ci(security): add self-test harness (mirror of fai/platform)
Some checks failed
Security / Security check (push) Has been cancelled
Some checks failed
Security / Security check (push) Has been cancelled
18 scenarios that verify the security script's rules still trip on every tripwire — PATs, AWS keys, PEM headers, env files, allowlist exempts, confidentiality terms, marketing phrases, .security-allow exclusion, plus message-mode (Conventional Commits, DCO, Claude trailer, banned phrases). Wired into the security workflow as a second-line gate after the diff-based check. Catches the refactor-weakens-a-rule class of regression: the diff scan can be green while a rule silently no-ops; the harness fails loudly when that happens. Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>
This commit is contained in:
parent
8e378d4fc2
commit
ab2205466a
2 changed files with 225 additions and 0 deletions
|
|
@ -43,3 +43,9 @@ jobs:
|
|||
BASE="origin/$GITHUB_BASE_REF"
|
||||
fi
|
||||
bash tools/security/check-staged.sh ci "$BASE"
|
||||
|
||||
- name: Security script self-test
|
||||
# Verifies every rule still trips on its tripwire — catches
|
||||
# the case where a refactor of the script silently weakens
|
||||
# a check.
|
||||
run: bash tools/security/test-check-staged.sh
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue