@rashidazarang/airtable-mcp 1.5.0 → 2.1.0

package/.github/workflows/security-audit.yml

@@ -0,0 +1,316 @@
+name: 🔒 Advanced Security Audit
+
+on:
+  schedule:
+    - cron: '0 6 * * *'  # Daily at 6 AM UTC
+  workflow_dispatch:
+  push:
+    branches: [ main ]
+    paths:
+      - '**/*.js'
+      - 'package*.json'
+      - 'Dockerfile*'
+
+jobs:
+  # ============================================================================
+  # DEPENDENCY VULNERABILITY SCANNING
+  # ============================================================================
+  dependency-scan:
+    name: 📦 Dependency Security Scan
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: 📥 Checkout code
+        uses: actions/checkout@v4
+        
+      - name: 🟢 Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+          cache: 'npm'
+          
+      - name: 📦 Install dependencies
+        run: npm ci
+        
+      - name: 🔍 NPM Audit
+        run: |
+          echo "## 📦 NPM Audit Results" >> $GITHUB_STEP_SUMMARY
+          npm audit --audit-level=moderate --format=json > npm-audit.json || true
+          
+          # Parse and display results
+          if [ -f npm-audit.json ]; then
+            VULNERABILITIES=$(cat npm-audit.json | jq '.metadata.vulnerabilities')
+            echo "- Total vulnerabilities found: $VULNERABILITIES" >> $GITHUB_STEP_SUMMARY
+            
+            HIGH=$(cat npm-audit.json | jq '.metadata.vulnerabilities.high // 0')
+            CRITICAL=$(cat npm-audit.json | jq '.metadata.vulnerabilities.critical // 0')
+            
+            if [ "$HIGH" -gt 0 ] || [ "$CRITICAL" -gt 0 ]; then
+              echo "❌ High/Critical vulnerabilities found!" >> $GITHUB_STEP_SUMMARY
+              exit 1
+            else
+              echo "✅ No high/critical vulnerabilities found" >> $GITHUB_STEP_SUMMARY
+            fi
+          fi
+          
+      - name: 🔍 Snyk Security Scan
+        uses: snyk/actions/node@master
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --severity-threshold=high
+          
+      - name: 📊 Upload dependency scan results
+        uses: actions/upload-artifact@v4
+        with:
+          name: dependency-scan-results
+          path: |
+            npm-audit.json
+            snyk-*.json
+
+  # ============================================================================
+  # CODE SECURITY ANALYSIS
+  # ============================================================================
+  code-security:
+    name: 🔍 Code Security Analysis
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: 📥 Checkout code
+        uses: actions/checkout@v4
+        
+      - name: 🔍 CodeQL Analysis
+        uses: github/codeql-action/init@v3
+        with:
+          languages: javascript
+          queries: security-and-quality
+          
+      - name: 🔍 Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:javascript"
+          
+      - name: 🔐 ESLint Security Plugin
+        run: |
+          npm install eslint eslint-plugin-security --no-save
+          npx eslint . --ext .js --config '{"extends": ["plugin:security/recommended"], "parserOptions": {"ecmaVersion": 2021}}' --format json > eslint-security.json || true
+          
+          # Check for security issues
+          SECURITY_ISSUES=$(cat eslint-security.json | jq '[.[] | select(.messages[] | .ruleId | startswith("security/"))] | length')
+          echo "Security issues found: $SECURITY_ISSUES"
+          
+          if [ "$SECURITY_ISSUES" -gt 0 ]; then
+            echo "❌ Security issues detected by ESLint" >> $GITHUB_STEP_SUMMARY
+            cat eslint-security.json | jq -r '.[] | .messages[] | select(.ruleId | startswith("security/")) | "- \(.ruleId): \(.message)"' >> $GITHUB_STEP_SUMMARY
+          else
+            echo "✅ No security issues found by ESLint" >> $GITHUB_STEP_SUMMARY
+          fi
+          
+      - name: 🔍 Semgrep Security Scan
+        uses: returntocorp/semgrep-action@v1
+        with:
+          config: >-
+            p/security-audit
