Security Scan #302
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Scan | |
| on: | |
| push: | |
| branches: [main, develop] | |
| pull_request: | |
| branches: [main, develop] | |
| schedule: | |
| # Run daily at 2 AM UTC | |
| - cron: "0 2 * * *" | |
| jobs: | |
| security-audit: | |
| name: Security Audit | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| contents: read | |
| actions: read | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: "18" | |
| cache: "npm" | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Run npm audit | |
| run: npm audit --audit-level high | |
| - name: Run security scan with CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: javascript, typescript | |
| - name: Autobuild | |
| uses: github/codeql-action/autobuild@v3 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: "/language:javascript" | |
| rust-security-audit: | |
| name: Rust Security Audit | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: codex-rs | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Install Rust toolchain | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| toolchain: stable | |
| - name: Cache Cargo registry | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.cargo/registry | |
| key: ${{ runner.os }}-registry-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-registry- | |
| - name: Run cargo-deny | |
| uses: EmbarkStudios/cargo-deny-action@v2 | |
| with: | |
| rust-version: stable | |
| manifest-path: codex-rs/Cargo.toml | |
| - name: Install cargo-audit | |
| uses: taiki-e/install-action@v2 | |
| with: | |
| tool: cargo-audit | |
| - name: Run cargo-audit | |
| run: cargo audit --deny warnings | |
| continue-on-error: false | |
| dependency-check: | |
| name: Dependency Vulnerability Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: "18" | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Run OWASP Dependency Check | |
| uses: dependency-check/Dependency-Check_Action@main | |
| with: | |
| project: "Codex" | |
| path: "." | |
| format: "ALL" | |
| args: > | |
| --enableRetired | |
| --enableExperimental | |
| --nvdValidForHours 24 | |
| - name: Upload dependency check results | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: dependency-check-report | |
| path: reports/ | |
| sandbox-security-test: | |
| name: Sandbox Security Test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: "18" | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Build Codex | |
| run: npm run build | |
| continue-on-error: true | |
| - name: Run sandbox escape tests | |
| run: | | |
| # Create test sandbox | |
| mkdir -p /tmp/sandbox-test | |
| cd /tmp/sandbox-test | |
| # Test 1: File system isolation | |
| echo "Testing file system isolation..." | |
| timeout 30s node -e " | |
| const { execSync } = require('child_process'); | |
| try { | |
| execSync('node ../codex-cli/codex sandbox-test file-access'); | |
| console.log('EFile access test passed'); | |
| } catch (e) { | |
| console.log('EFile access test failed:', e.message); | |
| } | |
| " || true | |
| # Test 2: Network isolation | |
| echo "Testing network isolation..." | |
| timeout 30s node -e " | |
| const { execSync } = require('child_process'); | |
| try { | |
| execSync('node ../codex-cli/codex sandbox-test network-access'); | |
| console.log('ENetwork isolation test passed'); | |
| } catch (e) { | |
| console.log('ENetwork isolation test failed:', e.message); | |
| } | |
| " || true | |
| # Test 3: Process isolation | |
| echo "Testing process isolation..." | |
| timeout 30s node -e " | |
| const { execSync } = require('child_process'); | |
| try { | |
| execSync('node ../codex-cli/codex sandbox-test process-creation'); | |
| console.log('EProcess isolation test passed'); | |
| } catch (e) { | |
| console.log('EProcess isolation test failed:', e.message); | |
| } | |
| " || true | |
| secrets-detection: | |
| name: Secrets Detection | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Run TruffleHog | |
| uses: trufflesecurity/trufflehog@main | |
| with: | |
| path: ./ | |
| base: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }} | |
| head: ${{ github.sha }} | |
| extra_args: --only-verified | |
| continue-on-error: true | |
| container-security: | |
| name: Container Security Scan | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'pull_request' | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Build test container | |
| run: | | |
| if [ -f "Dockerfile" ]; then | |
| docker build -t codex-test . | |
| else | |
| echo "No Dockerfile found, skipping container scan" | |
| fi | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| if: success() | |
| with: | |
| scan-type: "image" | |
| scan-ref: "codex-test" | |
| format: "sarif" | |
| output: "trivy-results.sarif" | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: success() | |
| with: | |
| sarif_file: "trivy-results.sarif" |