Bump requests from 2.20.0 to 2.34.1 #80
Workflow file for this run
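---
# Security scanning workflow: detect languages -> CodeQL SAST -> dependency
# audit -> secret scan. The scan jobs/steps are non-blocking (continue-on-error)
# so findings are reported without failing the PR; read the job logs and the
# Security tab rather than trusting a green check.
name: "🔒 Security Scan"

# yamllint disable-line rule:truthy -- GitHub's loader reads `on` as the trigger key
on:
  push:
    branches: ["main", "master", "develop"]
  pull_request:
    branches: ["main", "master"]
  schedule:
    - cron: '0 9 * * 1'  # weekly, Monday 09:00 UTC
  workflow_dispatch:

# Least privilege: the default GITHUB_TOKEN is read-only. A job that needs more
# declares its own `permissions` block (a job-level block replaces this one,
# it does not extend it).
permissions:
  contents: read

# NOTE(review): every action below is referenced by a mutable tag (@v4/@v3/@v2).
# For supply-chain integrity pin each one to a full commit SHA and keep the tag
# as a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v4`
# (<commit-sha> is a placeholder; look the SHA up in the action's repository).

jobs:
  # ============================================================================
  # JOB 1: Detect Languages
  # ============================================================================
  detect-languages:
    name: "Detect Languages"
    runs-on: ubuntu-latest
    outputs:
      languages: ${{ steps.detect.outputs.languages }}
      has_csharp: ${{ steps.detect.outputs.has_csharp }}
      has_java: ${{ steps.detect.outputs.has_java }}
      has_javascript: ${{ steps.detect.outputs.has_javascript }}
      has_python: ${{ steps.detect.outputs.has_python }}
    steps:
      - uses: actions/checkout@v4
      - name: Detect
        id: detect
        shell: bash
        # `shell: bash` runs with `-eo pipefail`. The file probes deliberately
        # avoid `find ... | grep -q .`: grep exits on the first match, find can
        # then die of SIGPIPE, and under pipefail that turns a hit into "false".
        # `-print -quit` stops find at the first match instead.
        run: |
          langs=()
          has_csharp=false
          has_java=false
          has_javascript=false
          has_python=false
          if [ -n "$(find . \( -name '*.csproj' -o -name '*.sln' \) -print -quit)" ]; then
            langs+=('"csharp"')
            has_csharp=true
          fi
          if [ -f pom.xml ] || [ -f build.gradle ]; then
            langs+=('"java-kotlin"')
            has_java=true
          fi
          if [ -f package.json ]; then
            langs+=('"javascript-typescript"')
            has_javascript=true
          fi
          if [ -n "$(find . -name '*.py' -print -quit)" ]; then
            langs+=('"python"')
            has_python=true
          fi
          # Join with commas. "${langs[*]}" joins on the first IFS character, so
          # the default (space) would emit ["csharp" "python"], which is not
          # JSON and makes fromJSON() in the CodeQL matrix fail.
          langs_json=$(IFS=,; echo "${langs[*]}")
          {
            echo "languages=[${langs_json}]"
            echo "has_csharp=${has_csharp}"
            echo "has_java=${has_java}"
            echo "has_javascript=${has_javascript}"
            echo "has_python=${has_python}"
          } >> "$GITHUB_OUTPUT"

  # ============================================================================
  # JOB 2: CodeQL SAST
  # ============================================================================
  codeql-analysis:
    name: "CodeQL (${{ matrix.language }})"
    needs: detect-languages
    if: needs.detect-languages.outputs.languages != '[]'
    runs-on: ubuntu-latest
    # Non-blocking by design; a failed analysis still surfaces as a warning.
    continue-on-error: true
    strategy:
      fail-fast: false
      matrix:
        language: ${{ fromJSON(needs.detect-languages.outputs.languages) }}
    permissions:
      security-events: write  # needed to upload SARIF results
      actions: read
      contents: read
    steps:
      - uses: actions/checkout@v4

      # ---------------- Node.js ----------------
      - name: Setup Node
        if: matrix.language == 'javascript-typescript'
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          # Enable the npm cache only when a lockfile exists: setup-node fails
          # the step when `cache` is set but the dependency path is missing,
          # which the install step below otherwise handles gracefully.
          cache: ${{ hashFiles('package-lock.json') != '' && 'npm' || '' }}
          cache-dependency-path: package-lock.json
      - name: Install Node deps
        if: matrix.language == 'javascript-typescript'
        continue-on-error: true
        run: |
          if [ -f package-lock.json ]; then
            npm ci --quiet
          else
            npm install --quiet
          fi

      # ---------------- Java ----------------
      - name: Setup Java
        if: matrix.language == 'java-kotlin'
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '17'
      # Build-prep steps use continue-on-error instead of `|| true` so a failed
      # build is visible in the run summary while still not blocking analysis.
      - name: Compile (Maven)
        if: matrix.language == 'java-kotlin' && hashFiles('pom.xml') != ''
        continue-on-error: true
        run: mvn -q clean compile -DskipTests

      # ---------------- .NET ----------------
      - name: Setup .NET
        if: matrix.language == 'csharp'
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.0.x'
      - name: Restore .NET packages
        if: matrix.language == 'csharp'
        continue-on-error: true
        run: dotnet restore

      # ---------------- Python ----------------
      - name: Setup Python
        if: matrix.language == 'python'
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      # ---------------- CodeQL ----------------
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended,security-and-quality
      - uses: github/codeql-action/autobuild@v3
        continue-on-error: true
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"

  # ============================================================================
  # JOB 3: Dependency Scan
  # ============================================================================
  dependency-scan:
    name: "Dependency Scan"
    needs: detect-languages
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      # Audit steps are non-blocking via continue-on-error and deliberately do
      # NOT append `|| true`, so a vulnerable dependency still shows up as a
      # (non-fatal) failed step instead of a green one.

      # Node.js deps
      - name: Node Dependency Audit
        if: needs.detect-languages.outputs.has_javascript == 'true'
        continue-on-error: true
        run: |
          if [ -f package-lock.json ]; then
            npm ci --quiet
          elif [ -f package.json ]; then
            npm install --quiet
          else
            echo "No Node project"
            exit 0
          fi
          npm audit

      # Python deps
      - name: Python Dependency Audit
        if: needs.detect-languages.outputs.has_python == 'true'
        continue-on-error: true
        run: |
          # `safety check` audits the packages installed in the current
          # environment, so the project's pinned requirements must be installed
          # first; otherwise only the runner's own packages get checked.
          # NOTE(review): `safety check` is deprecated in safety 3.x in favour
          # of `safety scan` (which needs an account); `pip-audit -r
          # requirements.txt` is a keyless alternative worth considering.
          if [ -f requirements.txt ]; then
            pip install -q -r requirements.txt
          fi
          pip install -q safety
          safety check

      # .NET deps
      - name: .NET Dependency Audit
        if: needs.detect-languages.outputs.has_csharp == 'true'
        continue-on-error: true
        # `dotnet list package` reads project.assets.json, so a restore must
        # run first or the command errors out before checking anything.
        run: |
          dotnet restore
          dotnet list package --vulnerable --include-transitive

  # ============================================================================
  # JOB 4: Secret Scanning
  # ============================================================================
  secret-scan:
    name: "Secret Detection"
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # gitleaks-action uses GITHUB_TOKEN to comment findings on pull requests
      # (presumably; drop this if PR comments are disabled for the action).
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history: a secret committed then removed is still a leak
      - uses: gitleaks/gitleaks-action@v2
        continue-on-error: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}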