115 lines
4.0 KiB
YAML
115 lines
4.0 KiB
YAML
name: Quarterly Security Audit
|
|
|
|
on:
|
|
schedule:
|
|
# Run at 08:00 UTC on the first day of each quarter (Jan, Apr, Jul, Oct)
|
|
- cron: '0 8 1 1,4,7,10 *'
|
|
workflow_dispatch:
|
|
inputs:
|
|
reason:
|
|
description: 'Reason for manual trigger'
|
|
required: false
|
|
default: 'Manual quarterly audit'
|
|
|
|
permissions:
|
|
issues: write
|
|
contents: read
|
|
|
|
jobs:
|
|
create-audit-issue:
|
|
name: Create quarterly security audit issue
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Get quarter info
|
|
id: quarter
|
|
run: |
|
|
MONTH=$(date +%-m)
|
|
YEAR=$(date +%Y)
|
|
QUARTER=$(( (MONTH - 1) / 3 + 1 ))
|
|
echo "quarter=Q${QUARTER}-${YEAR}" >> "$GITHUB_OUTPUT"
|
|
echo "year=${YEAR}" >> "$GITHUB_OUTPUT"
|
|
echo "q=${QUARTER}" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Create audit issue
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
QUARTER="${{ steps.quarter.outputs.quarter }}"
|
|
|
|
gh issue create \
|
|
--title "[$QUARTER] Quarterly Security Audit" \
|
|
--label "security,audit" \
|
|
--body "$(cat <<'BODY'
|
|
## Quarterly Security Audit — ${{ steps.quarter.outputs.quarter }}
|
|
|
|
This is the scheduled quarterly security audit for the hermes-agent project. Complete each section and close this issue when the audit is done.
|
|
|
|
**Audit Period:** ${{ steps.quarter.outputs.quarter }}
|
|
**Due:** End of quarter
|
|
**Owner:** Assign to a maintainer
|
|
|
|
---
|
|
|
|
## 1. Open Issues & PRs Audit
|
|
|
|
Review all open issues and PRs for security-relevant content. Tag any that touch attack surfaces with the `security` label.
|
|
|
|
- [ ] Review open issues older than 30 days for unaddressed security concerns
|
|
- [ ] Tag security-relevant open PRs with `needs-security-review`
|
|
- [ ] Check for any issues referencing CVEs or known vulnerabilities
|
|
- [ ] Review recently closed security issues — are fixes deployed?
|
|
|
|
## 2. Dependency Audit
|
|
|
|
- [ ] Run `pip-audit` against current `requirements.txt` / `pyproject.toml`
|
|
- [ ] Check `uv.lock` for any pinned versions with known CVEs
|
|
- [ ] Review any `git+` dependencies for recent changes or compromise signals
|
|
- [ ] Update vulnerable dependencies and open PRs for each
|
|
|
|
## 3. Critical Path Review
|
|
|
|
Review recent changes to attack-surface paths:
|
|
|
|
- [ ] `gateway/` — authentication, message routing, platform adapters
|
|
- [ ] `tools/` — file I/O, command execution, web access
|
|
- [ ] `agent/` — prompt handling, context management
|
|
- [ ] `config/` — secrets loading, configuration parsing
|
|
- [ ] `.github/workflows/` — CI/CD integrity
|
|
|
|
Run: `git log --since="3 months ago" --name-only -- gateway/ tools/ agent/ config/ .github/workflows/`
|
|
|
|
## 4. Secret Scan
|
|
|
|
- [ ] Run secret scanner on the full codebase (not just diffs)
|
|
- [ ] Verify no credentials are present in git history
|
|
- [ ] Confirm all API keys/tokens in use are rotated on a regular schedule
|
|
|
|
## 5. Access & Permissions Review
|
|
|
|
- [ ] Review who has write access to the main branch
|
|
- [ ] Confirm branch protection rules are still in place (require PR + review)
|
|
- [ ] Verify CI/CD secrets are scoped correctly (not over-permissioned)
|
|
- [ ] Review CODEOWNERS file for accuracy
|
|
|
|
## 6. Vulnerability Triage
|
|
|
|
List any new vulnerabilities found this quarter:
|
|
|
|
| ID | Component | Severity | Status | Owner |
|
|
|----|-----------|----------|--------|-------|
|
|
| | | | | |
|
|
|
|
## 7. Action Items
|
|
|
|
| Action | Owner | Due Date | Status |
|
|
|--------|-------|----------|--------|
|
|
| | | | |
|
|
|
|
---
|
|
|
|
*Auto-generated by [quarterly-security-audit](/.github/workflows/quarterly-security-audit.yml). Close this issue when the audit is complete.*
|
|
BODY
|
|
)"
|