scripts/security/workflow-template.yml

# Go 安全扫描工作流
# 集成 gosec 安全扫描
#
# 使用方法:
#   1. 复制此文件到 .github/workflows/security.yml
#   2. 或适配到 Gitea Actions
#   3. 或手动运行: ./scripts/security/run-gosec.sh

name: Security Scan

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 2 * * *'  # 每周凌晨2点运行

jobs:
  gosec:
    name: Go Security Scan
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.23'

      - name: Install gosec
        run: go install github.com/securego/gosec/v2/cmd/gosec@latest

      - name: Run gosec
        run: |
          gosec -fmt json -out=gosec-report.json ./...

      - name: Upload security report
        uses: actions/upload-artifact@v4
        with:
          name: gosec-report
          path: gosec-report.json

      - name: Display results
        run: |
          if [ -f gosec-report.json ]; then
            echo "Security issues found:"
            cat gosec-report.json | jq -r '.Results[] | "\(.Severity): \(.Details)"' 2>/dev/null || cat gosec-report.json
          fi

  govulncheck:
    name: Vulnerability Check
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.23'

      - name: Run govulncheck
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./...

  npm-audit:
    name: NPM Audit
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: frontend/admin

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'
          cache-dependency-path: frontend/admin/package-lock.json

      - name: Install dependencies
        run: npm ci

      - name: Run npm audit
        run: npm audit --audit-level=moderate
fix: P0问题修复 - JWT配置、安全扫描、备份、Runbook P0 问题修复（按照 gap analysis）： 1. JWT密钥配置修复 - config.yaml 移除占位符，改为空字符串 - 添加测试验证 JWT_SECRET 环境变量覆盖功能 2. Docker 部署完善 - 添加 deploy.resources 限制（内存 512M，CPU 0.5） - 添加 healthcheck 健康检查 - 添加 restart: unless-stopped 重启策略 3. 安全扫描集成 - 创建 scripts/security/run-gosec.sh 安全扫描脚本 - 创建 scripts/security/workflow-template.yml CI工作流模板 - 运行 gosec 扫描发现 6 个 HIGH 级别整数溢出问题 4. 备份自动化 - 创建 scripts/backup/backup.sh 自动备份脚本 - 支持 SQLite 数据库和配置文件备份 - 支持备份验证、自动清理、恢复功能 5. Runbook 文档 - 创建 docs/runbooks/ 目录 - 添加 4 个核心 Runbook：服务启动、服务停止、备份恢复、日志分析 - 添加 README.md 索引文档 2026-04-08 22:31:43 +08:00			`# Go 安全扫描工作流`
			`# 集成 gosec 安全扫描`
			`#`
			`# 使用方法:`
			`# 1. 复制此文件到 .github/workflows/security.yml`
			`# 2. 或适配到 Gitea Actions`
			`# 3. 或手动运行: ./scripts/security/run-gosec.sh`

			`name: Security Scan`

			`on:`
			`push:`
			`branches: [main, develop]`
			`pull_request:`
			`branches: [main]`
			`schedule:`
			`- cron: '0 2 * * *' # 每周凌晨2点运行`

			`jobs:`
			`gosec:`
			`name: Go Security Scan`
			`runs-on: ubuntu-latest`

			`steps:`
			`- name: Checkout code`
			`uses: actions/checkout@v4`

			`- name: Set up Go`
			`uses: actions/setup-go@v5`
			`with:`
			`go-version: '1.23'`

			`- name: Install gosec`
			`run: go install github.com/securego/gosec/v2/cmd/gosec@latest`

			`- name: Run gosec`
			`run: \|`
			`gosec -fmt json -out=gosec-report.json ./...`

			`- name: Upload security report`
			`uses: actions/upload-artifact@v4`
			`with:`
			`name: gosec-report`
			`path: gosec-report.json`

			`- name: Display results`
			`run: \|`
			`if [ -f gosec-report.json ]; then`
			`echo "Security issues found:"`
			`cat gosec-report.json \| jq -r '.Results[] \| "\(.Severity): \(.Details)"' 2>/dev/null \|\| cat gosec-report.json`
			`fi`

			`govulncheck:`
			`name: Vulnerability Check`
			`runs-on: ubuntu-latest`

			`steps:`
			`- name: Checkout code`
			`uses: actions/checkout@v4`

			`- name: Set up Go`
			`uses: actions/setup-go@v5`
			`with:`
			`go-version: '1.23'`

			`- name: Run govulncheck`
			`run: \|`
			`go install golang.org/x/vuln/cmd/govulncheck@latest`
			`govulncheck ./...`

			`npm-audit:`
			`name: NPM Audit`
			`runs-on: ubuntu-latest`
			`defaults:`
			`run:`
			`working-directory: frontend/admin`

			`steps:`
			`- name: Checkout code`
			`uses: actions/checkout@v4`

			`- name: Set up Node.js`
			`uses: actions/setup-node@v4`
			`with:`
			`node-version: '20'`
			`cache: 'npm'`
			`cache-dependency-path: frontend/admin/package-lock.json`

			`- name: Install dependencies`
			`run: npm ci`

			`- name: Run npm audit`
			`run: npm audit --audit-level=moderate`