Release #5
# AI-Powered Security Vulnerability Scanner
# Scans all committed changes for security vulnerabilities using Gemini AI
# Focuses on WordPress-specific security issues: SQL injection, XSS, CSRF, etc.

name: Gemini Security Scan

on:
  push:
    branches: [ main, develop ]
  pull_request:
    types: [opened, synchronize, reopened]
  workflow_dispatch:

# Cancel previous workflow runs for the same branch
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Least-privilege token: read the tree, write issues and PR comments only
permissions:
  contents: read
  issues: write
  pull-requests: write

jobs:
  security-scan:
    name: AI Security Vulnerability Scan
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Full history so changed-files can diff against the base commit
          fetch-depth: 0

      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v46
        with:
          # Only PHP, JavaScript and SQL files are handed to the scanner
          files: |
            **/*.php
            **/*.js
            **/*.sql
          # One path per line in the all_changed_files output
          separator: "\n"

      - name: Run Gemini Security Analysis
        if: steps.changed-files.outputs.any_changed == 'true'
        uses: google-github-actions/run-gemini-cli@v0.1.10
        env:
          # Newline-separated list of changed paths for the scan to read
          CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
          # Repository secrets are not exposed to pull_request runs from forks,
          # so this step cannot authenticate (and fails) for fork PRs
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}

      - name: Create Security Issue on Critical Findings
        # failure() is true when any earlier step failed, not only the Gemini
        # scan, so a checkout or changed-files failure also opens an issue
        if: failure()
        uses: actions/github-script@v7
        with:
          script: |
            const title = `🚨 Critical Security Vulnerabilities Detected - ${context.sha.substring(0, 7)}`;
            const body = `
            ## Security Scan Results

            Critical security vulnerabilities have been detected in recent changes.

            **Commit:** ${context.sha}
            **Branch:** ${context.ref}
            **Triggered by:** ${context.eventName}

            Please review the workflow logs for detailed findings and remediation steps.

            **Workflow Run:** ${context.payload.repository.html_url}/actions/runs/${context.runId}

            ## Immediate Actions Required:
            1. Review the security findings in the workflow logs
            2. Fix all critical and high-severity issues
            3. Test fixes thoroughly
            4. Re-run security scan to verify fixes

            **⚠️ Do not merge this PR until all security issues are resolved.**
            `;

            await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: title,
              body: body,
              labels: ['security', 'bug', 'critical']
            });