run: | - if cargo audit --quiet --deny-warnings; then - echo "No critical vulnerabilities found" - echo "critical_vuln=false" >> $GITHUB_OUTPUT - else - echo "Critical vulnerabilities detected!" 
- echo "critical_vuln=true" >> $GITHUB_OUTPUT - fi - - - name: Upload SARIF report for GitHub Security tab - uses: github/codeql-action/upload-sarif@49144ccc36107322759661d92550d909ddb03d9e - if: always() - with: - sarif_file: audit-results.json - - # Dependency security analysis - dependency-security: - name: Dependency Security Analysis - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 - - - name: Install Rust - uses: dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 - - - name: Install cargo-deny - uses: taiki-e/install-action@fa0639a7132933c4081764bded317e92c04e5c07 - with: - tool: cargo-deny - - - name: Run comprehensive cargo-deny checks - run: | - echo "## 📦 Dependency Security Analysis" >> $GITHUB_STEP_SUMMARY - cargo deny check advisories --format json | tee deny-advisories.json - cargo deny check licenses --format json | tee deny-licenses.json - cargo deny check bans --format json | tee deny-bans.json - cargo deny check sources --format json | tee deny-sources.json - - - name: Check for problematic dependencies - id: dependency-check - run: | - # Check for GPL licenses and other problematic dependencies - if cargo deny check licenses > /dev/null 2>&1; then - echo "License compliance check passed" - echo "license_issues=false" >> $GITHUB_OUTPUT - else - echo "License compliance issues detected" - echo "license_issues=true" >> $GITHUB_OUTPUT - fi - - # Secrets detection and prevention - secrets-detection: - name: Secrets Detection - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 - with: - fetch-depth: 0 - - - name: Gitleaks scan - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: TruffleHog scan - uses: trufflesecurity/trufflehog@ad6fc8fb446b8fafbf7ea8193d2d6bfd42f45690 - with: - path: ./ - base: main - head: HEAD - extra_args: --debug --only-verified - - - 
name: Detect hardcoded secrets patterns - run: | - echo "## 🔐 Secrets Detection Results" >> $GITHUB_STEP_SUMMARY - # Check for common patterns - patterns="password|secret|key|token|auth" - if grep -r -i "$patterns" --include="*.rs" --include="*.toml" --include="*.json" --include="*.yaml" --include="*.yml" . | grep -v "test" | grep -v "example" | head -10; then - echo "Potential secrets patterns detected:" >> $GITHUB_STEP_SUMMARY - grep -r -i "$patterns" --include="*.rs" --include="*.toml" --include="*.json" --include="*.yaml" --include="*.yml" . | grep -v "test" | grep -v "example" | head -10 >> $GITHUB_STEP_SUMMARY - else - echo "No hardcoded secrets patterns detected" >> $GITHUB_STEP_SUMMARY - fi - - # Code security scanning - code-security: - name: Code Security Analysis - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 - - - name: Install Rust - uses: dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 - with: - components: clippy - - - name: Run security-focused clippy - run: | - echo "## 🔒 Security Clippy Analysis" >> $GITHUB_STEP_SUMMARY - cargo clippy --all-targets --all-features -- \ - -W clippy::pedantic \ - -W clippy::nursery \ - -W clippy::suspicious \ - -W clippy::correctness \ - -D clippy::unwrap_used \ - -D clippy::expect_used \ - -D clippy::panic \ - -D clippy::unimplemented \ - -D clippy::todo \ - -D clippy::missing_safety_doc \ - -D clippy::missing_panics_doc - - - name: Check for unsafe code usage - run: | - echo "## 🚨 Unsafe Code Analysis" >> $GITHUB_STEP_SUMMARY - unsafe_count=$(grep -r "unsafe" --include="*.rs" . | wc -l) - echo "Unsafe code blocks found: $unsafe_count" >> $GITHUB_STEP_SUMMARY - if [ "$unsafe_count" -gt 0 ]; then - grep -r "unsafe" --include="*.rs" . 
| head -5 >> $GITHUB_STEP_SUMMARY - fi - - # SBOM generation and analysis - sbom-generation: - name: Software Bill of Materials - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 - - - name: Install Rust - uses: dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 - - - name: Install cargo-license - run: cargo install cargo-license - - - name: Generate SBOM - run: | - echo "## 📋 Software Bill of Materials (SBOM)" >> $GITHUB_STEP_SUMMARY - cargo license --json > sbom.json - cargo license --tsv > sbom.tsv - echo "SBOM generated successfully" >> $GITHUB_STEP_SUMMARY - - - name: Upload SBOM artifacts - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 - with: - name: sbom-reports - path: | - sbom.json - sbom.tsv - - # Security summary and reporting - security-summary: - name: Security Summary - runs-on: ubuntu-latest - needs: [vulnerability-scan, dependency-security, secrets-detection, code-security, sbom-generation] - if: always() - steps: - - name: Security Summary Report - run: | - echo "## 🛡️ Comprehensive Security Summary" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - - # Collect results from all security jobs - results=("vulnerability-scan" "dependency-security" "secrets-detection" "code-security" "sbom-generation") - critical_failures=0 - warnings=0 - - for check in "${results[@]}"; do - result="${{ needs.$check.result }}" - if [[ "$result" == "success" ]]; then - echo "✅ $check: PASSED" >> $GITHUB_STEP_SUMMARY - elif [[ "$result" == "skipped" ]]; then - echo "⏭️ $check: SKIPPED" >> $GITHUB_STEP_SUMMARY - else - echo "❌ $check: FAILED" >> $GITHUB_STEP_SUMMARY - critical_failures=$((critical_failures + 1)) - fi - done - - echo "" >> $GITHUB_STEP_SUMMARY - if [[ "$critical_failures" -eq 0 ]]; then - echo "### ✅ All Security Checks Passed" >> $GITHUB_STEP_SUMMARY - echo "No critical security issues detected" >> $GITHUB_STEP_SUMMARY - else - echo "### ❌ Security Issues 
Require Attention" >> $GITHUB_STEP_SUMMARY - echo "$critical_failures critical security issue(s) detected" >> $GITHUB_STEP_SUMMARY - fi - - echo "" >> $GITHUB_STEP_SUMMARY - echo "### 🔧 Security Recommendations" >> $GITHUB_STEP_SUMMARY - echo "- Regularly update dependencies to address known vulnerabilities" >> $GITHUB_STEP_SUMMARY - echo "- Review license compliance for third-party dependencies" >> $GITHUB_STEP_SUMMARY - echo "- Avoid using unwrap/expect in production code" >> $GITHUB_STEP_SUMMARY - echo "- Use secret scanning to prevent credential leaks" >> $GITHUB_STEP_SUMMARY - echo "- Monitor cargo-audit for new security advisories" >> $GITHUB_STEP_SUMMARY - echo "- Generate and review SBOM regularly" >> $GITHUB_STEP_SUMMARY - - - name: Create security issue if critical failures - if: failure() - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b - with: - script: | - const issueTitle = `Security Scan Detected Critical Issues - ${new Date().toISOString().split('T')[0]}`; - const issueBody = ` - ## 🚨 Critical Security Issues Detected - - Our automated security scan has detected critical security issues that require immediate attention. - - ### Failed Security Checks: - ${process.env.GITHUB_JOB} - - Please review the security scan results and address the identified vulnerabilities. - - ### Next Steps: - 1. Review the security scan report - 2. Address critical vulnerabilities immediately - 3. Update dependencies as needed - 4. Re-run security scans after fixes - - **Note:** This issue was automatically generated by the security enhancement workflow. - `; - - await github.rest.issues.create({ - owner: context.repo.owner, - repo: context.repo.repo, - title: issueTitle, - body: issueBody, - labels: ['security', 'critical', 'automated'] - }); \ No newline at end of file diff --git a/.github/workflows/_DEPRECATED/security.yml b/.github/workflows/_DEPRECATED/security.yml deleted file mode 100644 index 2b8b423..0000000 
--- a/.github/workflows/_DEPRECATED/security.yml +++ /dev/null 
@@ -1,283 +0,0 @@ -name: Security & Compliance - -# Least privilege permissions for security scanning -permissions: - contents: read - security-events: write - actions: read - packages: read - -on: - push: - branches: [ main, develop ] - pull_request: - branches: [ main ] - schedule: - - cron: '0 2 * * 0' # Weekly on Sunday at 2 AM UTC - workflow_dispatch: - -concurrency: - group: security-${{ github.ref }} - cancel-in-progress: true - -env: - CARGO_TERM_COLOR: always - SCCACHE_GHA_ENABLED: "false" - # RUSTC_WRAPPER: "sccache" # Disabled due to service unavailability - -jobs: - security-audit: - name: Security Audit - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 - - # sccache temporarily disabled due to service unavailability - # - name: Install sccache - # uses: mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd - - - name: Install Rust - uses: dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 - - - name: Install cargo-audit - uses: taiki-e/install-action@fa0639a7132933c4081764bded317e92c04e5c07 - with: - tool: cargo-audit - - - name: Run security audit - run: cargo audit --format json | tee audit-results.json - - - name: Install cargo-deny - uses: taiki-e/install-action@fa0639a7132933c4081764bded317e92c04e5c07 - with: - tool: cargo-deny - - - name: Run cargo-deny checks - run: | - cargo deny check --format json | tee deny-results.json || echo "cargo-deny found issues" - cargo deny check advisories - cargo deny check licenses - cargo deny check bans - cargo deny check sources - - - name: Upload security reports - uses: actions/upload-artifact@v4 - with: - name: security-audit-reports - path: | - audit-results.json - deny-results.json - - vulnerability-scan: - name: Vulnerability Scan - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 - - # sccache temporarily disabled due to service unavailability - # - name: Install sccache 
- # uses: mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd - - - name: Install Rust - uses: dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 - - - name: Install cargo-audit - uses: taiki-e/install-action@fa0639a7132933c4081764bded317e92c04e5c07 - with: - tool: cargo-audit - - - name: Run comprehensive vulnerability scan - run: | - echo "## 🔍 Vulnerability Scan Results" >> $GITHUB_STEP_SUMMARY - cargo audit --format markdown >> $GITHUB_STEP_SUMMARY || echo "Vulnerabilities found - check details above" >> $GITHUB_STEP_SUMMARY - - dependency-analysis: - name: Dependency Analysis - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 - - # sccache temporarily disabled due to service unavailability - # - name: Install sccache - # uses: mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd - - - name: Install Rust - uses: dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 - - - name: Install cargo-outdated - run: cargo install cargo-outdated - - - name: Check for outdated dependencies - run: | - echo "## 📦 Dependency Status" >> $GITHUB_STEP_SUMMARY - cargo outdated --format json | tee outdated.json || echo "Some dependencies are outdated" >> $GITHUB_STEP_SUMMARY - - - name: Install cargo-udeps - run: cargo install cargo-udeps - - - name: Check for unused dependencies - run: | - echo "## 🗑️ Unused Dependencies" >> $GITHUB_STEP_SUMMARY - cargo +nightly udeps --workspace --output json | tee udeps-results.json || echo "Unused dependencies check completed" >> $GITHUB_STEP_SUMMARY - - - name: Upload dependency reports - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 - with: - name: dependency-reports - path: | - outdated.json - udeps-results.json - - license-compliance: - name: License Compliance - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 - - # sccache temporarily disabled due to 
service unavailability - # - name: Install sccache - # uses: mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd - - - name: Install Rust - uses: dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 - - - name: Install cargo-license - run: cargo install cargo-license - - - name: Check licenses - run: | - cargo license --json > licenses.json - cargo license --tsv > licenses.tsv - - - name: License compliance check - run: | - echo "## 📄 License Compliance Report" >> $GITHUB_STEP_SUMMARY - echo "| Package | License | Version |" >> $GITHUB_STEP_SUMMARY - echo "|---------|---------|---------|" >> $GITHUB_STEP_SUMMARY - tail -n +2 licenses.tsv | while IFS=$'\t' read -r package license version; do - echo "| $package | $license | $version |" >> $GITHUB_STEP_SUMMARY - done - - - name: Check for GPL licenses - run: | - if grep -q "GPL" licenses.tsv; then - echo "::warning::GPL licensed dependencies found - review for compliance" - echo "GPL dependencies detected:" >> $GITHUB_STEP_SUMMARY - grep "GPL" licenses.tsv >> $GITHUB_STEP_SUMMARY - fi - - - name: Upload license reports - uses: actions/upload-artifact@v4 - with: - name: license-reports - path: | - licenses.json - licenses.tsv - - code-security-scan: - name: Code Security Scan - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 - - # sccache temporarily disabled due to service unavailability - # - name: Install sccache - # uses: mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd - - - name: Install Rust - uses: dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 - with: - components: clippy - - - name: Run security-focused clippy - run: | - echo "## 🔒 Security Clippy Results" >> $GITHUB_STEP_SUMMARY - cargo clippy --all-targets --all-features -- \ - -W clippy::suspicious \ - -W clippy::correctness \ - -D clippy::unwrap_used \ - -D clippy::expect_used \ - -D clippy::panic \ - -D clippy::unimplemented \ - -D 
clippy::todo \ - -A clippy::unused_async \ - -A clippy::missing_errors_doc \ - -A clippy::unnecessary_wraps \ - -A clippy::wildcard_imports \ - -A clippy::unused_self \ - 2>&1 | tee clippy-security.log || echo "Security clippy completed with warnings" >> $GITHUB_STEP_SUMMARY - - - name: Check for security issues - run: | - if grep -q "error\|warning" clippy-security.log; then - echo "::warning::Security-related code issues found" - echo "Security issues detected in code:" >> $GITHUB_STEP_SUMMARY - grep -E "(error|warning)" clippy-security.log >> $GITHUB_STEP_SUMMARY - fi - - - name: Upload security scan results - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 - with: - name: code-security-reports - path: clippy-security.log - - secrets-scan: - name: Secrets Detection - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 - - - name: Scan for secrets - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: TruffleHog scan - uses: trufflesecurity/trufflehog@ad6fc8fb446b8fafbf7ea8193d2d6bfd42f45690 - with: - path: ./ - base: main - head: HEAD - extra_args: --debug --only-verified - - security-summary: - name: Security Summary - runs-on: ubuntu-latest - needs: [security-audit, vulnerability-scan, dependency-analysis, license-compliance, code-security-scan, secrets-scan] - if: always() - steps: - - name: Security Summary Report - run: | - echo "## 🛡️ Security & Compliance Summary" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - - results=("security-audit" "vulnerability-scan" "dependency-analysis" "license-compliance" "code-security-scan" "secrets-scan") - all_passed=true - - for check in "${results[@]}"; do - result="${{ needs.$check.result }}" - if [[ "$result" == "success" ]]; then - echo "✅ $check: PASSED" >> $GITHUB_STEP_SUMMARY - elif [[ "$result" == "skipped" ]]; then - echo "⏭️ $check: SKIPPED" >> 
$GITHUB_STEP_SUMMARY - else - echo "❌ $check: FAILED" >> $GITHUB_STEP_SUMMARY - all_passed=false - fi - done - - echo "" >> $GITHUB_STEP_SUMMARY - if [[ "$all_passed" == true ]]; then - echo "### ✅ All Security Checks Passed" >> $GITHUB_STEP_SUMMARY - else - echo "### ❌ Security Issues Detected" >> $GITHUB_STEP_SUMMARY - echo "Please review the individual job results and address any security concerns." >> $GITHUB_STEP_SUMMARY - fi - - echo "" >> $GITHUB_STEP_SUMMARY - echo "### 🔧 Security Recommendations" >> $GITHUB_STEP_SUMMARY - echo "- Regularly update dependencies to address known vulnerabilities" >> $GITHUB_STEP_SUMMARY - echo "- Review license compliance for third-party dependencies" >> $GITHUB_STEP_SUMMARY - echo "- Avoid using unwrap/expect in production code" >> $GITHUB_STEP_SUMMARY - echo "- Use secret scanning to prevent credential leaks" >> $GITHUB_STEP_SUMMARY - echo "- Monitor cargo-audit for new security advisories" >> $GITHUB_STEP_SUMMARY \ No newline at end of file diff --git a/.github/workflows/enhanced-ci.yml b/.github/workflows/enhanced-ci.yml index 8fac0e5..08e8cf1 100644 --- a/.github/workflows/enhanced-ci.yml +++ b/.github/workflows/enhanced-ci.yml @@ -142,7 +142,7 @@ jobs: id: clippy-check run: | echo "🔧 Running clippy..." - if ! cargo clippy --all-targets --all-features -- -W warnings; then + if ! cargo clippy --all-targets --all-features -- -D warnings; then echo "Clippy issues found, attempting fixes..." cargo clippy --all-targets --all-features --fix --allow-dirty echo "clippy_fixed=true" >> $GITHUB_OUTPUT diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index bdf3b39..348fbc4 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml 
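Review bot: Switching to `-D warnings` makes the `if !` branch reachable for the first time — under `-W warnings` clippy never returned non-zero for lints, so the `cargo clippy --fix --allow-dirty` fallback was effectively dead code and its behaviour in this pipeline is untested. The fallback rewrites the checked-out sources on the runner but is not followed (within the hunk) by a re-check under the same strict flags, so a step that auto-fixes some lints and leaves others would still continue with `clippy_fixed=true`. I would add, directly after the fix command, `cargo clippy --all-targets --all-features -- -D warnings` so the step only succeeds when the tree is actually warning-free, and, if a later step commits or pushes the auto-fixed tree, note that this now happens on PR runs as well. The `run: |` block of the `clippy-check` step starts and ends outside the hunk, so whether such a re-check or commit already exists cannot be confirmed from here.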
@@ -46,7 +46,7 @@ jobs:
 sleep 10
 # Trigger the enhanced release workflow
- gh workflow run enhanced-release.yml -f tag="${{ needs.release-please.outputs.tag_name }}"
+ gh workflow run release-consolidated.yml -f tag="${{ needs.release-please.outputs.tag_name }}"
 echo "✅ Enhanced release workflow triggered for ${{ needs.release-please.outputs.tag_name }}"
 env:
diff --git a/.opencode/package.json b/.opencode/package.json
index 63bd9cb..9e20577 100644
--- a/.opencode/package.json
+++ b/.opencode/package.json
@@ -4,7 +4,7 @@
 "description": "OpenCode plugin for Code Guardian, providing linting and testing best practices",
 "type": "module",
 "dependencies": {
- "@opencode-ai/plugin": "0.15.10"
+ "@opencode-ai/plugin": "0.15.11"
 },
 "devDependencies": {
 "@babel/core": "^7.28.4",
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 98bbf52..3a841c3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
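Review bot: The comment `# Trigger the enhanced release workflow` and the message `Enhanced release workflow triggered for ...` still name the old workflow while the command now dispatches `release-consolidated.yml`; update both, e.g. `# Trigger the consolidated release workflow`. The `${{ needs.release-please.outputs.tag_name }}` expression is substituted into the shell script before it runs, so a tag name containing shell metacharacters would be executed rather than passed as data; since the step already has an `env:` block, set `TAG_NAME: ${{ needs.release-please.outputs.tag_name }}` there and use `-f tag="$TAG_NAME"` in the script. The run script begins before this hunk and the `env:` block continues after it.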
@@ -2,62 +2,50 @@ All notable changes to this project will be documented in this file. -## [0.2.0] - 2025-10-21 -### ⚙️ Miscellaneous Tasks +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -- Update release-please manifest to v0.1.9 +## [Unreleased] +## [0.1.9] - 2025-10-21 ### 🚀 Features - Add production-ready CI/CD, documentation, testing, and monitoring features - ## [0.1.8] - 2025-10-21 + ### 🐛 Bug Fixes - Resolve GitHub Actions failures - - Resolve security workflow issues - - Final security workflow fixes - - Final security workflow syntax and artifact issues - - Add gitleaks configuration to handle test data (#21) - - Resolve TruffleHog BASE/HEAD same commit issue (#24) - ### 🚀 Features - Consolidate workflows following GitHub Actions best practices - ## [0.1.7] - 2025-10-18 -### ⚙️ Miscellaneous Tasks - -- Bump version to 0.1.5 for patch release - -- Prepare for v0.1.5 release - -- Bump version to 0.1.5 for patch release - ### 🐛 Bug Fixes - Resolve CI issues for v0.1.7 release - update metrics expect to unwrap, add gitleaks config, fix workflow permissions and syntax - ### 💼 Other -- Add Prometheus metrics support\n\n- Add comprehensive metrics collection for scans, performance, and resources\n- Implement HTTP endpoint for Prometheus scraping\n- Add dependencies: prometheus, axum, async-trait, aho-corasick\n- Bump version to 0.1.6 across all crates +- Add Prometheus metrics support + - Add comprehensive metrics collection for scans, performance, and resources + - Implement HTTP endpoint for Prometheus scraping + - Add dependencies: prometheus, axum, async-trait, aho-corasick + - Bump version to 0.1.6 across all crates - Enhance CI/CD pipelines with sccache, nextest, and incremental builds - Adjust clippy settings to treat warnings as warnings instead of errors for 0.1.7 release - ### 🚀 Features - Add Perplexity AI provider support 
@@ -70,34 +58,26 @@ All notable changes to this project will be documented in this file. - Enhance detector factory and LLM detection capabilities - ### 🚜 Refactor - Update perplexity agents to use frontmatter config with temperature - ## [0.1.6] - 2025-10-16 -### ⚙️ Miscellaneous Tasks - -- Bump version to 0.1.6 for patch release - ## [0.1.4] - 2025-10-16 + ### 🐛 Bug Fixes - Update changelog for v0.1.3 and fix release workflow YAML formatting - ### 💼 Other - Remove temporary GOAP coordination files - ### 📚 Documentation - Update agent documentation with GOAP coordination learnings - ### 🚀 Features - GOAP Phase 1-2 Quality Check Optimization @@ -108,20 +88,18 @@ All notable changes to this project will be documented in this file. - Complete Phase 1 & 2 implementation - Quality checks and comprehensive test coverage -- Complete Phase 1 & 2 implementation - Quality checks and comprehensive test coverage - - Add Phase 3 optimization files and documentation - ## [0.1.3] - 2025-10-12 + ### 🚀 Features - Add monitoring workflow to track recent workflow failures - Complete GitHub workflows and branch protection - ## [0.1.3-test] - 2025-10-10 + ### 🐛 Bug Fixes - Apply cargo fmt formatting @@ -140,12 +118,10 @@ All notable changes to this project will be documented in this file. - Correct indentation in coverage job - ### 📚 Documentation - Optimize ci-agent.md with orchestration workflow and agent handoffs - ### 🚀 Features - Add comprehensive code quality automation @@ -154,14 +130,10 @@ All notable changes to this project will be documented in this file. - Enhance Makefile with comprehensive development targets - ## [0.1.2] - 2025-10-09 -### 💼 Other - -- Bump version to 0.1.2 - ## [0.1.1] - 2025-10-09 + ### 🐛 Bug Fixes - Resolve CI and release workflow issues for v0.1.1-alpha 
@@ -176,29 +148,12 @@ All notable changes to this project will be documented in this file. - Change text formatter to simple text output for cross-platform compatibility - -### 💼 Other - -- Update ci-agent tools and add lib.rs cleanups - -- Bump version to 0.2.0 - -- Bump version to 0.1.1 - -- Bump version to 0.1.1 - -- Bump version to 0.1.1 - - ### 📚 Documentation - Add git integration demo example -- Update CHANGELOG.md - - Add atomic-commit command documentation - ### 🚀 Features - Enhance text formatter test with header assertions and add dev container configuration @@ -211,14 +166,7 @@ All notable changes to this project will be documented in this file. - Add core modules for caching and monitoring - ## [0.1.1-alpha] - 2025-10-07 -### ⚙️ Miscellaneous Tasks - -- Update changelog for v0.1.0 - -- Prepare for release v0.1.1-alpha - ### 🐛 Bug Fixes @@ -226,20 +174,24 @@ All notable changes to this project will be documented in this file. - Add Codecov token to resolve rate limit issue - ### 💼 Other - Update workflow to use GitHub artifacts for coverage instead of external services - ### 📚 Documentation - Enhance release command documentation with branch sync, dry-run, and best practices - ## [0.1.0] - 2025-10-06 + ### 🐛 Bug Fixes - Format code with cargo fmt +### 🚀 Features + +- Add best practice GitHub Ruleset JSON + +- Add monitoring of GitHub Actions to release command +- Update various components, add production handlers, examples, and remove plans file \ No newline at end of file diff --git a/Cargo.lock b/Cargo.lock index f090231..47c18c9 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -400,7 +400,7 @@ checksum = "a1d728cc89cf3aee9ff92b05e62b19ee65a02b5702cff7d5a377e32c6ae29d8d" [[package]] name = "code-guardian-core" -version = "0.1.7" +version = "0.2.0" dependencies = [ "aho-corasick", "anyhow", @@ -438,7 +438,7 @@ dependencies = [ [[package]] name = "code-guardian-output" -version = "0.1.7" +version = "0.2.0" dependencies = [ "anyhow", "chrono", 
@@ -454,7 +454,7 @@ dependencies = [
 [[package]]
 name = "code-guardian-storage"
-version = "0.1.7"
+version = "0.2.0"
 dependencies = [
 "anyhow",
 "chrono",
@@ -470,7 +470,7 @@ dependencies = [
 [[package]]
 name = "code_guardian_cli"
-version = "0.1.8"
+version = "0.2.0"
 dependencies = [
 "anyhow",
 "assert_cmd",