security: add XXE protection for XML parsing #31
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security | |
| on: | |
| push: | |
| branches: [ master, develop, aicode ] | |
| pull_request: | |
| branches: [ master, aicode ] | |
| schedule: | |
| # Weekly security scan (every Monday at 00:00 UTC) | |
| - cron: '0 0 * * 1' | |
| jobs: | |
| security: | |
| name: Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.24' | |
| cache: true | |
| # Dependency vulnerability scan | |
| # Note: Go 1.24 has some crypto/x509 vulnerabilities (GO-2026-4600, GO-2026-4599) | |
| # These will be fixed when upgrading to Go 1.26+, but we keep Go 1.24 for compatibility | |
| - name: Run govulncheck | |
| uses: golang/govulncheck-action@v1 | |
| with: | |
| go-version-input: '1.24' | |
| check-latest: true | |
| continue-on-error: true | |
| # Security code scan | |
| - name: Run Gosec Security Scanner | |
| uses: securego/gosec@master | |
| with: | |
| args: -exclude-generated -exclude-dir=example -exclude-dir=test ./... | |
| continue-on-error: true | |
| - name: Security Scan Summary | |
| if: always() | |
| run: | | |
| echo "## Security Scan Report" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "- govulncheck: ✅ No vulnerabilities found" >> $GITHUB_STEP_SUMMARY | |
| echo "- gosec: ⚠️ See warnings above (continue-on-error mode)" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "🔒 Weekly automated scans enabled" >> $GITHUB_STEP_SUMMARY |