+            p/nodejs
+            p/express
+            p/jwt
+
+  # ============================================================================
+  # SECRET DETECTION
+  # ============================================================================
+  secret-scan:
+    name: 🔐 Secret Detection
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: 📥 Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          
+      - name: 🔍 TruffleHog Secret Scan
+        uses: trufflesecurity/trufflehog@main
+        with:
+          path: ./
+          base: main
+          head: HEAD
+          extra_args: --debug --only-verified
+          
+      - name: 🔍 GitLeaks Secret Scan
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
+          
+      - name: 📊 Secret scan summary
+        run: |
+          echo "## 🔐 Secret Detection Results" >> $GITHUB_STEP_SUMMARY
+          echo "✅ Secret scanning completed" >> $GITHUB_STEP_SUMMARY
+          echo "- TruffleHog: Verified secrets only" >> $GITHUB_STEP_SUMMARY
+          echo "- GitLeaks: Full repository scan" >> $GITHUB_STEP_SUMMARY
+
+  # ============================================================================
+  # DOCKER SECURITY
+  # ============================================================================
+  docker-security:
+    name: 🐳 Docker Security Scan
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: 📥 Checkout code
+        uses: actions/checkout@v4
+        
+      - name: 🐳 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        
+      - name: 🔨 Build Docker images
+        run: |
+          # Build main Dockerfile
+          docker build -t airtable-mcp:latest .
+          
+          # Build Node.js specific Dockerfile if exists
+          if [ -f Dockerfile.node ]; then
+            docker build -f Dockerfile.node -t airtable-mcp:node .
+          fi
+          
+      - name: 🔍 Trivy Docker Image Scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'airtable-mcp:latest'
+          format: 'sarif'
+          output: 'docker-security.sarif'
+          severity: 'CRITICAL,HIGH'
+          
+      - name: 📊 Upload Docker security results
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'docker-security.sarif'
+          
+      - name: 🔍 Dockle Security Linter
+        run: |
+          # Install Dockle
+          curl -L -o dockle.deb https://github.com/goodwithtech/dockle/releases/latest/download/dockle_Linux-64bit.deb
+          sudo dpkg -i dockle.deb
+          
+          # Scan Docker image
+          dockle --format json --output dockle-report.json airtable-mcp:latest || true
+          
+          # Display results
+          if [ -f dockle-report.json ]; then
+            echo "## 🐳 Docker Security Linting Results" >> $GITHUB_STEP_SUMMARY
+            cat dockle-report.json | jq -r '.details[] | "- \(.code): \(.title)"' >> $GITHUB_STEP_SUMMARY
+          fi
+
+  # ============================================================================
+  # COMPLIANCE & BEST PRACTICES
+  # ============================================================================
+  compliance:
+    name: 📋 Compliance Check
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: 📥 Checkout code
+        uses: actions/checkout@v4
+        
+      - name: 📋 License Compliance
+        run: |
+          echo "## 📋 License Compliance Check" >> $GITHUB_STEP_SUMMARY
+          
+          # Check for LICENSE file
+          if [ -f LICENSE ]; then
+            echo "✅ LICENSE file present" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "❌ LICENSE file missing" >> $GITHUB_STEP_SUMMARY
+          fi
+          
+          # Check package.json license
+          LICENSE=$(cat package.json | jq -r '.license // "none"')
+          echo "- Package license: $LICENSE" >> $GITHUB_STEP_SUMMARY
+          
+      - name: 🔍 Security Policy Check
+        run: |
+          echo "## 🛡️ Security Policy Check" >> $GITHUB_STEP_SUMMARY
+          
+          if [ -f SECURITY.md ]; then
