feat(social): bridge sh1pt → crawlproof.com connected accounts #8
| name: vu1nz security scan | |
| on: | |
| pull_request: | |
| push: | |
| branches: [master] | |
| permissions: | |
| contents: read | |
| actions: read | |
| pull-requests: write | |
| jobs: | |
| scan: | |
| name: Scan CI/CD for vulnerabilities | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.12" | |
| - name: Install vu1nz | |
| run: pip install --quiet git+https://github.com/profullstack/vu1nz-gh-actions.git | |
| - name: Scan workflows | |
| id: scan | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| vu1nz actions scan ${{ github.repository }} \ | |
| --token "$GITHUB_TOKEN" \ | |
| --json \ | |
| 2>&1 | tee "$RUNNER_TEMP/vu1nz-scan.json" | |
| - name: Evaluate findings | |
| id: eval | |
| run: | | |
| python3 << 'PYEOF' | |
| import json, os, sys | |
| scan_file = os.environ.get("RUNNER_TEMP", "") + "/vu1nz-scan.json" | |
| try: | |
| with open(scan_file) as f: | |
| data = json.load(f) | |
| except Exception as e: | |
| print(f"::warning::Could not parse scan results: {e}") | |
| sys.exit(0) | |
| findings = data.get("findings", []) | |
| counts = {"critical": 0, "high": 0, "medium": 0, "low": 0, "info": 0} | |
| for f in findings: | |
| sev = f.get("severity", "").lower() | |
| if sev in counts: | |
| counts[sev] += 1 | |
| total = len(findings) | |
| has_hc = counts["critical"] > 0 or counts["high"] > 0 | |
| parts = [f"**{total} findings**"] | |
| for sev in ("critical", "high", "medium", "low"): | |
| if counts[sev] > 0: | |
| parts.append(f"{sev}: {counts[sev]}") | |
| summary = " | ".join(parts) | |
| with open(os.environ.get("GITHUB_OUTPUT", ""), "a") as out: | |
| out.write(f"total={total}\n") | |
| out.write(f"has_high_critical={'true' if has_hc else 'false'}\n") | |
| out.write(f"summary={summary}\n") | |
| if has_hc: | |
| print(f"::error::vu1nz found high/critical CI/CD vulnerabilities") | |
| sys.exit(1) | |
| print(f"::notice::{summary}") | |
| PYEOF | |
| - name: Comment on PR | |
| if: github.event_name == 'pull_request' && always() | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const summary = `${{ steps.eval.outputs.summary || 'Scan completed.' }}`; | |
| const hasHC = '${{ steps.eval.outputs.has_high_critical }}' === 'true'; | |
| let body = `## vu1nz CI/CD Security Scan\n\n${summary}\n\n`; | |
| if (hasHC) { | |
| body += '**High or critical findings detected — review before merging.**\n\n'; | |
| } | |
| const { data: comments } = await github.rest.issues.listComments({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| }); | |
| const existing = comments.find(c => | |
| c.user.type === 'Bot' && c.body.includes('vu1nz CI/CD Security Scan') | |
| ); | |
| if (existing) { | |
| await github.rest.issues.updateComment({ | |
| comment_id: existing.id, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: body, | |
| }); | |
| } else { | |
| await github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: body, | |
| }); | |
| } |
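Review bot: The gate fails open: the scan step merges stderr into the JSON file (`2>&1 | tee "$RUNNER_TEMP/vu1nz-scan.json"`), and the evaluate step's `except Exception` only prints a warning and calls `sys.exit(0)`, so any scanner crash, deprecation warning or other stderr noise makes the file unparseable and the job passes as if there were no findings. The scan step also sets no `shell: bash`, so it is presumably run without pipefail and a non-zero exit from `vu1nz` is masked by `tee`. Keep stderr out of the results, `2>"$RUNNER_TEMP/vu1nz-scan.err" | tee "$RUNNER_TEMP/vu1nz-scan.json"`, add `shell: bash` to that step, and fail closed on parse errors with `print(f"::error::Could not parse scan results: {e}")` followed by `sys.exit(1)`. Two smaller points in the same file: the scanner is installed from an unpinned git HEAD (`pip install --quiet git+https://github.com/profullstack/vu1nz-gh-actions.git`) while the job holds `GITHUB_TOKEN` with `pull-requests: write`, so pin it to a tag or commit; and the github-script step interpolates `${{ steps.eval.outputs.summary || 'Scan completed.' }}` straight into a JS template literal, which is more robust read from an `env:` entry via `process.env` since a backtick or `${` in the output would break the script.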