long-agent/user-system
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7c2f073cbf45cf6782d49297cf411a290e4fc5e2
user-system/scripts/security/workflow-template.yml
long-agent 3b0bcf0ff7 fix: P0问题修复 - JWT配置、安全扫描、备份、Runbook 
P0 问题修复(按照 gap analysis):

1. JWT密钥配置修复
   - config.yaml 移除占位符,改为空字符串
   - 添加测试验证 JWT_SECRET 环境变量覆盖功能

2. Docker 部署完善
   - 添加 deploy.resources 限制(内存 512M,CPU 0.5)
   - 添加 healthcheck 健康检查
   - 添加 restart: unless-stopped 重启策略

3. 安全扫描集成
   - 创建 scripts/security/run-gosec.sh 安全扫描脚本
   - 创建 scripts/security/workflow-template.yml CI工作流模板
   - 运行 gosec 扫描发现 6 个 HIGH 级别整数溢出问题

4. 备份自动化
   - 创建 scripts/backup/backup.sh 自动备份脚本
   - 支持 SQLite 数据库和配置文件备份
   - 支持备份验证、自动清理、恢复功能

5. Runbook 文档
   - 创建 docs/runbooks/ 目录
   - 添加 4 个核心 Runbook:服务启动、服务停止、备份恢复、日志分析
   - 添加 README.md 索引文档
2026-04-08 22:31:43 +08:00

94 lines
2.1 KiB
YAML
Raw Blame History

# Go 安全扫描工作流
# 集成 gosec 安全扫描
#
# 使用方法:
# 1. 复制此文件到 .github/workflows/security.yml
# 2. 或适配到 Gitea Actions
# 3. 或手动运行: ./scripts/security/run-gosec.sh
name: Security Scan
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
schedule:
- cron: '0 2 * * *' # 每周凌晨2点运行
jobs:
gosec:
name: Go Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: '1.23'
- name: Install gosec
run: go install github.com/securego/gosec/v2/cmd/gosec@latest
- name: Run gosec
run: |
gosec -fmt json -out=gosec-report.json ./...
- name: Upload security report
uses: actions/upload-artifact@v4
with:
name: gosec-report
path: gosec-report.json
- name: Display results
run: |
if [ -f gosec-report.json ]; then
echo "Security issues found:"
cat gosec-report.json | jq -r '.Results[] | "\(.Severity): \(.Details)"' 2>/dev/null || cat gosec-report.json
fi
govulncheck:
name: Vulnerability Check
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: '1.23'
- name: Run govulncheck
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
npm-audit:
name: NPM Audit
runs-on: ubuntu-latest
defaults:
run:
working-directory: frontend/admin
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'
cache-dependency-path: frontend/admin/package-lock.json
- name: Install dependencies
run: npm ci
- name: Run npm audit
run: npm audit --audit-level=moderate
Reference in New Issue View Git Blame Copy Permalink