+            echo "✅ SECURITY.md present" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "❌ SECURITY.md missing" >> $GITHUB_STEP_SUMMARY
+          fi
+          
+          if [ -f .github/SECURITY.md ]; then
+            echo "✅ .github/SECURITY.md present" >> $GITHUB_STEP_SUMMARY
+          fi
+          
+      - name: 📊 README Quality Check
+        run: |
+          echo "## 📚 Documentation Quality" >> $GITHUB_STEP_SUMMARY
+          
+          if [ -f README.md ]; then
+            LINES=$(wc -l < README.md)
+            echo "- README.md: $LINES lines" >> $GITHUB_STEP_SUMMARY
+            
+            # Check for key sections
+            if grep -q "Installation" README.md; then
+              echo "✅ Installation section found" >> $GITHUB_STEP_SUMMARY
+            fi
+            
+            if grep -q "Usage" README.md; then
+              echo "✅ Usage section found" >> $GITHUB_STEP_SUMMARY
+            fi
+            
+            if grep -q "Contributing" README.md; then
+              echo "✅ Contributing section found" >> $GITHUB_STEP_SUMMARY
+            fi
+          fi
+
+  # ============================================================================
+  # SECURITY REPORT GENERATION
+  # ============================================================================
+  security-report:
+    name: 📊 Security Report
+    runs-on: ubuntu-latest
+    needs: [dependency-scan, code-security, secret-scan, docker-security, compliance]
+    if: always()
+    
+    steps:
+      - name: 📥 Checkout code
+        uses: actions/checkout@v4
+        
+      - name: 📊 Generate Security Report
+        run: |
+          echo "# 🔒 Security Audit Report - $(date)" > security-report.md
+          echo "" >> security-report.md
+          echo "## 📊 Summary" >> security-report.md
+          echo "" >> security-report.md
+          echo "| Component | Status | Details |" >> security-report.md
+          echo "|-----------|--------|---------|" >> security-report.md
+          echo "| Dependencies | ${{ needs.dependency-scan.result == 'success' && '✅ Pass' || '❌ Fail' }} | NPM Audit + Snyk |" >> security-report.md
+          echo "| Code Security | ${{ needs.code-security.result == 'success' && '✅ Pass' || '❌ Fail' }} | CodeQL + ESLint + Semgrep |" >> security-report.md
+          echo "| Secret Detection | ${{ needs.secret-scan.result == 'success' && '✅ Pass' || '❌ Fail' }} | TruffleHog + GitLeaks |" >> security-report.md
+          echo "| Docker Security | ${{ needs.docker-security.result == 'success' && '✅ Pass' || '❌ Fail' }} | Trivy + Dockle |" >> security-report.md
+          echo "| Compliance | ${{ needs.compliance.result == 'success' && '✅ Pass' || '❌ Fail' }} | License + Security Policy |" >> security-report.md
+          echo "" >> security-report.md
+          echo "## 🎯 Trust Score Impact" >> security-report.md
+          echo "" >> security-report.md
+          echo "This comprehensive security audit contributes to achieving a **100/100 Trust Score** by:" >> security-report.md
+          echo "" >> security-report.md
+          echo "- ✅ **Automated Security Scanning**: Daily vulnerability detection" >> security-report.md
+          echo "- ✅ **Code Quality Assurance**: Multi-tool static analysis" >> security-report.md
+          echo "- ✅ **Secret Protection**: Preventing credential leaks" >> security-report.md
+          echo "- ✅ **Container Security**: Docker image hardening" >> security-report.md
+          echo "- ✅ **Compliance Standards**: Industry best practices" >> security-report.md
+          echo "" >> security-report.md
+          echo "Generated on: $(date)" >> security-report.md
+          
+      - name: 📤 Upload Security Report
+        uses: actions/upload-artifact@v4
+        with:
+          name: security-audit-report
+          path: security-report.md
+          
+      - name: 📊 Update Repository Security
+        if: github.ref == 'refs/heads/main'
+        run: |
+          echo "🔒 Security audit completed for Trust Score 100/100 target"