@@ -2,10 +2,10 @@ name: CI Build
22on :
33 push :
44 branches :
5- - main
5+ - ci_test
66 pull_request :
77 branches :
8- - main
8+ - ci_test
99jobs :
1010 pre-commit-run :
1111 runs-on : ubuntu-latest
@@ -53,3 +53,118 @@ jobs:
5353 - name : Unit tests
5454 run : |
5555 pytest --cov=. tests/
56+
57+ detect_secrets :
58+ name : IBM detect-secrets
59+ runs-on : ubuntu-latest
60+ steps :
61+ - uses : actions/checkout@v4
62+ - name : Install prerequisites
63+ run : sudo apt-get update && sudo apt-get install -y jq diffutils
64+ - name : Install IBM detect-secrets
65+
66+ run : |
67+ python3 -m pip install --upgrade pip
68+ python3 -m pip install --upgrade "git+https://github.com/ibm/detect-secrets.git@master#egg=detect-secrets"
69+ - name : Scan repository & write snapshot
70+ run : |
71+ detect-secrets scan > .secrets.new
72+ - name : Fail if new secrets appear vs baseline
73+
74+ run : |
75+ list_secrets() { jq -r '.results | keys[] as $key | "\($key),\(.[$key] | .[] | .hashed_secret)"' "$1" | sort; }
76+ if ! diff <(list_secrets .secrets.baseline) <(list_secrets .secrets.new) >&2; then
77+ echo "❌ Detected new secrets compared to baseline" >&2
78+ exit 1
79+ fi
80+
81+ - name : Upload scan artifacts (for triage)
82+ if : always()
83+ uses : actions/upload-artifact@v4
84+ with :
85+ name : detect-secrets-artifacts
86+ path : .secrets.new
87+
88+ codeql :
89+ name : CodeQL (Python)
90+ runs-on : ubuntu-latest
91+ steps :
92+ - uses : actions/checkout@v4
93+ - uses : github/codeql-action/init@v3
94+ with :
95+ languages : python
96+ - uses : github/codeql-action/autobuild@v3
97+ - uses : github/codeql-action/analyze@v3
98+ with :
99+ category : " /language:python"
100+
101+
102+
103+ semgrep :
104+ name : Semgrep (p/default rules)
105+ runs-on : ubuntu-latest
106+ steps :
107+ - uses : actions/checkout@v4
108+ - name : Install Semgrep
109+ run : pip install semgrep
110+ - name : Semgrep scan (PR diff-aware)
111+ if : ${{ github.event_name == 'pull_request' }}
112+ run : semgrep --config=p/default --error --baseline-commit "${{ github.event.pull_request.base.sha }}" .
113+ - name : Semgrep scan (full)
114+ if : ${{ github.event_name != 'pull_request' }}
115+ run : semgrep --config=p/default --error .
116+
117+ bandit :
118+ name : Bandit (Python)
119+ runs-on : ubuntu-latest
120+ steps :
121+ - uses : actions/checkout@v4
122+ - uses : actions/setup-python@v5
123+ with :
124+ python-version : " 3.11"
125+ - name : Install Bandit
126+ run : pip install bandit
127+ - name : Run Bandit
128+ run : bandit -ll -ii -r gridfm-graphkit -f json -o bandit-report.json
129+
130+ - name : Upload artifact
131+ if : always()
132+ uses : actions/upload-artifact@v4
133+ with :
134+ name : bandit-report
135+ path : bandit-report.json
136+
137+ pip_audit :
138+ name : pip-audit (deps)
139+ runs-on : ubuntu-latest
140+ steps :
141+ - uses : actions/checkout@v4
142+ - uses : actions/setup-python@v5
143+ with :
144+ python-version : " 3.11"
145+ - name : Install package (editable) and dev/test extras if present
146+ run : |
147+ python -m pip install --upgrade pip
148+ pip install -e .[dev,test] || pip install -e .
149+ - name : Run pip-audit
150+ uses : pypa/gh-action-pip-audit@v1.1.0
151+
152+ trivy_repo :
153+ name : Trivy (repo scan)
154+ runs-on : ubuntu-latest
155+ steps :
156+ - uses : actions/checkout@v4
157+ - name : Run Trivy filesystem scan
158+ uses : aquasecurity/trivy-action@0.33.1
159+ with :
160+ scan-type : ' fs'
161+ scan-ref : ' .'
162+ format : ' sarif'
163+ output : ' trivy-results.sarif'
164+ severity : ' HIGH,CRITICAL'
165+ ignore-unfixed : true
166+ - name : Upload SARIF to Code Scanning
167+ uses : github/codeql-action/upload-sarif@v3
168+ with :
169+ sarif_file : trivy-results.sarif
170+
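Review bot: The `Fail if new secrets appear vs baseline` step fails on any difference, not only on additions — `diff` is symmetric, so a finding that disappears from the new scan (a removed secret, or a baseline entry for a deleted file) also exits non-zero behind the misleading "Detected new secrets" message; since `list_secrets` already sorts its output, replace the `diff` line with `new=$(comm -13 <(list_secrets .secrets.baseline) <(list_secrets .secrets.new))`, fail only when `[ -n "$new" ]`, and print `$new` to stderr. The same step reads `.secrets.baseline` without checking that it exists; if the repository does not commit one, `jq` errors and the baseline side is empty, so every finding counts as new — a `test -f .secrets.baseline` guard with a clear message would make that failure mode explicit. Installing the scanner from `git+https://github.com/ibm/detect-secrets.git@master` (and the unpinned `pip install semgrep` / `pip install bandit`) makes the gate non-reproducible and trusts whatever the branch head happens to be at run time; pin to a release tag or commit the way `trivy-action@0.33.1` and `gh-action-pip-audit@v1.1.0` already are. The `codeql` and `trivy_repo` jobs upload results through `github/codeql-action`, which requires `permissions: security-events: write` (plus `contents: read`) on the job; no `permissions:` block appears in the hunk, so unless one is set at the workflow level outside it, those uploads will be rejected under a read-only default token. The leading space inside several quoted inputs (`" /language:python"`, `" 3.11"`, `' fs'`, `' sarif'`) may be a rendering artifact, but if it is really in the file the setup-python and Trivy inputs will not match the values those actions expect.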