-
Notifications
You must be signed in to change notification settings - Fork 10
99 lines (83 loc) · 4.1 KB
/
security-agent-workflow.yml
File metadata and controls
99 lines (83 loc) · 4.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
# Security Agent Workflow
# Original author: Elio Struyf
# Reference: https://www.eliostruyf.com/custom-security-agent-github-copilot-actions/
name: Security Agent Workflow
on:
workflow_dispatch:
jobs:
security-assessment:
runs-on: ubuntu-latest
timeout-minutes: 15
permissions:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup Node.js
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: 22
- name: Install GitHub Copilot CLI
run: npm i -g @github/copilot
- name: Run Security Agent via Copilot CLI
env:
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
GITHUB_REPOSITORY: ${{ github.repository }}
run: |
set -euo pipefail
# Verify agent file exists
if [ ! -f ".github/agents/security-agent.md" ]; then
echo "Error: Security agent file not found"
exit 1
fi
AGENT_PROMPT=$(cat .github/agents/security-agent.md)
PROMPT="$AGENT_PROMPT"
PROMPT+=$'\n\nContext:\n'
PROMPT+="- Repository: $GITHUB_REPOSITORY"
PROMPT+=$'\n\nTask:\n'
PROMPT+="- Execute the instructions on the full codebase"
PROMPT+="- Generate the security report at security-reports/security-assessment-report.md summarizing findings, severity, and remediation guidance."
PROMPT+=$'\n\nIMPORTANT: Complete the analysis and save the report file. Do not wait for user input.'
# Run with timeout to prevent hanging
timeout 600 copilot --prompt "$PROMPT" --allow-all-tools --allow-all-paths < /dev/null || {
exit_code=$?
if [ $exit_code -eq 124 ]; then
echo "Warning: Copilot CLI timed out after 10 minutes"
fi
# Continue even if copilot exits non-zero, report may still be generated
echo "Copilot CLI exited with code: $exit_code"
}
- name: Output security report as summary
if: always()
run: |
set -euo pipefail
REPORT_PATH="security-reports/security-assessment-report.md"
if [ ! -f "$REPORT_PATH" ]; then
echo "No security report generated; skipping summary."
exit 0
fi
echo "## Security Assessment Report" >> $GITHUB_STEP_SUMMARY
cat "$REPORT_PATH" >> $GITHUB_STEP_SUMMARY
- name: Upload security report artifact
if: always()
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: security-assessment-report-${{ github.run_id }}
path: security-reports/security-assessment-report.md
retention-days: 30
- name: Check for critical vulnerabilities
if: always()
run: |
set -euo pipefail
REPORT_PATH="security-reports/security-assessment-report.md"
if [ ! -f "$REPORT_PATH" ]; then
echo "No security report generated; skipping critical check."
exit 0
fi
if grep -q "THIS ASSESSMENT CONTAINS A CRITICAL VULNERABILITY" "$REPORT_PATH"; then
echo "❌ CRITICAL VULNERABILITY DETECTED - Workflow failed"
echo "The security assessment found critical vulnerabilities that must be addressed before proceeding."
exit 1
else
echo "✅ No critical vulnerabilities detected"
fi