ci(security): add self-test harness (mirror of fai/platform)
Some checks failed
Security / Security check (push) Has been cancelled

18 scenarios that verify the security script's rules still
trip on every tripwire — PATs, AWS keys, PEM headers, env
files, allowlist exempts, confidentiality terms, marketing
phrases, .security-allow exclusion, plus message-mode
(Conventional Commits, DCO, Claude trailer, banned phrases).

Wired into the security workflow as a second-line gate after
the diff-based check. Catches the refactor-weakens-a-rule
class of regression: the diff scan can be green while a rule
silently no-ops; the harness fails loudly when that happens.

Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>
This commit is contained in:
flemming-it 2026-05-10 21:41:23 +02:00
parent 7416c34d7c
commit 3dede6d7d8
2 changed files with 225 additions and 0 deletions

View file

@ -43,3 +43,9 @@ jobs:
BASE="origin/$GITHUB_BASE_REF"
fi
bash tools/security/check-staged.sh ci "$BASE"
- name: Security script self-test
# Verifies every rule still trips on its tripwire — catches
# the case where a refactor of the script silently weakens
# a check.
run: bash tools/security/test-check-staged.sh