security-policy.yml
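---
# CI policy gate: grep-based checks for weak hash primitives, plain-HTTP URLs
# and hard-coded secrets. Only the secrets check fails the job; the other two
# are advisory and print a warning.
name: Security Policy

# yamllint disable-line rule:truthy -- GitHub's loader reads the `on` key as intended
on: [push, pull_request]

# Least privilege: the job only reads the checkout and needs no write scopes.
permissions:
  contents: read

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      # TODO: pin to a full commit SHA (<checkout-commit-sha>) instead of a
      # mutable tag so the action cannot change under the same version label.
      - uses: actions/checkout@v6.0.1
      - name: Security checks
        run: |
          FAILED=false

          # Warn on MD5/SHA1 used as hash primitives (md5( / sha1( call sites).
          # Lines mentioning checksum/cache/test/spec are skipped: weak hashes
          # are acceptable there for non-security integrity uses.
          # `-n` adds the line number so hits can be located quickly.
          WEAK_CRYPTO=$(grep -rnE 'md5\(|sha1\(' --include="*.py" --include="*.rb" --include="*.js" --include="*.ts" --include="*.go" --include="*.rs" . 2>/dev/null | grep -v 'checksum\|cache\|test\|spec' | head -5 || true)
          if [ -n "$WEAK_CRYPTO" ]; then
            echo "⚠️ Weak crypto (MD5/SHA1) detected. Use SHA256+ for security:"
            echo "$WEAK_CRYPTO"
          fi

          # Warn on plain-HTTP URLs. Loopback hosts are excluded by the filter
          # below, not by the regex: the previous pattern used negated
          # character classes that also dropped any URL whose host began with
          # 'l', had 'o' second or 'c' third. Dots in 127.0.0.1 are escaped so
          # the filter matches only that literal address.
          HTTP_URLS=$(grep -rnE 'http://' --include="*.py" --include="*.js" --include="*.ts" --include="*.go" --include="*.rs" --include="*.yaml" --include="*.yml" . 2>/dev/null | grep -v 'localhost\|127\.0\.0\.1\|example\|test\|spec' | head -5 || true)
          if [ -n "$HTTP_URLS" ]; then
            echo "⚠️ HTTP URLs found. Use HTTPS:"
            echo "$HTTP_URLS"
          fi

          # Fail on hard-coded secret patterns: a key-like name, `=` or `:`,
          # then a quoted value of 20+ base64-ish characters.
          # The pattern is double-quoted so the bracket expression is a real
          # ["'] pair; inside single quotes, `\x27` is not a hex escape but the
          # literal characters \ x 2 7, so single-quoted values were never
          # matched.
          SECRETS=$(grep -rnEi "(api_key|apikey|secret_key|password)\s*[=:]\s*[\"'][A-Za-z0-9+/=]{20,}" --include="*.py" --include="*.js" --include="*.ts" --include="*.go" --include="*.rs" --include="*.env" . 2>/dev/null | grep -v 'example\|sample\|test\|mock\|placeholder' | head -3 || true)
          if [ -n "$SECRETS" ]; then
            echo "❌ Potential hardcoded secrets detected!"
            # Print only file:line, never the matched content, so a real
            # credential is not copied into the CI log.
            echo "$SECRETS" | cut -d: -f1,2
            FAILED=true
          fi

          if [ "$FAILED" = true ]; then
            exit 1
          fi

          echo "✅ Security policy check passed"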