Skip to content
Security Scan

Update README.md #81

Sign in to view logs

Update README.md

Update README.md #81

Workflow file for this run

.github/workflows/security.yml at 94828bd
name: Security Scan
on:
schedule:
# Run weekly on Sundays at 2 AM UTC
- cron: '0 2 * * 0'
workflow_dispatch:
push:
branches: [ main, develop ]
pull_request:
branches: [ main, develop ]
jobs:
codeql-analysis:
name: CodeQL Analysis
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: [ 'python' ]
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
queries: security-extended,security-and-quality
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
dependency-scan:
name: Dependency Vulnerability Scan
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install safety pip-audit
- name: Install project dependencies
run: |
pip install -e .[dev]
- name: Run Safety check
run: |
safety check --json --output safety-report.json || true
safety check --short-report
- name: Run pip-audit
run: |
pip-audit --format=json --output=pip-audit-report.json || true
pip-audit --format=cyclonedx-json --output=sbom.json || true
pip-audit
- name: Upload Safety report
uses: actions/upload-artifact@v4
if: always()
with:
name: safety-report
path: safety-report.json
- name: Upload pip-audit report
uses: actions/upload-artifact@v4
if: always()
with:
name: pip-audit-report
path: |
pip-audit-report.json
sbom.json
sast-scan:
name: Static Application Security Testing
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install bandit[toml] semgrep
- name: Run Bandit security scan
run: |
bandit -r src/ -f json -o bandit-report.json || true
bandit -r src/ -ll
- name: Run Semgrep security scan
run: |
semgrep --config=auto --json --output=semgrep-report.json src/ || true
semgrep --config=auto src/
- name: Upload Bandit report
uses: actions/upload-artifact@v4
if: always()
with:
name: bandit-report
path: bandit-report.json
- name: Upload Semgrep report
uses: actions/upload-artifact@v4
if: always()
with:
name: semgrep-report
path: semgrep-report.json
security-advisory:
name: Security Advisory Check
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'
security-summary:
name: Security Summary
runs-on: ubuntu-latest
needs: [codeql-analysis, dependency-scan, sast-scan, security-advisory]
if: always()
steps:
- name: Security scan completed
run: |
echo "Security scan workflow completed"
echo "Check the Security tab for detailed results"
echo "Review artifacts for detailed reports"