-
-
Notifications
You must be signed in to change notification settings - Fork 0
102 lines (85 loc) · 2.73 KB
/
security.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
name: Security
on:
push:
branches: [ "master" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "master" ]
schedule:
- cron: "30 03 * * *" # 12am UTC, 5:30pm Indian, 9pm Brazil, 11am AEDT
workflow_dispatch:
inputs:
none:
description: "Run Nightlies Tests Manually"
required: false
concurrency:
group: security-${{ github.event_name == 'pull_request' && format('{0}-{1}', github.workflow, github.event.pull_request.number) || github.workflow_ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
safety:
name: Safety Security Scan
runs-on: ubuntu-latest
steps:
- name: Check out master
uses: actions/checkout@master
- uses: pyupio/safety-action@v1
with:
api-key: ${{ secrets.SAFETY_API_KEY }}
bandit-security-scan:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Bandit Security Scan
runs-on: ubuntu-latest
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: 3.12
cache: 'pip' # caching pip dependencies
- name: Install dependencies
run: |
python -m pip install --upgrade pip
python -m pip install uv
python -m uv pip install bandit[sarif]
python -m uv pip install -r requirements.txt
# Execute Bandit
- name: Run Bandit CLI
run: |
bandit -r . -v --format sarif -o results.sarif
# Upload the SARIF file generated in the previous step
- name: Upload SARIF results file
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
security:
name: Pip-audit Scan
runs-on: ubuntu-latest
steps:
- name: Check out master
uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: 3.12
- name: install
run: |
python -m pip install -r requirements.txt
- uses: pypa/[email protected]
with:
vulnerability-service: osv
trufflehog:
name: Secret Leaks
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Secret Scanning
uses: trufflesecurity/trufflehog@main