name: Quarterly Security Audit on: schedule: # Run at 08:00 UTC on the first day of each quarter (Jan, Apr, Jul, Oct) - cron: '0 8 1 1,4,7,10 *' workflow_dispatch: inputs: reason: description: 'Reason for manual trigger' required: false default: 'Manual quarterly audit' permissions: issues: write contents: read jobs: create-audit-issue: name: Create quarterly security audit issue runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Get quarter info id: quarter run: | MONTH=$(date +%-m) YEAR=$(date +%Y) QUARTER=$(( (MONTH - 1) / 3 + 1 )) echo "quarter=Q${QUARTER}-${YEAR}" >> "$GITHUB_OUTPUT" echo "year=${YEAR}" >> "$GITHUB_OUTPUT" echo "q=${QUARTER}" >> "$GITHUB_OUTPUT" - name: Create audit issue env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | QUARTER="${{ steps.quarter.outputs.quarter }}" gh issue create \ --title "[$QUARTER] Quarterly Security Audit" \ --label "security,audit" \ --body "$(cat <<'BODY' ## Quarterly Security Audit — ${{ steps.quarter.outputs.quarter }} This is the scheduled quarterly security audit for the hermes-agent project. Complete each section and close this issue when the audit is done. **Audit Period:** ${{ steps.quarter.outputs.quarter }} **Due:** End of quarter **Owner:** Assign to a maintainer --- ## 1. Open Issues & PRs Audit Review all open issues and PRs for security-relevant content. Tag any that touch attack surfaces with the `security` label. - [ ] Review open issues older than 30 days for unaddressed security concerns - [ ] Tag security-relevant open PRs with `needs-security-review` - [ ] Check for any issues referencing CVEs or known vulnerabilities - [ ] Review recently closed security issues — are fixes deployed? ## 2. Dependency Audit - [ ] Run `pip-audit` against current `requirements.txt` / `pyproject.toml` - [ ] Check `uv.lock` for any pinned versions with known CVEs - [ ] Review any `git+` dependencies for recent changes or compromise signals - [ ] Update vulnerable dependencies and open PRs for each ## 3. Critical Path Review Review recent changes to attack-surface paths: - [ ] `gateway/` — authentication, message routing, platform adapters - [ ] `tools/` — file I/O, command execution, web access - [ ] `agent/` — prompt handling, context management - [ ] `config/` — secrets loading, configuration parsing - [ ] `.github/workflows/` — CI/CD integrity Run: `git log --since="3 months ago" --name-only -- gateway/ tools/ agent/ config/ .github/workflows/` ## 4. Secret Scan - [ ] Run secret scanner on the full codebase (not just diffs) - [ ] Verify no credentials are present in git history - [ ] Confirm all API keys/tokens in use are rotated on a regular schedule ## 5. Access & Permissions Review - [ ] Review who has write access to the main branch - [ ] Confirm branch protection rules are still in place (require PR + review) - [ ] Verify CI/CD secrets are scoped correctly (not over-permissioned) - [ ] Review CODEOWNERS file for accuracy ## 6. Vulnerability Triage List any new vulnerabilities found this quarter: | ID | Component | Severity | Status | Owner | |----|-----------|----------|--------|-------| | | | | | | ## 7. Action Items | Action | Owner | Due Date | Status | |--------|-------|----------|--------| | | | | | --- *Auto-generated by [quarterly-security-audit](/.github/workflows/quarterly-security-audit.yml). Close this issue when the audit is complete.* BODY )"