-
Notifications
You must be signed in to change notification settings - Fork 37
79 lines (67 loc) · 2.83 KB
/
Copy pathsecurity.yml
File metadata and controls
79 lines (67 loc) · 2.83 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
name: Security
# Supply-chain and secret-hygiene checks that run independently of the test matrix
# so they gate every PR and push even when the unit tests are skipped. Three jobs:
# - pip-audit: scans resolved Python dependencies for known CVEs (PyPI advisories).
# - gitleaks: scans the repo / PR diff for committed secrets, even without a
# developer running the local pre-commit hook.
# - bandit: Python-specific static security analysis (SAST) of the package.
on:
push:
branches: [main, master, develop]
pull_request:
branches: [main, master, develop]
workflow_dispatch:
# Least privilege: both jobs only need to read the repository contents.
permissions:
contents: read
concurrency:
group: security-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
pip-audit:
name: pip-audit (dependency CVEs)
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- name: Set up uv (provides uvx for pip-audit)
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
python-version: "3.12"
enable-cache: true
# Audit the project's full dependency closure (runtime + optional extras) by
# resolving it from pyproject.toml into a requirements file, then scanning that.
# Fails the job on any dependency with a known advisory.
- name: Resolve dependency closure
run: uv pip compile --all-extras --output-file requirements-audit.txt pyproject.toml
- name: Audit dependencies
run: uvx pip-audit --strict --requirement requirements-audit.txt
gitleaks:
name: gitleaks (secret scan)
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
# Full history so the scan can diff the whole range on push, not just HEAD.
fetch-depth: 0
- name: Run gitleaks
uses: gitleaks/gitleaks-action@e0c47f4f8be36e29cdc102c57e68cb5cbf0e8d1e # v3
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
bandit:
name: bandit (Python SAST)
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- name: Set up uv (provides uvx for bandit)
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
python-version: "3.12"
enable-cache: true
# Static security analysis of the package source — a Python-focused second
# opinion alongside CodeQL. Gates on MEDIUM+ severity findings; known false
# positives are annotated inline with `# nosec <id>` + a justification.
- name: Run bandit
run: uvx bandit -r coderag -ll