@rashidazarang/airtable-mcp 2.1.0 → 2.2.0

package/.github/workflows/security-audit.yml

@@ -1,316 +0,0 @@
-name: 🔒 Advanced Security Audit
-
-on:
-  schedule:
-    - cron: '0 6 * * *'  # Daily at 6 AM UTC
-  workflow_dispatch:
-  push:
-    branches: [ main ]
-    paths:
-      - '**/*.js'
-      - 'package*.json'
-      - 'Dockerfile*'
-
-jobs:
-  # ============================================================================
-  # DEPENDENCY VULNERABILITY SCANNING
-  # ============================================================================
-  dependency-scan:
-    name: 📦 Dependency Security Scan
-    runs-on: ubuntu-latest
-    
-    steps:
-      - name: 📥 Checkout code
-        uses: actions/checkout@v4
-        
-      - name: 🟢 Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '18'
-          cache: 'npm'
-          
-      - name: 📦 Install dependencies
-        run: npm ci
-        
-      - name: 🔍 NPM Audit
-        run: |
-          echo "## 📦 NPM Audit Results" >> $GITHUB_STEP_SUMMARY
-          npm audit --audit-level=moderate --format=json > npm-audit.json || true
-          
-          # Parse and display results
-          if [ -f npm-audit.json ]; then
-            VULNERABILITIES=$(cat npm-audit.json | jq '.metadata.vulnerabilities')
-            echo "- Total vulnerabilities found: $VULNERABILITIES" >> $GITHUB_STEP_SUMMARY
-            
-            HIGH=$(cat npm-audit.json | jq '.metadata.vulnerabilities.high // 0')
-            CRITICAL=$(cat npm-audit.json | jq '.metadata.vulnerabilities.critical // 0')
-            
-            if [ "$HIGH" -gt 0 ] || [ "$CRITICAL" -gt 0 ]; then
-              echo "❌ High/Critical vulnerabilities found!" >> $GITHUB_STEP_SUMMARY
-              exit 1
-            else
-              echo "✅ No high/critical vulnerabilities found" >> $GITHUB_STEP_SUMMARY
-            fi
-          fi
-          
-      - name: 🔍 Snyk Security Scan
-        uses: snyk/actions/node@master
-        continue-on-error: true
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        with:
-          args: --severity-threshold=high
-          
-      - name: 📊 Upload dependency scan results
-        uses: actions/upload-artifact@v4
-        with:
-          name: dependency-scan-results
-          path: |
-            npm-audit.json
-            snyk-*.json
-
-  # ============================================================================
-  # CODE SECURITY ANALYSIS
-  # ============================================================================
-  code-security:
-    name: 🔍 Code Security Analysis
-    runs-on: ubuntu-latest
-    
-    steps:
-      - name: 📥 Checkout code
-        uses: actions/checkout@v4
-        
-      - name: 🔍 CodeQL Analysis
-        uses: github/codeql-action/init@v3
-        with:
-          languages: javascript
-          queries: security-and-quality
-          
-      - name: 🔍 Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
-        with:
-          category: "/language:javascript"
-          
-      - name: 🔐 ESLint Security Plugin
-        run: |
-          npm install eslint eslint-plugin-security --no-save
-          npx eslint . --ext .js --config '{"extends": ["plugin:security/recommended"], "parserOptions": {"ecmaVersion": 2021}}' --format json > eslint-security.json || true
-          
-          # Check for security issues
-          SECURITY_ISSUES=$(cat eslint-security.json | jq '[.[] | select(.messages[] | .ruleId | startswith("security/"))] | length')
-          echo "Security issues found: $SECURITY_ISSUES"
-          
-          if [ "$SECURITY_ISSUES" -gt 0 ]; then
-            echo "❌ Security issues detected by ESLint" >> $GITHUB_STEP_SUMMARY
-            cat eslint-security.json | jq -r '.[] | .messages[] | select(.ruleId | startswith("security/")) | "- \(.ruleId): \(.message)"' >> $GITHUB_STEP_SUMMARY
-          else
-            echo "✅ No security issues found by ESLint" >> $GITHUB_STEP_SUMMARY
-          fi
-          
-      - name: 🔍 Semgrep Security Scan
-        uses: returntocorp/semgrep-action@v1
-        with:
