Skip to content
Gemini Security Scan

Test #19

Sign in to view logs

Test

Test #19

Workflow file for this run

.github/workflows/gemini-security-scan.yml at 8e6158f
# AI-Powered Security Vulnerability Scanner
# Scans all committed changes for security vulnerabilities using Gemini AI
# Focuses on WordPress-specific security issues: SQL injection, XSS, CSRF, etc.
name: Gemini Security Scan
on:
push:
branches: [ main, develop ]
pull_request:
types: [opened, synchronize, reopened]
workflow_dispatch:
# Cancel previous workflow runs for the same branch
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
issues: write
pull-requests: write
actions: read
jobs:
security-scan:
name: AI Security Vulnerability Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get changed files
id: changed-files
uses: tj-actions/changed-files@v46
with:
files: |
**/*.php
**/*.js
**/*.sql
separator: "\n"
- name: Run Gemini Security Analysis
if: steps.changed-files.outputs.any_changed == 'true'
env:
CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
run: |
npx @google/gemini-cli@latest --prompt "
You are a WordPress security expert with deep knowledge of plugin vulnerabilities.
SECURITY SCAN INSTRUCTIONS:
Analyze the following code changes for security vulnerabilities. Focus on:
πŸ”΄ CRITICAL SECURITY ISSUES:
- SQL Injection: Check for unsanitized database queries, missing prepared statements
- Cross-Site Scripting (XSS): Look for unescaped output, missing esc_html/esc_attr
- Cross-Site Request Forgery (CSRF): Verify nonce usage in forms and AJAX
- Authentication Bypass: Check user capability validation
- File Upload Vulnerabilities: Verify file type and size validation
- Directory Traversal: Look for path manipulation vulnerabilities
- Code Injection: Check for eval(), exec(), system() usage
🟑 WORDPRESS-SPECIFIC SECURITY:
- Proper use of WordPress sanitization functions
- Correct capability checks (current_user_can)
- WordPress nonce verification
- Proper use of wpdb prepared statements
- Validation of user input and file uploads
- Secure handling of options and meta data
🟒 BEST PRACTICES:
- Input validation and sanitization
- Output escaping and encoding
- Secure API endpoint implementation
- Proper error handling without information disclosure
For each issue found:
1. Specify the exact file and line number
2. Explain the vulnerability type and risk level
3. Provide secure code recommendations
4. Reference WordPress Codex security guidelines
If no vulnerabilities are found, confirm the code follows WordPress security standards.
FILES TO ANALYZE:
$CHANGED_FILES
" > security-analysis.txt
- name: Post Security Analysis Summary
if: steps.changed-files.outputs.any_changed == 'true'
uses: actions/github-script@v7
env:
CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const fs = require('fs');
const changedFiles = process.env.CHANGED_FILES;
let analysisContent = 'No analysis output found.';
try {
if (fs.existsSync('security-analysis.txt')) {
analysisContent = fs.readFileSync('security-analysis.txt', 'utf8');
}
} catch (error) {
console.log('Error reading analysis file:', error);
analysisContent = 'Error reading security analysis results.';
}
const title = `πŸ”’ Security Analysis Report - ${context.sha.substring(0, 7)}`;
const body = `
## πŸ›‘οΈ WordPress Security Analysis Results
**Repository:** ${context.repo.owner}/${context.repo.repo}
**Commit:** ${context.sha}
**Branch:** ${context.ref}
**Files Analyzed:** ${changedFiles}
**Analysis Date:** ${new Date().toISOString()}
---
### πŸ€– AI Security Expert Findings
${analysisContent}
---
### πŸ“‹ Next Steps
- Review any security issues identified above
- Address critical and high-severity findings immediately
- Test all security-related changes thoroughly
- Consider implementing additional security measures if recommended
**Workflow Run:** ${context.payload.repository.html_url}/actions/runs/${context.runId}
`;
// Create issue for security analysis
try {
await github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: title,
body: body,
labels: ['security-analysis', 'ai-generated', 'needs-review']
});
console.log('βœ… Security analysis issue created successfully');
} catch (error) {
console.log('⚠️ Could not create issue, writing to workflow summary instead');
await core.summary
.addHeading('πŸ”’ Security Analysis Report')
.addRaw(body)
.write();
}
- name: Create Security Issue on Critical Findings
if: failure()
uses: actions/github-script@v7
with:
script: |
const title = `🚨 Critical Security Vulnerabilities Detected - ${context.sha.substring(0, 7)}`;
const body = `
## Security Scan Results
Critical security vulnerabilities have been detected in recent changes.
**Commit:** ${context.sha}
**Branch:** ${context.ref}
**Triggered by:** ${context.eventName}
Please review the workflow logs for detailed findings and remediation steps.
**Workflow Run:** ${context.payload.repository.html_url}/actions/runs/${context.runId}
## Immediate Actions Required:
1. Review the security findings in the workflow logs
2. Fix all critical and high-severity issues
3. Test fixes thoroughly
4. Re-run security scan to verify fixes
**⚠️ Do not merge this PR until all security issues are resolved.**
`;
await github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: title,
body: body,
labels: ['security', 'bug', 'critical']
});