feat(ci): enhance security scanning with granular controls

mrz1836 · mrz1836 · commit baa4aaf5b206 · 2025-07-22T09:48:35.000-04:00
- Split ENABLE_SECURITY_SCANS into individual tool flags
- Add separate controls for nancy, govulncheck, and gitleaks
- Update security workflow with enhanced vulnerability scanning
diff --git a/.github/.env.shared b/.github/.env.shared
@@ -38,12 +38,14 @@ SECONDARY_RUNNER=ubuntu-24.04          # Set identical to PRIMARY_RUNNER if you
 # ───────────────────────────────────────────────────────────────────────────────
 # ENV: Feature Flags
 # ───────────────────────────────────────────────────────────────────────────────
-ENABLE_BENCHMARKS=true                 # Enable benchmark tests (runs make bench)
+ENABLE_BENCHMARKS=true                 # Enable benchmark tests (runs make bench) (this needs more work before it can be enabled)
 ENABLE_CODE_COVERAGE=true              # Enable code coverage reporting (upload to Codecov)
 ENABLE_FUZZ_TESTING=true               # Enable fuzz running tests (requires Go 1.18+)
 ENABLE_GO_LINT=true                    # Enable Go code linting steps (golangci-lint)
 ENABLE_RACE_DETECTION=true             # Enable Go's race detector in tests (-race flag)
-ENABLE_SECURITY_SCANS=true             # Enable tools like gitleaks, govulncheck, nancy
+ENABLE_SECURITY_SCAN_NANCY=true        # Enable Nancy dependency vulnerability checks
+ENABLE_SECURITY_SCAN_GOVULNCHECK=true  # Enable govulncheck Go vulnerability scanning (Issue with https://pkg.go.dev/vuln/GO-2024-3218)
+ENABLE_SECURITY_SCAN_GITLEAKS=true     # Enable Gitleaks secret scanning
 ENABLE_STATIC_ANALYSIS=true            # Enable static analysis jobs (go vet)
 ENABLE_VERBOSE_TEST_OUTPUT=false       # Enable verbose output for test runs (can slow down CI)
 ENABLE_YAML_LINT=true                  # Enable YAML format validation (prettier with editorconfig)
diff --git a/.github/workflows/fortress-security-scans.yml b/.github/workflows/fortress-security-scans.yml
@@ -17,6 +17,21 @@ on:
         description: "JSON string of environment variables"
         required: true
         type: string
+      enable-nancy:
+        description: "Enable Nancy security scan"
+        required: false
+        type: boolean
+        default: true
+      enable-govulncheck:
+        description: "Enable govulncheck security scan"
+        required: false
+        type: boolean
+        default: true
+      enable-gitleaks:
+        description: "Enable Gitleaks security scan"
+        required: false
+        type: boolean
+        default: true
       primary-runner:
         description: "Primary runner OS"
         required: true
@@ -43,6 +58,7 @@ jobs:
   ask-nancy:
     name: 🛡️ Ask Nancy (Dependency Checks)
     runs-on: ${{ inputs.primary-runner }}
+    if: ${{ inputs.enable-nancy }}
     steps:
       # ————————————————————————————————————————————————————————————————
       # Parse environment variables
@@ -124,6 +140,7 @@ jobs:
   govulncheck:
     name: 🔐 Run govulncheck (Vulnerability Scan)
     runs-on: ${{ inputs.primary-runner }}
+    if: ${{ inputs.enable-govulncheck }}
     steps:
       # ————————————————————————————————————————————————————————————————
       # Parse environment variables
@@ -229,7 +246,7 @@ jobs:
   gitleaks:
     name: 🕵️ Run Gitleaks (Secret Scan)
     runs-on: ${{ inputs.primary-runner }}
-    if: github.event.pull_request.head.repo.full_name == github.repository
+    if: ${{ inputs.enable-gitleaks }}
     steps:
       # ————————————————————————————————————————————————————————————————
       # Parse environment variables
@@ -243,6 +260,38 @@ jobs:
             echo "$key=$value" >> $GITHUB_ENV
           done
 
+      # ————————————————————————————————————————————————————————————————
+      # Check repository security conditions
+      # ————————————————————————————————————————————————————————————————
+      - name: 🔍 Check repository security conditions
+        id: repo-check
+        env:
+          GITHUB_EVENT_NAME: ${{ github.event_name }}
+          GITHUB_ACTOR: ${{ github.actor }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          GITHUB_HEAD_REF: ${{ github.head_ref }}
+          PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
+        run: |
+          echo "🔍 Checking repository security conditions..."
+          echo "Event Name: $GITHUB_EVENT_NAME"
+          echo "Actor: $GITHUB_ACTOR"
+          echo "Repository: $GITHUB_REPOSITORY"
+          echo "Head Ref: $GITHUB_HEAD_REF"
+
+          # For workflow_call, we typically trust the calling workflow from the same repo
+          # For pull_request events, check if head repo matches base repo
+          if [[ "$GITHUB_EVENT_NAME" == "workflow_call" ]]; then
+            echo "✅ Workflow call from same repository - security scans allowed"
+            echo "is_same_repo=true" >> $GITHUB_OUTPUT
+          elif [[ "$PR_HEAD_REPO" == "$GITHUB_REPOSITORY" ]] || [[ -z "$PR_HEAD_REPO" ]]; then
+            echo "✅ Same repository or push event - security scans allowed"
+            echo "is_same_repo=true" >> $GITHUB_OUTPUT
+          else
+            echo "⚠️  Fork detected - skipping secret-sensitive scans for security"
+            echo "PR Head Repo: $PR_HEAD_REPO"
+            echo "is_same_repo=false" >> $GITHUB_OUTPUT
+          fi
+
       # ————————————————————————————————————————————————————————————————
       # Checkout code and set up Go environment
       # ————————————————————————————————————————————————————————————————
@@ -252,6 +301,7 @@ jobs:
           fetch-depth: 0 # Fetch all history so Gitleaks can scan commits
 
       - name: 🔍 Run gitleaks scan
+        if: steps.repo-check.outputs.is_same_repo == 'true'
         uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v8.27.2
         env:
           GITHUB_TOKEN: ${{ secrets.github-token }}
@@ -263,6 +313,7 @@ jobs:
           GITLEAKS_VERSION: ${{ env.GITLEAKS_VERSION }}
 
       - name: 📊 Job Summary
+        if: steps.repo-check.outputs.is_same_repo == 'true'
         run: |
           echo "## 🕵️ Gitleaks Secret Scan Summary" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
@@ -274,3 +325,17 @@ jobs:
           echo "| **Result** | ✅ No secrets detected (see logs for details) |" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "🎯 **Secret scan completed successfully.**" >> $GITHUB_STEP_SUMMARY
+
+      - name: 📊 Fork Security Notice
+        if: steps.repo-check.outputs.is_same_repo == 'false'
+        run: |
+          echo "## 🕵️ Gitleaks Secret Scan Summary" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| 🔒 Security Details | ⚠️  Status |" >> $GITHUB_STEP_SUMMARY
+          echo "|---|---|" >> $GITHUB_STEP_SUMMARY
+          echo "| **Tool** | Gitleaks |" >> $GITHUB_STEP_SUMMARY
+          echo "| **Fork Detected** | ${{ github.event.pull_request.head.repo.full_name || 'N/A (not a PR event)' }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| **Base Repository** | ${{ github.repository }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| **Result** | ⚠️  Skipped for security (fork cannot access secrets) |" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "🔒 **Secret scanning was skipped because this PR comes from a fork. This is a security feature to prevent secret exposure.**" >> $GITHUB_STEP_SUMMARY
