-
Notifications
You must be signed in to change notification settings - Fork 0
95 lines (78 loc) · 2.41 KB
/
Copy pathsecurity.yml
File metadata and controls
95 lines (78 loc) · 2.41 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
name: security
on:
pull_request:
push:
branches:
- main
- master
schedule:
- cron: "27 9 * * 1"
permissions:
contents: read
security-events: write
concurrency:
group: security-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
codeql:
runs-on: ubuntu-latest
timeout-minutes: 20
permissions:
contents: read
security-events: write
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Initialize CodeQL
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
languages: python
- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
dependency-audit:
runs-on: ubuntu-latest
timeout-minutes: 15
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: "3.12"
cache: pip
- name: Run pip-audit
run: |
python -m pip install pip-audit==2.10.1
pip-audit --requirement requirements.txt
container-scan:
runs-on: ubuntu-latest
timeout-minutes: 25
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Prepare throwaway local config
run: |
cp .env.example .env
mkdir -p data/secrets data/codex-home data/codex-work
python - <<'PY'
import pathlib
import secrets
pathlib.Path("data/secrets/proxy_api_key").write_text(secrets.token_urlsafe(48) + "\n", encoding="utf-8")
PY
chmod 600 .env
chmod 644 data/secrets/proxy_api_key
chmod 700 data/secrets data/codex-home data/codex-work
- name: Build local image
run: docker compose build
- name: Trivy image scan
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
image-ref: codex-cli-provider:local
format: table
severity: CRITICAL,HIGH
exit-code: "1"
ignore-unfixed: true