Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
137 changes: 137 additions & 0 deletions .github/workflows/security.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,137 @@
name: Security Scan

on:
pull_request:
branches:
- develop
push:
branches:
- develop

env:
POETRY_VERSION: 1.8.2

jobs:
trivy-scan:
name: Trivy
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
actions: read

steps:
- name: Checkout code
uses: actions/checkout@v5

- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.12"

- name: Bootstrap poetry
run: |
curl -sSL https://install.python-poetry.org | POETRY_VERSION=${{ env.POETRY_VERSION }} python -
echo "$HOME/.local/bin" >> $GITHUB_PATH

- name: Configure poetry
run: poetry config virtualenvs.in-project true

- name: Install dependencies
run: poetry install --with dev

- name: Run Trivy filesystem scan
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
scan-ref: "."
format: "sarif"
output: "trivy-fs-results.sarif"
severity: "CRITICAL,HIGH,MEDIUM,LOW"
exit-code: "0"

- name: Run Trivy dependency scan
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
scan-ref: "."
format: "sarif"
output: "trivy-deps-results.sarif"
severity: "CRITICAL,HIGH,MEDIUM,LOW"
scanners: "vuln"
exit-code: "0"

- name: Check for critical and high vulnerabilities
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
scan-ref: "."
format: "table"
severity: "CRITICAL,HIGH"
exit-code: "1"

- name: Upload Trivy filesystem scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always() && github.event_name == 'pull_request' && github.base_ref == 'develop'
with:
sarif_file: "trivy-fs-results.sarif"
category: "trivy-filesystem"

- name: Upload Trivy dependency scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always() && github.event_name == 'pull_request' && github.base_ref == 'develop'
with:
sarif_file: "trivy-deps-results.sarif"
category: "trivy-dependencies"

bandit-scan:
name: Bandit
runs-on: ubuntu-latest
permissions:
security-events: write
actions: read
contents: read
checks: write

steps:
- uses: actions/checkout@v5

- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.12"

- name: Bootstrap poetry
run: |
curl -sSL https://install.python-poetry.org | POETRY_VERSION=${{ env.POETRY_VERSION }} python -
echo "$HOME/.local/bin" >> $GITHUB_PATH

- name: Configure poetry
run: poetry config virtualenvs.in-project true

- name: Install dependencies
run: poetry install --with dev

- name: Install Bandit
run: poetry run pip install bandit[sarif]

- name: Run Bandit Security Scan
uses: PyCQA/bandit-action@v1
with:
targets: "."
exclude: "tests"

- name: Upload SARIF results to Security tab
if: github.ref == 'refs/heads/develop'
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
category: bandit-security-scan

- name: Upload SARIF as artifact
uses: actions/upload-artifact@v4
with:
name: bandit-sarif-results
path: results.sarif
retention-days: 30
continue-on-error: true
Loading