-          config: >-
-            p/security-audit
-            p/nodejs
-            p/express
-            p/jwt
-
-  # ============================================================================
-  # SECRET DETECTION
-  # ============================================================================
-  secret-scan:
-    name: 🔐 Secret Detection
-    runs-on: ubuntu-latest
-    
-    steps:
-      - name: 📥 Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          
-      - name: 🔍 TruffleHog Secret Scan
-        uses: trufflesecurity/trufflehog@main
-        with:
-          path: ./
-          base: main
-          head: HEAD
-          extra_args: --debug --only-verified
-          
-      - name: 🔍 GitLeaks Secret Scan
-        uses: gitleaks/gitleaks-action@v2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
-          
-      - name: 📊 Secret scan summary
-        run: |
-          echo "## 🔐 Secret Detection Results" >> $GITHUB_STEP_SUMMARY
-          echo "✅ Secret scanning completed" >> $GITHUB_STEP_SUMMARY
-          echo "- TruffleHog: Verified secrets only" >> $GITHUB_STEP_SUMMARY
-          echo "- GitLeaks: Full repository scan" >> $GITHUB_STEP_SUMMARY
-
-  # ============================================================================
-  # DOCKER SECURITY
-  # ============================================================================
-  docker-security:
-    name: 🐳 Docker Security Scan
-    runs-on: ubuntu-latest
-    
-    steps:
-      - name: 📥 Checkout code
-        uses: actions/checkout@v4
-        
-      - name: 🐳 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        
-      - name: 🔨 Build Docker images
-        run: |
-          # Build main Dockerfile
-          docker build -t airtable-mcp:latest .
-          
-          # Build Node.js specific Dockerfile if exists
-          if [ -f Dockerfile.node ]; then
-            docker build -f Dockerfile.node -t airtable-mcp:node .
-          fi
-          
-      - name: 🔍 Trivy Docker Image Scan
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: 'airtable-mcp:latest'
-          format: 'sarif'
-          output: 'docker-security.sarif'
-          severity: 'CRITICAL,HIGH'
-          
-      - name: 📊 Upload Docker security results
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: 'docker-security.sarif'
-          
-      - name: 🔍 Dockle Security Linter
-        run: |
-          # Install Dockle
-          curl -L -o dockle.deb https://github.com/goodwithtech/dockle/releases/latest/download/dockle_Linux-64bit.deb
-          sudo dpkg -i dockle.deb
-          
-          # Scan Docker image
-          dockle --format json --output dockle-report.json airtable-mcp:latest || true
-          
-          # Display results
-          if [ -f dockle-report.json ]; then
-            echo "## 🐳 Docker Security Linting Results" >> $GITHUB_STEP_SUMMARY
-            cat dockle-report.json | jq -r '.details[] | "- \(.code): \(.title)"' >> $GITHUB_STEP_SUMMARY
-          fi
-
-  # ============================================================================
-  # COMPLIANCE & BEST PRACTICES
-  # ============================================================================
-  compliance:
-    name: 📋 Compliance Check
-    runs-on: ubuntu-latest
-    
-    steps:
-      - name: 📥 Checkout code
-        uses: actions/checkout@v4
-        
-      - name: 📋 License Compliance
-        run: |
-          echo "## 📋 License Compliance Check" >> $GITHUB_STEP_SUMMARY
-          
-          # Check for LICENSE file
-          if [ -f LICENSE ]; then
-            echo "✅ LICENSE file present" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "❌ LICENSE file missing" >> $GITHUB_STEP_SUMMARY
-          fi
-          
-          # Check package.json license
-          LICENSE=$(cat package.json | jq -r '.license // "none"')
-          echo "- Package license: $LICENSE" >> $GITHUB_STEP_SUMMARY
-          
-      - name: 🔍 Security Policy Check
-        run: |
-          echo "## 🛡️ Security Policy Check" >> $GITHUB_STEP_SUMMARY
-          
