WeFlow/.github/workflows/security-scan.yml

name: Security Scan

on:
  schedule:
    - cron: '0 2 * * *'  # 每天 UTC 02:00
  workflow_dispatch:     # 手动触发
  pull_request:          # PR 时触发
    branches: [ main, dev ]

permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  security-scan:
    name: Security Scan (${{ matrix.branch }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        branch:
          - main

    steps:
      - name: Checkout ${{ matrix.branch }}
        uses: actions/checkout@v4
        with:
          ref: ${{ matrix.branch }}
          fetch-depth: 0

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm' # 使用 npm 缓存加速

      - name: Install dependencies
        run: npm ci --ignore-scripts

      # 1. npm audit - 检查依赖漏洞
      - name: Dependency vulnerability audit
        run: npm audit --audit-level=moderate
        continue-on-error: true

      # 2. CodeQL 静态分析
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript, typescript
          queries: security-and-quality

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: '/language:javascript-typescript/branch:${{ matrix.branch }}'

      # 3. 密钥/敏感信息扫描
      - name: Secret scanning with Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        continue-on-error: true

  # 动态获取所有分支并扫描
  scan-all-branches:
    name: Scan additional branches
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Run npm audit on all branches
        run: |
          git branch -r | grep -v HEAD | sed 's|origin/||' | tr -d ' ' | while read branch; do
            echo "===== Auditing branch: $branch ====="
            git checkout "$branch" 2>/dev/null || continue
            # 尝试安装并审计
            npm ci --ignore-scripts --silent 2>/dev/null || npm install --ignore-scripts --silent 2>/dev/null || true
            npm audit --audit-level=moderate 2>/dev/null || true
          done
        continue-on-error: true