fix(ci): Resolve workflow-linter self-matching and metadata issues #156
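# SPDX-License-Identifier: PMPL-1.0-or-later
#
# Advisory PHP security scan: greps the checked-out tree for a few risky
# constructs (code-execution sinks, superglobals flowing into queries or
# unescaped output) and reports hits as step output plus GitHub warning
# annotations. The step never fails the job on a hit; findings are for
# human triage, not a gate.
name: PHP Security Check
on: [push, pull_request]
# Workflow-wide default: no write scope on the token anywhere.
permissions: read-all
jobs:
  security:
    runs-on: ubuntu-latest
    # The job only reads the checkout; keep the token to contents: read.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: PHP Security Scan
        # Explicit bash so the runner invokes it with `-e -o pipefail`;
        # the unspecified default is `bash -e` only.
        shell: bash
        run: |
          # scan PATTERN: recursive ERE grep over *.php with path:line:text
          # output. Third-party code is skipped by pruning directories named
          # `vendor` rather than dropping any output line that merely
          # contains "vendor/", which previously hid real matches such as
          # `exec("vendor/bin/...")`. grep's non-zero status for "no match"
          # (and SIGPIPE from `head`) is masked; unreadable-path noise on
          # stderr is discarded as before.
          scan() {
            grep -rnE --include='*.php' --exclude-dir=vendor -- "$1" . 2>/dev/null || true
          }
          # report HEADING FINDINGS: print nothing when FINDINGS is empty,
          # otherwise emit a workflow warning annotation (visible in the PR
          # checks UI) followed by the heading and the matching lines.
          report() {
            if [ -n "$2" ]; then
              printf '::warning::%s\n' "$1"
              printf '⚠️ %s\n%s\n' "$1" "$2"
            fi
          }
          # Check for dangerous functions (code-execution sinks and the
          # backtick shell operator); capped at 10 lines of output.
          DANGEROUS=$(scan 'eval\s*\(|exec\s*\(|system\s*\(|passthru\s*\(|shell_exec\s*\(|`.*\$' | head -10)
          report 'Potentially dangerous PHP functions found:' "$DANGEROUS"
          # Check for SQL injection patterns (superglobal next to a query call).
          SQLI=$(scan '\$_(GET|POST|REQUEST).*query|mysqli_query.*\$_' | head -5)
          report 'Potential SQL injection patterns:' "$SQLI"
          # Check for XSS patterns (superglobal echoed without escaping).
          XSS=$(scan 'echo\s+\$_(GET|POST|REQUEST)' | head -5)
          report 'Potential XSS patterns (unescaped output):' "$XSS"
          echo "✅ PHP security scan completed"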