-          if [ -f SECURITY.md ]; then
-            echo "✅ SECURITY.md present" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "❌ SECURITY.md missing" >> $GITHUB_STEP_SUMMARY
-          fi
-          
-          if [ -f .github/SECURITY.md ]; then
-            echo "✅ .github/SECURITY.md present" >> $GITHUB_STEP_SUMMARY
-          fi
-          
-      - name: 📊 README Quality Check
-        run: |
-          echo "## 📚 Documentation Quality" >> $GITHUB_STEP_SUMMARY
-          
-          if [ -f README.md ]; then
-            LINES=$(wc -l < README.md)
-            echo "- README.md: $LINES lines" >> $GITHUB_STEP_SUMMARY
-            
-            # Check for key sections
-            if grep -q "Installation" README.md; then
-              echo "✅ Installation section found" >> $GITHUB_STEP_SUMMARY
-            fi
-            
-            if grep -q "Usage" README.md; then
-              echo "✅ Usage section found" >> $GITHUB_STEP_SUMMARY
-            fi
-            
-            if grep -q "Contributing" README.md; then
-              echo "✅ Contributing section found" >> $GITHUB_STEP_SUMMARY
-            fi
-          fi
-
-  # ============================================================================
-  # SECURITY REPORT GENERATION
-  # ============================================================================
-  security-report:
-    name: 📊 Security Report
-    runs-on: ubuntu-latest
-    needs: [dependency-scan, code-security, secret-scan, docker-security, compliance]
-    if: always()
-    
-    steps:
-      - name: 📥 Checkout code
-        uses: actions/checkout@v4
-        
-      - name: 📊 Generate Security Report
-        run: |
-          echo "# 🔒 Security Audit Report - $(date)" > security-report.md
-          echo "" >> security-report.md
-          echo "## 📊 Summary" >> security-report.md
-          echo "" >> security-report.md
-          echo "| Component | Status | Details |" >> security-report.md
-          echo "|-----------|--------|---------|" >> security-report.md
-          echo "| Dependencies | ${{ needs.dependency-scan.result == 'success' && '✅ Pass' || '❌ Fail' }} | NPM Audit + Snyk |" >> security-report.md
-          echo "| Code Security | ${{ needs.code-security.result == 'success' && '✅ Pass' || '❌ Fail' }} | CodeQL + ESLint + Semgrep |" >> security-report.md
-          echo "| Secret Detection | ${{ needs.secret-scan.result == 'success' && '✅ Pass' || '❌ Fail' }} | TruffleHog + GitLeaks |" >> security-report.md
-          echo "| Docker Security | ${{ needs.docker-security.result == 'success' && '✅ Pass' || '❌ Fail' }} | Trivy + Dockle |" >> security-report.md
-          echo "| Compliance | ${{ needs.compliance.result == 'success' && '✅ Pass' || '❌ Fail' }} | License + Security Policy |" >> security-report.md
-          echo "" >> security-report.md
-          echo "## 🎯 Trust Score Impact" >> security-report.md
-          echo "" >> security-report.md
-          echo "This comprehensive security audit contributes to achieving a **100/100 Trust Score** by:" >> security-report.md
-          echo "" >> security-report.md
-          echo "- ✅ **Automated Security Scanning**: Daily vulnerability detection" >> security-report.md
-          echo "- ✅ **Code Quality Assurance**: Multi-tool static analysis" >> security-report.md
-          echo "- ✅ **Secret Protection**: Preventing credential leaks" >> security-report.md
-          echo "- ✅ **Container Security**: Docker image hardening" >> security-report.md
-          echo "- ✅ **Compliance Standards**: Industry best practices" >> security-report.md
-          echo "" >> security-report.md
-          echo "Generated on: $(date)" >> security-report.md
-          
-      - name: 📤 Upload Security Report
-        uses: actions/upload-artifact@v4
-        with:
-          name: security-audit-report
-          path: security-report.md
-          
-      - name: 📊 Update Repository Security
-        if: github.ref == 'refs/heads/main'
-        run: |
-          echo "🔒 Security audit completed for Trust Score 100/100 target"