feat: Implement Bloqr landing page — 10 section components, dark design system, SSR-safe persona tabs, a11y hardening #1017

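name: ZTA Security Lint

# Grep-based gate for the ZTA security policy. It blocks a handful of
# well-known dangerous patterns (eval, raw innerHTML, hardcoded secrets,
# auth tokens in web storage, string-built SQL, CORS wildcards) and warns on
# two softer ones. It is a safety net against mistakes, not a parser or an
# adversarial control: a clean run does not prove these issues are absent,
# and a pull request that edits this file runs the edited version.
on:
  pull_request:
    paths:
      - 'worker/**'
      - 'src/**'
      - 'frontend/**'
  push:
    branches: [main]

# Read-only token: the job only greps the checkout.
permissions:
  contents: read

env:
  # Directories the greps below scan. A grep over a missing directory finds
  # nothing and would report a pass without having looked at anything, so the
  # "Verify scan roots" step fails the job instead. Update this list (and the
  # grep arguments) together if the layout changes.
  SCAN_ROOTS: 'worker src frontend/src'
  # Exclusion applied to `grep -rn` output (`path:line:content`). It is
  # anchored to the path prefix so only test/spec files, `.d.ts` declarations
  # and test directories are skipped; a source file whose name merely contains
  # "test" or "spec" (latest.ts, inspector.ts) is still scanned.
  SKIP_FILES: '^[^:]*(\.(test|spec)\.[cm]?[jt]sx?:|\.d\.ts:|/(__tests__|tests?|testing|specs?)/)'
  # Lines that are entirely a `//` comment. A bare `// ` substring filter
  # would also exempt real code that happens to carry a trailing comment.
  SKIP_COMMENT_LINES: '^[^:]*:[0-9]+:[[:space:]]*//'

jobs:
  zta-security-lint:
    name: ZTA Security Lint
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: read
    defaults:
      run:
        # Pin the shell so the pipelines below behave identically on every
        # runner image (GitHub's explicit bash also enables `pipefail`).
        shell: bash
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Nothing here pushes or calls the API; do not leave GITHUB_TOKEN in
          # .git/config for later steps to read.
          persist-credentials: false

      - name: Verify scan roots
        run: |
          missing=0
          for dir in $SCAN_ROOTS; do
            if [ ! -d "$dir" ]; then
              echo "::error::Scan root '$dir' not found; the lint would silently scan nothing. Update SCAN_ROOTS or restore the directory."
              missing=1
            fi
          done
          exit "$missing"

      - name: Check for eval() usage
        run: |
          hits=$(grep -rn 'eval(' worker/ src/ --include='*.ts' --include='*.js' \
            | grep -vE "$SKIP_FILES" | grep -vE "$SKIP_COMMENT_LINES" || true)
          if [ -n "$hits" ]; then
            # file:line:content, so the author can go straight to the offender
            printf '%s\n' "$hits"
            echo "::error::Found eval() usage in worker/src. Eval is prohibited per ZTA security policy."
            exit 1
          fi
          echo "✅ No eval() usage found"

      - name: Check for dangerous innerHTML usage
        run: |
          # `[innerHTML]` is Angular's template binding, which runs the value
          # through the sanitizer. `\bsanitize[A-Za-z]*\(` exempts explicit
          # sanitizer calls without also exempting identifiers such as
          # `unsanitized`.
          # NOTE(review): `bypassSecurity` exempts bypassSecurityTrust* calls,
          # which are precisely where sanitization is switched off; consider
          # dropping this exemption and reviewing those call sites by hand.
          hits=$(grep -rn 'innerHTML' worker/ frontend/src/ --include='*.ts' --include='*.html' \
            | grep -vE "$SKIP_FILES" | grep -vE "$SKIP_COMMENT_LINES" \
            | grep -vE 'DomSanitizer|\bsanitize[A-Za-z]*\(|bypassSecurity|\[innerHTML\]|matTooltip|tooltipText' || true)
          if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            echo "::error::Found unsafe innerHTML assignment. Use Angular's DomSanitizer or template binding."
            exit 1
          fi
          echo "✅ No unsafe innerHTML usage found"

      - name: Check for hardcoded secrets patterns
        run: |
          # Case-insensitive PCRE: a secret-ish identifier assigned a quoted
          # literal of 8+ characters. The `.` in `api.key` matches apiKey,
          # api_key and api-key; `\x27` is a single quote.
          # NOTE(review): `=` misses object-literal properties such as
          # `{ apiKey: "..." }`; widening to `[:=]` catches them but will also
          # flag i18n/label maps like `password: 'Enter your password'`.
          PATTERN='(password|secret|api.key|token)\s*=\s*["\x27][^"\x27]{8,}["\x27]'
          hits=$(grep -rniP "${PATTERN}" worker/ src/ --include='*.ts' --include='*.js' \
            | grep -vE "$SKIP_FILES" | grep -vE "$SKIP_COMMENT_LINES" \
            | grep -vE 'example|placeholder|\$\{|process\.env|env\.' || true)
          if [ -n "$hits" ]; then
            # Print only file:line. Echoing the matched text would copy the
            # candidate secret into the retained, widely readable job log.
            printf '%s\n' "$hits" | cut -d: -f1,2
            echo "::error::Potential hardcoded secret found. Use environment variables."
            exit 1
          fi
          echo "✅ No hardcoded secrets patterns found"

      - name: Check for web storage auth token storage
        run: |
          # sessionStorage is included: it is just as readable by injected
          # script as localStorage, so it is no safer a home for a token.
          hits=$(grep -rEn '(localStorage|sessionStorage)\.setItem.*([Tt]oken|[Aa]uth|[Jj]wt)' worker/ frontend/src/ --include='*.ts' \
            | grep -vE "$SKIP_FILES" | grep -vE "$SKIP_COMMENT_LINES" || true)
          if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            echo "::error::Found auth token storage in localStorage/sessionStorage. Use Better Auth / BetterAuthService for auth state management."
            exit 1
          fi
          echo "✅ No web storage auth token usage found"

      - name: Check for SQL injection patterns
        run: |
          # String concatenation or template interpolation into a statement.
          # `.prepare(` is exempted, presumably for bound-parameter statements
          # (`db.prepare(sql).bind(...)`); `.join(` and `.log(` are exempted to
          # avoid flagging identifier lists and log formatting.
          hits=$(grep -rEn 'query\s*\+|query\s*=.*\+\s*[a-zA-Z]|`SELECT.*\$\{|`INSERT.*\$\{|`UPDATE.*\$\{|`DELETE.*\$\{' worker/ src/ --include='*.ts' \
            | grep -vE "$SKIP_FILES" | grep -vE "$SKIP_COMMENT_LINES" \
            | grep -vE '\.prepare\(|\.join\(|\.log\(' || true)
          if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            echo "::error::Potential SQL injection pattern found. Use parameterized queries."
            exit 1
          fi
          echo "✅ No SQL injection patterns found"

      - name: Check for missing input validation on API routes
        run: |
          # Warning only: a body read on a line with no Zod parse call is a
          # hint, not proof, that validation is missing (it may happen on the
          # next line).
          hits=$(grep -rEn 'request\.json\(\)|req\.body' worker/ --include='*.ts' \
            | grep -vE "$SKIP_FILES" | grep -vE "$SKIP_COMMENT_LINES" \
            | grep -vE 'zod|\.parse\(|\.safeParse\(' || true)
          if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            echo "::warning::Found API routes potentially missing Zod input validation. Ensure all request bodies are validated."
          fi
          echo "✅ Input validation check complete"

      - name: Check for CORS wildcard origins
        run: |
          # A quoted `*` on a line that also mentions cors/origin/allow.
          hits=$(grep -rEn "'\*'|\"\*\"" worker/ src/ --include='*.ts' \
            | grep -iE 'cors|origin|allow' \
            | grep -vE "$SKIP_FILES" | grep -vE "$SKIP_COMMENT_LINES" || true)
          if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            echo "::error::Found CORS wildcard origin. Use specific allowed origins."
            exit 1
          fi
          echo "✅ No CORS wildcard origins found"

      - name: Check for console.log with sensitive data patterns
        run: |
          # Warning only. The `key` exemptions (apiKey, keyHash, keyPrefix)
          # are for logging of key identifiers/hashes rather than key values.
          hits=$(grep -rEn 'console\.log.*(password|token|secret|key)' worker/ src/ --include='*.ts' \
            | grep -vE "$SKIP_FILES" | grep -vE "$SKIP_COMMENT_LINES" \
            | grep -vE 'api\.key|apiKey|keyHash|keyPrefix' || true)
          if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            echo "::warning::Found potential sensitive data logging. Review console.log statements."
          fi
          echo "✅ Sensitive data logging check complete"

      - name: Lint summary
        # Reached only if every blocking step above passed; warnings from the
        # two advisory steps do not fail the job.
        run: echo "✅ ZTA security lint passed"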