
Commit 82454d5

Harsh Srivastava authored and committed
added python sast and dependabot
1 parent 80c44f1 commit 82454d5


2 files changed

+320
-0
lines changed


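--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,20 @@
+version: 2
+updates:
+  # Python dependencies (weekly updates)
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    target-branch: "soc2"
+    open-pull-requests-limit: 5
+    labels:
+      - "security"
+
+  - package-ecosystem: "pip"
+    directory: "/pf9watcher"
+    schedule:
+      interval: "weekly"
+    target-branch: "soc2"
+    open-pull-requests-limit: 5
+    labels:
+      - "security"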
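Review bot: There is no `github-actions` ecosystem entry, so the action pins used by the new workflow (`actions/checkout@v3`, `actions/setup-python@v4`, `peter-evans/create-pull-request@v5`) will never be bumped by Dependabot even though the pip dependencies are. Both entries also set `target-branch: "soc2"`, which means Dependabot raises update PRs only against that branch and never against the repository's default branch; confirm that is intended rather than a leftover from the SOC2 branch work. A third entry alongside the two pip ones would cover the workflows:

```yaml
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    target-branch: "soc2"
    labels:
      - "security"
```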

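--- /dev/null
+++ b/.github/workflows/python-sast.yml
@@ -0,0 +1,300 @@
+name: Python Security & Linting
+'on':
+  push:
+    branches:
+      - soc2
+  pull_request:
+    branches:
+      - soc2
+jobs:
+  setup:
+    name: Shared Setup
+    runs-on: ubuntu-latest
+    outputs:
+      python-version: '3.10'
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+      - name: Export Python Version
+        run: echo "python-version=3.10" >> $GITHUB_OUTPUT
+  bandit_scan:
+    name: Bandit Security Scan (Full)
+    needs: setup
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    outputs:
+      bandit-high-found: ${{ steps.scan.outputs.bandit_high_found }}
+      exit_with_failure: ${{ steps.scan.outputs.exit_with_failure }}
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '${{ needs.setup.outputs.python-version }}'
+      - name: Install Bandit
+        run: pip install bandit jq
+      - name: Run Full Bandit Scan
+        id: scan
+        run: |
+          echo "🚨 Running full Bandit scan..."
+          mkdir -p tmp
+          bandit -r . --severity-level medium -f json -o tmp/bandit_output.json || true
+          echo -e "\n🔍 Human-readable Bandit output:\n"
+          bandit -r . --severity-level medium || true
+          cat tmp/bandit_output.json || echo "{}"
+          count=$(jq '.results | map(select(.issue_severity == "HIGH")) | length' tmp/bandit_output.json || echo 0)
+
+          if [[ "$count" -gt 0 ]]; then
+            echo "bandit_high_found=true" >> "$GITHUB_OUTPUT"
+            echo "❌ High severity issues found."
+            echo "exit_with_failure=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "bandit_high_found=false" >> "$GITHUB_OUTPUT"
+            echo "exit_with_failure=false" >> "$GITHUB_OUTPUT"
+          fi
+      # run: "echo \"\U0001F6A8 Running full Bandit scan...\"\nmkdir -p tmp\nbandit -r . --severity-level medium -f json -o tmp/bandit_output.json || true\necho -e \"\\n\U0001F50D Human-readable Bandit output:\\n\"\nbandit -r . --severity-level medium || true\ncat tmp/bandit_output.json || echo \"{}\"\ncount=$(jq '.results | map(select(.issue_severity == \"HIGH\")) | length' tmp/bandit_output.json || echo 0)\necho \"bandit_high_found=$([[ $count -gt 0 ]] && echo true || echo false)\" >> $GITHUB_OUTPUT\n"
+      - name: Upload Bandit Report
+        uses: actions/upload-artifact@v4
+        with:
+          name: bandit-json
+          path: tmp/bandit_output.json
+
+      - name: Fail Job If Vulnerabilities Found
+        if: ${{ steps.scan.outputs.exit_with_failure == 'true' }}
+        run: exit 1
+  auto-pr:
+    name: Create Pull Request if High Vulnerabilities Found
+    needs:
+      - bandit_scan
+    if: ${{ needs.bandit_scan.outputs.bandit-high-found == 'true' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+
+      - name: Download Bandit Report
+        uses: actions/download-artifact@v4
+        with:
+          name: bandit-json
+          path: tmp
+
+      - name: Generate PR Body with High Severity Bandit Results
+        run: |
+          echo "# 🚨 Bandit Scan Report" > tmp/pr-body.md
+          if [[ -f tmp/bandit_output.json ]]; then
+            jq -r '.results[]
+              | select(.issue_severity == "HIGH")
+              | "* File: \(.filename)\n  • Line: \(.line_number)\n  • Severity: \(.issue_severity)\n  • Confidence: \(.issue_confidence)\n  • Issue: \(.issue_text)\n"' \
+              tmp/bandit_output.json >> tmp/pr-body.md
+          else
+            echo "❌ Bandit report not found or scan failed." >> tmp/pr-body.md
+          fi
+
+      - name: Commit Bandit Alert Log (Optional)
+        run: |
+          if [[ -f tmp/bandit_output.json ]]; then
+            jq -r '.results[]
+              | select(.issue_severity == "HIGH")
+              | "### 🚨 High Severity Issue\n```\nFile: \(.filename)\nLine: \(.line_number)\nSeverity: \(.issue_severity)\nConfidence: \(.issue_confidence)\nIssue: \(.issue_text)\n```\n"' \
+              tmp/bandit_output.json > .bandit-alert.log || true
+
+            git config user.name github-actions
+            git config user.email github-actions@github.com
+            git add -f .bandit-alert.log || true
+            git commit -m "chore: bandit security alert log" || true
+          fi
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v5
+        with:
+          commit-message: 'chore: issues detected by Bandit (all severities)'
+          title: 'chore: auto PR for Bandit scan'
+          body-path: tmp/pr-body.md
+          branch: auto/bandit-security-scan
+          base: soc2
+          delete-branch: true
+
+  ruff-lint-and-pr:
+    name: Ruff Lint & Auto PR
+    needs: setup
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ needs.setup.outputs.python-version }}
+
+      - name: Install Ruff
+        run: pip install ruff
+
+      - name: Run Ruff
+        id: ruff
+        run: |
+          echo "🔍 Running Ruff Lint..."
+          ruff check . --select E,F,I > ruff_output.txt || true
+          cat ruff_output.txt
+          if [ -s ruff_output.txt ]; then
+            echo "ruff_issues=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "ruff_issues=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Create PR if Issues Found
+        if: ${{ steps.ruff.outputs.ruff_issues == 'true' }}
+        uses: peter-evans/create-pull-request@v5
+        with:
+          commit-message: 'chore: fix ruff lint issues'
+          title: 'chore: Ruff Lint Issues Found'
+          body: |
+            ## ⚠️ Ruff Lint Issues Found
+            See `.ruff_output.txt` for full details.
+          branch: auto/ruff-lint-issues
+          base: atherton
+          add-paths: |
+            ruff_output.txt
+
+      - name: Fail job if issues found
+        if: ${{ steps.ruff.outputs.ruff_issues == 'true' }}
+        run: |
+          echo "❌ Ruff lint issues found — failing job."
+          exit 1
+
+  # trivy_security_scan:
+  # runs-on: ubuntu-latest
+  # steps:
+  # - name: Checkout Code
+  # uses: actions/checkout@v3
+  # - name: Install Trivy
+  # run: >
+  # sudo apt update
+
+  # sudo apt install wget -y
+
+  # wget -O- https://aquasecurity.github.io/trivy-repo/deb/public.key |
+  # sudo tee /etc/apt/trusted.gpg.d/trivy.asc
+
+  # echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release
+  # -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
+
+  # sudo apt update
+  # sudo apt install -y trivy
+  # - name: Scan Code Dependencies
+  # run: 'trivy fs --scanners vuln,config --exit-code 1 --severity HIGH,CRITICAL .'
+
+  trivy_security_scan_and_pr:
+    name: Trivy Security Scan & Auto PR
+    needs: setup
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # allow committing alert log
+      pull-requests: write # allow opening PR
+    outputs:
+      trivy_issues_found: ${{ steps.scan.outputs.trivy_issues_found }}
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+
+      - name: Install Trivy
+        run: |
+          sudo apt update
+          sudo apt install wget -y
+          wget -qO- https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo tee /etc/apt/trusted.gpg.d/trivy.asc
+          echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
+          sudo apt update
+          sudo apt install -y trivy jq
+
+      - name: Run Trivy Filesystem Scan
+        id: scan
+        run: |
+          set -euo pipefail
+          echo "🛡️ Running Trivy scan (HIGH/CRITICAL)..."
+          mkdir -p tmp
+          trivy fs --format json --severity HIGH,CRITICAL --output tmp/trivy.json .
+          [[ -f tmp/trivy.json ]] || echo '{"Results":[]}' > tmp/trivy.json
+
+          # Safely exit if Results are missing or empty
+          if ! jq -e '.Results and (.Results | length > 0)' tmp/trivy.json >/dev/null; then
+            echo "ℹ️ No scan results available — likely no supported files found."
+            echo "trivy_issues_found=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          count=$(jq -e '
+            (.Results // []) # safe default
+            | map(.Vulnerabilities? // []) # ? prevents error if field missing
+            | add
+            | map(select(.Severity=="HIGH" or .Severity=="CRITICAL"))
+            | length
+          ' tmp/trivy.json)
+          if [[ "$count" -gt 0 ]]; then
+            echo "trivy_issues_found=true" >> "$GITHUB_OUTPUT"
+            echo "❌ Vulnerabilities found: $count"
+          else
+            echo "trivy_issues_found=false" >> "$GITHUB_OUTPUT"
+            echo "✅ No HIGH/CRITICAL vulnerabilities found"
+          fi
+
+      - name: Upload Trivy Report
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-json
+          path: tmp/trivy.json
+
+      # Fail the job to block merge, but continue workflow so PR can be created
+      - name: Set exit code if issues
+        if: ${{ steps.scan.outputs.trivy_issues_found == 'true' }}
+        run: exit 1
+        continue-on-error: true
+
+      - name: Generate PR Body
+        if: ${{ steps.scan.outputs.trivy_issues_found == 'true' }}
+        run: |
+          echo "# 🛡️ Trivy Scan Report" > tmp/pr-body.md
+          jq -r '
+            (.Results // [])
+            | .[] # each result
+            | .Target as $file
+            | (.Vulnerabilities? // [])
+            | map(select(.Severity=="HIGH" or .Severity=="CRITICAL"))
+            | .[]
+            | "* File: \($file)\n  • Vulnerability ID: \(.VulnerabilityID)\n  • Pkg: \(.PkgName) \(.InstalledVersion)\n  • Severity: \(.Severity)\n  • Title: \(.Title)\n"
+          ' tmp/trivy.json >> tmp/pr-body.md
+
+      - name: Commit Trivy Alert Log (optional)
+        if: ${{ steps.scan.outputs.trivy_issues_found == 'true' }}
+        run: |
+          jq -r '
+            (.Results // [])
+            | .[]
+            | .Target as $file
+            | (.Vulnerabilities? // [])
+            | map(select(.Severity=="HIGH" or .Severity=="CRITICAL"))
+            | .[]
+            | "### 🛡️ Critical/High Vulnerability\n```\nFile: \($file)\nVulnerabilityID: \(.VulnerabilityID)\nPackage: \(.PkgName) \(.InstalledVersion)\nSeverity: \(.Severity)\nTitle: \(.Title)\n```\n"
+          ' tmp/trivy.json > .trivy-alert.log || true
+
+          git config user.name github-actions
+          git config user.email github-actions@github.com
+          git add -f .trivy-alert.log || true
+          git commit -m "chore: trivy security alert log" || true
+
+      - name: Create Pull Request
+        if: ${{ steps.scan.outputs.trivy_issues_found == 'true' }}
+        uses: peter-evans/create-pull-request@v5
+        with:
+          commit-message: 'chore: vulnerabilities detected by Trivy (HIGH/CRITICAL)'
+          title: 'chore: auto PR for Trivy security scan'
+          body-path: tmp/pr-body.md
+          branch: auto/trivy-security-scan
+          base: soc2
+          delete-branch: true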
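Review bot: Neither security gate actually turns the check red: `bandit_scan` carries `continue-on-error: true` at job level (line 24), so its "Fail Job If Vulnerabilities Found" step is reported as a success, and the Trivy "Set exit code if issues" step has its own `continue-on-error: true` (line 257), so `trivy_security_scan_and_pr` passes with HIGH/CRITICAL findings too — branch protection on these checks will not block a merge, contrary to the comment on line 253. Drop both `continue-on-error` lines; keep `auto-pr` reachable after a failed Bandit job with `if: ${{ always() && needs.bandit_scan.outputs.bandit-high-found == 'true' }}`, and for Trivy move the `exit 1` step to the end of the job, after "Create Pull Request". Separately, the third-party actions are pinned to mutable tags (`actions/checkout@v3`, `peter-evans/create-pull-request@v5`) rather than commit SHAs, and the Trivy signing key is dropped into `/etc/apt/trusted.gpg.d/` (line 212), which makes it trusted for every apt source; prefer a SHA pin and a `[signed-by=/usr/share/keyrings/trivy.asc]` clause on the source line. The Ruff job also opens its PR against `base: atherton` (line 163) while the triggers and every other job use `soc2`, which looks like a leftover.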
