|
| 1 | +name: Weekly Template Security Scan |
| 2 | + |
| 3 | +on: |
| 4 | + schedule: |
| 5 | + - cron: "0 23 * * 0" |
| 6 | + workflow_dispatch: |
| 7 | + inputs: |
| 8 | + templates: |
| 9 | + description: "Specific templates to scan (comma-separated, leave empty for all)" |
| 10 | + required: false |
| 11 | + default: "" |
| 12 | + |
| 13 | +permissions: |
| 14 | + contents: read |
| 15 | + issues: write |
| 16 | + |
| 17 | +jobs: |
| 18 | + security-scan: |
| 19 | + runs-on: ubuntu-latest |
| 20 | + |
| 21 | + steps: |
| 22 | + - name: Checkout code |
| 23 | + uses: actions/checkout@v4 |
| 24 | + |
| 25 | + - name: Set up Python |
| 26 | + uses: actions/setup-python@v5 |
| 27 | + with: |
| 28 | + python-version: "3.12" |
| 29 | + |
| 30 | + - name: Install pip-audit |
| 31 | + run: pip install pip-audit |
| 32 | + |
| 33 | + - name: Run security scan on templates |
| 34 | + id: scan |
| 35 | + run: | |
| 36 | + TEMPLATE_DIR="src/fastapi_fastkit/fastapi_project_template" |
| 37 | + RESULTS_FILE="security_scan_results.json" |
| 38 | + SCAN_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") |
| 39 | +
|
| 40 | + # Initialize results |
| 41 | + echo '{' > $RESULTS_FILE |
| 42 | + echo ' "scan_date": "'$SCAN_DATE'",' >> $RESULTS_FILE |
| 43 | + echo ' "templates": [' >> $RESULTS_FILE |
| 44 | +
|
| 45 | + TEMPLATES_INPUT="${{ github.event.inputs.templates }}" |
| 46 | + FIRST_TEMPLATE=true |
| 47 | + TOTAL_VULNERABILITIES=0 |
| 48 | + AFFECTED_TEMPLATES="" |
| 49 | +
|
| 50 | + for template_dir in $TEMPLATE_DIR/fastapi-*/; do |
| 51 | + template_name=$(basename "$template_dir") |
| 52 | +
|
| 53 | + # Skip if specific templates are requested and this isn't one |
| 54 | + if [ -n "$TEMPLATES_INPUT" ]; then |
| 55 | + if ! echo "$TEMPLATES_INPUT" | grep -q "$template_name"; then |
| 56 | + continue |
| 57 | + fi |
| 58 | + fi |
| 59 | +
|
| 60 | + req_file="$template_dir/requirements.txt-tpl" |
| 61 | + if [ -f "$req_file" ]; then |
| 62 | + echo "🔍 Scanning $template_name..." |
| 63 | +
|
| 64 | + # Create temp requirements file |
| 65 | + temp_req=$(mktemp) |
| 66 | + cp "$req_file" "$temp_req" |
| 67 | +
|
| 68 | + # Run pip-audit and capture output |
| 69 | + audit_output=$(pip-audit -r "$temp_req" --format json 2>/dev/null || echo '[]') |
| 70 | + rm "$temp_req" |
| 71 | +
|
| 72 | + # Count vulnerabilities |
| 73 | + vuln_count=$(echo "$audit_output" | python3 -c "import sys, json; data = json.load(sys.stdin); print(len(data))" 2>/dev/null || echo "0") |
| 74 | +
|
| 75 | + if [ "$vuln_count" -gt 0 ]; then |
| 76 | + TOTAL_VULNERABILITIES=$((TOTAL_VULNERABILITIES + vuln_count)) |
| 77 | + AFFECTED_TEMPLATES="$AFFECTED_TEMPLATES $template_name" |
| 78 | + echo "⚠️ Found $vuln_count vulnerabilities in $template_name" |
| 79 | + else |
| 80 | + echo "✅ No vulnerabilities in $template_name" |
| 81 | + fi |
| 82 | +
|
| 83 | + # Add to JSON |
| 84 | + if [ "$FIRST_TEMPLATE" = true ]; then |
| 85 | + FIRST_TEMPLATE=false |
| 86 | + else |
| 87 | + echo ' ,' >> $RESULTS_FILE |
| 88 | + fi |
| 89 | +
|
| 90 | + echo ' {' >> $RESULTS_FILE |
| 91 | + echo ' "name": "'$template_name'",' >> $RESULTS_FILE |
| 92 | + echo ' "vulnerability_count": '$vuln_count',' >> $RESULTS_FILE |
| 93 | + echo ' "vulnerabilities": '$audit_output >> $RESULTS_FILE |
| 94 | + echo ' }' >> $RESULTS_FILE |
| 95 | + fi |
| 96 | + done |
| 97 | +
|
| 98 | + echo ' ],' >> $RESULTS_FILE |
| 99 | + echo ' "total_vulnerabilities": '$TOTAL_VULNERABILITIES',' >> $RESULTS_FILE |
| 100 | + echo ' "affected_templates": "'$(echo $AFFECTED_TEMPLATES | xargs)'"' >> $RESULTS_FILE |
| 101 | + echo '}' >> $RESULTS_FILE |
| 102 | +
|
| 103 | + # Set outputs for later steps |
| 104 | + echo "total_vulnerabilities=$TOTAL_VULNERABILITIES" >> $GITHUB_OUTPUT |
