genai-musings · eoinhalpin99 · Sep 5, 2024 · Sep 5, 2024 · Sep 5, 2024 · Sep 5, 2024
@@ -0,0 +1,5 @@
+---
+security:
+  ignore-vulnerabilities:
+    70612:
+      reason: ignoring as per CVE-2019-8341 maintainer doesn't believe it is a valid vulnerability
@@ -32,6 +32,7 @@ README
 spellingcheck
 superlinter
 TODO
+Trivy
 URLs
 username
 yamllint

@@ -19,6 +19,16 @@ jobs:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
+    - name: Scan Docker image for vulnerabilities with Trivy
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: ${{ secrets.DOCKERHUB_USERNAME }}/template-repo-template:${{ env.IMAGE_TAG }}
+        format: 'table'
+        exit-code: '1'
+        ignore-unfixed: true
+        vuln-type: 'os,library'
+        severity: 'HIGH,CRITICAL'
+
     - name: Build and Push Docker image
       run: |
         IMAGE_TAG="$(grep -oP '^## \[\K([\d.]+)' CHANGELOG.md | head -n 1)"

@@ -0,0 +1,38 @@
+name: Safety Check
+
+# Description: This GitHub Action workflow checks the Python dependencies for known security vulnerabilities
+# using the 'safety' tool. It runs on every push to the main branch and on pull requests targeting the main branch.
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  safety:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.x'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+
+      - name: Install safety
+        run: |
+          pip install safety
+
+      - name: Run safety check
+        run: |
+          safety check --full-report --policy-file .github/config/.safety-policy.yml
@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.7.0] - 2024-09-05
+
+- [ADDED] Safety GitHub Action workflow to check Python dependencies for known security vulnerabilities.
+- [ADDED] Trivy scan of the Docker image for vulnerabilities
+- [FIXED] Vulnerability in docker imaged reported by Trivy
+- [CHANGED] Updates to README.md
+
 ## [1.6.1] - 2023-10-15
 
 - [ADDED] Ensured docker image pushed to Docker Hub before README.md

@@ -4,6 +4,7 @@ This is a template repository for creating new repositories with pre-configured
 
 [![License: MPL 2.0](https://img.shields.io/badge/License-MPL%202.0-brightgreen.svg)](https://opensource.org/licenses/MPL-2.0)
 <!--[![Bandit](https://github.com/genai-musings/template-repo-template/actions/workflows/bandit.yml/badge.svg)](https://github.com/genai-musings/template-repo-template/actions/new?category=security)-->
+[![Safety Check](https://github.com/genai-musings/template-repo-template/actions/workflows/safety.yml/badge.svg)](https://github.com/genai-musings/template-repo-template/actions/workflows/safety.yml)
 [![Super-Linter](https://github.com/genai-musings/template-repo-template/actions/workflows/linter.yml/badge.svg)](https://github.com/marketplace/actions/super-linter)
 [![CodeQL](https://github.com/genai-musings/template-repo-template/workflows/CodeQL/badge.svg?branch=main)
 [![Markdown Links Check](https://github.com/genai-musings/template-repo-template/actions/workflows/md-links.yml/badge.svg)](https://github.com/gaurav-nelson/github-action-markdown-link-check)
@@ -39,6 +40,8 @@ It includes bug and feature issue templates, a pull request (PR) template, CodeQ
 
 - ```.github/workflows/md-links.yml```: GitHub Actions workflow for Markdown link validation.
 
+- ```.github/workflows/safety.yml```: GitHub Actions workflow for checking Python dependencies for known security vulnerabilities using the Safety tool.
+
 - ```.github/workflows/spellcheck.yml```: GitHub Actions workflow for spell checking Markdown.
 
 - ```.github/workflows/stale.yml```: GitHub Actions workflow for managing stale issues and pull requests.