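---
# CI for the osint_core project.
#
# Job 1 (test-and-secure): lint, format check, Bandit static scan, dependency
# audit and the test suite.
# Job 2 (drift-guard): repository invariants that must not erode over time
# (required files present, no forbidden tooling, no unmarked outbound HTTP,
# parseable data file, no raw indicators in library code).
name: CI

on:  # yamllint disable-line rule:truthy -- GitHub's loader treats the 1.1 boolean key correctly
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]

# Least privilege: the default GITHUB_TOKEN only needs read access to the repository.
permissions:
  contents: read

jobs:
  test-and-secure:
    runs-on: ubuntu-latest
    # Bound a hung install or network stall instead of holding the runner for hours.
    timeout-minutes: 20
    env:
      # Job-level, so it is visible to every step below including the test run.
      # NOTE(review): presumably lets osint_core fall back to a development salt
      # under test -- confirm against the code that reads it.
      ALLOW_DEV_SALT: "true"
    steps:
      # NOTE(review): every `uses:` below is pinned to a mutable major tag. For a
      # stronger supply-chain guarantee pin each action to its full commit SHA
      # (look the SHA up from the action's release; none is recorded here).
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.13"

      - name: Cache pip dependencies
        uses: actions/cache@v4
        with:
          path: ~/.cache/pip
          # Cache is keyed on the exact requirements file; the restore key only
          # warms the cache when that file changes.
          key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}
          restore-keys: |
            ${{ runner.os }}-pip-

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          python -m pip install -r requirements.txt
          python -m pip install pytest ruff bandit pip-audit

      - name: Lint with Ruff
        run: ruff check .

      - name: Check formatting with Ruff
        run: ruff format --check .

      - name: Security scan with Bandit
        # -ll: report findings of medium severity and above.
        run: |
          bandit -r osint_core/ -ll

      - name: Audit Python dependencies
        # Audits the pinned requirements against known-vulnerability data.
        run: |
          pip-audit -r requirements.txt

      - name: Run tests
        run: |
          pytest -v --tb=short

  drift-guard:
    runs-on: ubuntu-latest
    needs: test-and-secure
    timeout-minutes: 10
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.13"

      - name: Install YAML parser
        run: |
          python -m pip install --upgrade pip
          python -m pip install PyYAML

      - name: Verify critical files exist
        # The default `bash -e` shell makes the step fail on the first missing file.
        run: |
          test -f osint_core/intent.py
          test -f osint_core/policy.py
          test -f osint_core/validators.py

      - name: Prevent forbidden tools from entering repo
        # -i closes the trivial case-mismatch bypass (e.g. "Nmap"); -w stops
        # substring hits such as "nmap" inside "unmapped". The workflow, README
        # and docs are allowed to mention the names.
        run: |
          if git grep -n -I -i -w -E "nmap|masscan|sqlmap|metasploit" -- . \
              ':(exclude).github/workflows/*' \
              ':(exclude)README.md' \
              ':(exclude)docs/*'; then
            echo "Forbidden tooling detected"
            exit 1
          fi

      - name: Enforce passive-first invariant
        # Every outbound HTTP call in osint_core/ must sit on a line marked
        # "authorized". `grep -v -w` is used because an unanchored
        # `grep -v "authorized"` also matched "unauthorized" and silently
        # waved such lines through. The pattern covers the common requests
        # verbs rather than GET alone, since POST/PUT are no more passive.
        run: |
          if git grep -n -I -E "requests\.(get|post|put|patch|delete|head)\(" -- osint_core/ \
              | grep -v -w "authorized"; then
            echo "Potential unauthorized outbound request"
            exit 1
          fi

      - name: Validate YAML integrity
        # safe_load only: the data file must never be able to instantiate
        # arbitrary objects. read_text() avoids leaving the handle open.
        run: |
          python -c "import pathlib, yaml; yaml.safe_load(pathlib.Path('data/sources.yaml').read_text(encoding='utf-8'))"

      - name: Check for raw indicator leakage
        # Library code must not carry literal domains, mailboxes or private
        # addresses; fixtures belong in test data, not osint_core/.
        # NOTE(review): only the 192.168/16 private range is covered here.
        run: |
          if git grep -n -I -E "example\.com|@gmail\.com|192\.168\." -- osint_core/; then
            echo "Possible raw indicator leakage"
            exit 1
          fi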