# Security audit workflow: triggers only. The jobs are defined under `jobs:`.
name: Security Audit

on:
  # Weekly on Sunday (cron schedules are evaluated in UTC).
  schedule:
    - cron: '0 0 * * 0'

  # Allow manual runs.
  workflow_dispatch:

  # Run on pushes to the listed branches, but only when dependency manifests,
  # Dockerfiles or Python sources change.
  push:
    branches:
      - main
      - mcp-remote
    paths:
      - '**/requirements*.txt'
      - '**/pyproject.toml'
      - '**/Dockerfile'
      - '**/*.py'
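# Four independent scanning jobs. Each job declares the minimum GITHUB_TOKEN
# permissions it needs instead of inheriting the repository default.
#
# NOTE(review): every scanner below is wrapped in `|| true` or
# `continue-on-error: true`, so findings never fail the workflow. The reports
# are informational only; someone has to read the step summary / artifacts.
jobs:
  dependency-audit:
    name: Dependency Security Audit
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the job token in the local git config; nothing in
          # this job pushes or fetches after checkout.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      # Only the tools this job actually runs are installed. safety and
      # pip-audit inspect the installed environment, so extra scanners
      # (bandit, semgrep) would add their own dependency trees to the report.
      # NOTE(review): these tools are installed unpinned; consider pinning
      # versions so a scan result is reproducible.
      - name: Install audit tools
        run: |
          python -m pip install --upgrade pip
          pip install safety pip-audit

      - name: Install project dependencies
        run: pip install -e .

      - name: Run safety check
        run: |
          safety check --json --output safety-report.json || true
          if [ -f safety-report.json ]; then
            {
              echo "### Safety Report"
              echo '```json'
              cat safety-report.json
              echo '```'
            } >> "$GITHUB_STEP_SUMMARY"
          fi

      - name: Run pip-audit
        run: |
          pip-audit --format json --output pip-audit-report.json || true
          if [ -f pip-audit-report.json ]; then
            {
              echo "### Pip Audit Report"
              echo '```json'
              cat pip-audit-report.json
              echo '```'
            } >> "$GITHUB_STEP_SUMMARY"
          fi

      - name: Upload security reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: dependency-security-reports
          path: |
            safety-report.json
            pip-audit-report.json

  code-security:
    name: Code Security Analysis
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      # The JSON run produces the artifact; the text run feeds the step
      # summary. The text output is redirected into the summary so the
      # fenced block is not left empty.
      - name: Run Bandit
        run: |
          pip install bandit
          bandit -r src/ -f json -o bandit-report.json || true
          {
            echo "### Bandit Security Report"
            echo '```'
            bandit -r src/ -f txt || true
            echo '```'
          } >> "$GITHUB_STEP_SUMMARY"

      # NOTE(review): third-party action referenced by a movable tag; pin it
      # to a reviewed full-length commit SHA and confirm the action is still
      # maintained upstream.
      - name: Run Semgrep
        uses: returntocorp/semgrep-action@v1
        with:
          config: auto
        continue-on-error: true

      - name: Upload code security reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: code-security-reports
          path: bandit-report.json

  docker-security:
    name: Docker Security Scan
    runs-on: ubuntu-latest
    # Only runs for the mcp-remote branch.
    if: github.ref == 'refs/heads/mcp-remote'
    permissions:
      contents: read
      # Required by github/codeql-action/upload-sarif.
      security-events: write
      # upload-sarif also needs this when the repository is private.
      actions: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      # NOTE(review): `@master` is a mutable branch ref. Whatever is on that
      # branch at run time executes in this job; pin to a reviewed
      # full-length commit SHA.
      # This is a filesystem scan of the checkout, not a scan of a built image.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
        continue-on-error: true

      - name: Upload Trivy results to GitHub Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

      - name: Dockerfile linting
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: Dockerfile
          format: json
          output-file: hadolint-report.json
        continue-on-error: true

      - name: Upload Docker security reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: docker-security-reports
          path: |
            trivy-results.sarif
            hadolint-report.json

  secrets-scan:
    name: Secrets Detection
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Full history is needed so the scanners can walk past commits.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          persist-credentials: false

      # NOTE(review): `@main` is a mutable branch ref; pin to a reviewed
      # full-length commit SHA.
      # NOTE(review): `--debug` makes the job log considerably more verbose;
      # confirm that is wanted in a log other people can read.
      # NOTE(review): on a push to the default branch, `base` and `head` may
      # resolve to the same commit; confirm the scanned range is the intended
      # one for each trigger.
      - name: TruffleHog OSS
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
          head: HEAD
          extra_args: --debug --only-verified
        continue-on-error: true

      # NOTE(review): a detected secret does not fail the workflow because of
      # continue-on-error; decide whether this job should be the gating one.
      - name: Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        continue-on-error: true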