| 105 | + echo "affected_templates=$AFFECTED_TEMPLATES" >> $GITHUB_OUTPUT |
| 106 | +
|
| 107 | + - name: Upload scan results |
| 108 | + uses: actions/upload-artifact@v4 |
| 109 | + if: always() |
| 110 | + with: |
| 111 | + name: security-scan-results |
| 112 | + path: security_scan_results.json |
| 113 | + retention-days: 30 |
| 114 | + |
| 115 | + - name: Create Issue on Vulnerabilities |
| 116 | + if: steps.scan.outputs.total_vulnerabilities != '0' |
| 117 | + uses: actions/github-script@v7 |
| 118 | + with: |
| 119 | + script: | |
| 120 | + const fs = require('fs'); |
| 121 | +
|
| 122 | + let issueBody = `## 🔒 Template Dependency Security Scan Results\n\n`; |
| 123 | + issueBody += `**Scan Date:** ${new Date().toISOString()}\n`; |
| 124 | + issueBody += `**Total Vulnerabilities Found:** ${{ steps.scan.outputs.total_vulnerabilities }}\n\n`; |
| 125 | +
|
| 126 | + try { |
| 127 | + const results = JSON.parse(fs.readFileSync('security_scan_results.json', 'utf8')); |
| 128 | +
|
| 129 | + results.templates.forEach(template => { |
| 130 | + if (template.vulnerability_count > 0) { |
| 131 | + issueBody += `### ⚠️ ${template.name}\n\n`; |
| 132 | + issueBody += `Found **${template.vulnerability_count}** vulnerabilities:\n\n`; |
| 133 | + issueBody += `| Package | Installed | Fix Versions | Vulnerability ID |\n`; |
| 134 | + issueBody += `|---------|-----------|--------------|------------------|\n`; |
| 135 | +
|
| 136 | + template.vulnerabilities.forEach(vuln => { |
| 137 | + const fixVersions = vuln.fix_versions ? vuln.fix_versions.join(', ') : 'N/A'; |
| 138 | + issueBody += `| ${vuln.name} | ${vuln.version} | ${fixVersions} | ${vuln.id} |\n`; |
| 139 | + }); |
| 140 | +
|
| 141 | + issueBody += `\n`; |
| 142 | + } |
| 143 | + }); |
| 144 | +
|
| 145 | + } catch (error) { |
| 146 | + issueBody += `\nError reading detailed results: ${error.message}\n`; |
| 147 | + } |
| 148 | +
|
| 149 | + issueBody += `\n---\n**Workflow:** [${context.workflow}](${context.payload.repository.html_url}/actions/runs/${context.runId})`; |
| 150 | +
|
| 151 | + // Determine severity label |
| 152 | + const totalVulns = parseInt('${{ steps.scan.outputs.total_vulnerabilities }}'); |
| 153 | + let severityLabel = 'security: low'; |
| 154 | + if (totalVulns >= 10) { |
| 155 | + severityLabel = 'security: critical'; |
| 156 | + } else if (totalVulns >= 5) { |
| 157 | + severityLabel = 'security: high'; |
| 158 | + } else if (totalVulns >= 2) { |
| 159 | + severityLabel = 'security: medium'; |
| 160 | + } |
| 161 | +
|
| 162 | + await github.rest.issues.create({ |
| 163 | + owner: context.repo.owner, |
| 164 | + repo: context.repo.repo, |
| 165 | + title: `🔒 Template Security Alert: ${totalVulns} vulnerabilities found - ${new Date().toISOString().split('T')[0]}`, |
| 166 | + body: issueBody, |
| 167 | + labels: ['security', severityLabel, 'automated', 'template'] |
| 168 | + }); |
| 169 | +
|
| 170 | + - name: Report Summary |
| 171 | + if: always() |
| 172 | + run: | |
| 173 | + echo "## 🔒 Security Scan Summary" >> $GITHUB_STEP_SUMMARY |
| 174 | + echo "" >> $GITHUB_STEP_SUMMARY |
| 175 | +
|
| 176 | + if [ "${{ steps.scan.outputs.total_vulnerabilities }}" = "0" ]; then |
| 177 | + echo "✅ **No vulnerabilities found in any template!**" >> $GITHUB_STEP_SUMMARY |
| 178 | + else |
| 179 | + echo "⚠️ **Found ${{ steps.scan.outputs.total_vulnerabilities }} vulnerabilities**" >> $GITHUB_STEP_SUMMARY |
| 180 | + echo "" >> $GITHUB_STEP_SUMMARY |
| 181 | + echo "Affected templates: ${{ steps.scan.outputs.affected_templates }}" >> $GITHUB_STEP_SUMMARY |
| 182 | + echo "" >> $GITHUB_STEP_SUMMARY |
| 183 | + echo "A GitHub Issue has been created with detailed information." >> $GITHUB_STEP_SUMMARY |
| 184 | + fi |
0 commit comments