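name: Security Scan

# Static analysis (bandit) and dependency vulnerability scans (safety, pip-audit)
# on pushes, pull requests and a weekly schedule. Reports are uploaded as
# artifacts.
#
# `on` is a YAML 1.1 boolean-looking token; GitHub's loader treats it as the
# expected key, so suppress yamllint's `truthy` rule on this line if linting.
on:
  push:
    branches: ["main", "master", "develop"]
  pull_request:
    branches: ["main", "master"]
  schedule:
    # Run security scan weekly on Sundays at 2 AM UTC
    - cron: '0 2 * * 0'

# Least privilege for GITHUB_TOKEN: every step below only reads the checkout;
# artifact upload uses the runtime token, not GITHUB_TOKEN. Without an explicit
# block the repository default applies, which may grant write scopes.
permissions:
  contents: read

jobs:
  # Third-party actions are referenced by major-version tag. Tags are mutable;
  # for a stricter supply-chain posture pin each `uses:` to a full commit SHA
  # (`owner/action@<commit-sha>  # vN`, placeholder) and let a bot track bumps.
  security:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install uv
        uses: astral-sh/setup-uv@v3
        with:
          # "latest" is not reproducible between runs; pin a version if scan
          # results need to be comparable run to run.
          version: "latest"

      - name: Set up Python
        run: uv python install 3.11

      - name: Install dependencies
        run: uv sync --extra security

      - name: Run bandit security linter
        run: uv run bandit -r src/ -f json -o bandit-report.json
        # Findings never fail the job; they only surface in the uploaded
        # report. Drop `continue-on-error` to gate merges on bandit's exit code.
        continue-on-error: true

      - name: Run safety vulnerability check
        # NOTE(review): newer safety releases deprecate `check` in favour of
        # `scan`; confirm the version resolved by `--extra security` still
        # accepts `--save-json`.
        run: uv run safety check --json --save-json safety-report.json
        continue-on-error: true

      - name: Upload security reports
        # upload-artifact v3 is deprecated and scheduled for removal by GitHub.
        # v4 requires artifact names to be unique within a run, which
        # `security-reports` and `dependency-audit` satisfy.
        uses: actions/upload-artifact@v4
        with:
          name: security-reports
          path: |
            bandit-report.json
            safety-report.json

  dependency-check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install uv
        uses: astral-sh/setup-uv@v3
        with:
          # See the note on the `security` job: "latest" is not reproducible.
          version: "latest"

      - name: Set up Python
        run: uv python install 3.11

      - name: Check for dependency vulnerabilities
        run: |
          uv sync --extra security
          uv run pip-audit --format=json --output=pip-audit-report.json
        # As above: a non-zero pip-audit exit does not fail the job; results
        # are only visible in the uploaded report.
        continue-on-error: true

      - name: Upload dependency audit report
        # upload-artifact v3 is deprecated; v4 used with a run-unique name.
        uses: actions/upload-artifact@v4
        with:
          name: dependency-audit
          path: pip-audit-report.json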