fix: Align CI security scanning with release pipeline to prevent release failures (#39)

coding-ai-assistant[bot] · florath · web-flow · commit e3f6fb855bc7 · 2025-11-20T16:08:21.000+01:00
This change ensures consistent security checking behavior between CI and release pipelines by making CI security scans fail on issues, matching the release pipeline's strict security requirements. Changes: - Remove JSON output mode from bandit scan to enable failure on issues - Remove '|| true' from safety check to enable failure on vulnerabilities - Add security-scan as required job dependency in notify job - Remove artifact archiving for security reports as scans now fail on issues This prevents code with security issues from passing CI but failing during release, improving developer experience and ensuring early issue detection. Fixes #21 Co-authored-by: florath-ai-assistant[bot] <Andreas.Florath@telekom.de>
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -121,20 +121,11 @@ jobs:
 
     - name: Run bandit security scan
       run: |
-        bandit -r src/ -ll -f json -o bandit-report.json
-        echo "Bandit scan completed. Check bandit-report.json for details."
+        bandit -r src/ -ll
 
     - name: Run safety check
       run: |
-        safety check --json --output safety-report.json || true
-
-    - name: Archive security reports
-      uses: actions/upload-artifact@v4
-      with:
-        name: security-reports
-        path: |
-          bandit-report.json
-          safety-report.json
+        safety check
 
   build:
     name: Build Package
@@ -451,16 +442,16 @@ jobs:
     name: Notify
     runs-on: ubuntu-latest
     if: always()
-    needs: [lint-and-type-check, test, build, integration-tests, cross-platform-integration]
+    needs: [lint-and-type-check, test, security-scan, build, integration-tests, cross-platform-integration]
 
     steps:
     - name: Notify on success
-      if: ${{ needs.lint-and-type-check.result == 'success' && needs.test.result == 'success' && needs.build.result == 'success' && needs.cross-platform-integration.result == 'success' }}
+      if: ${{ needs.lint-and-type-check.result == 'success' && needs.test.result == 'success' && needs.security-scan.result == 'success' && needs.build.result == 'success' && needs.cross-platform-integration.result == 'success' }}
       run: |
         echo "✅ All checks passed!"
 
     - name: Notify on failure
-      if: ${{ needs.lint-and-type-check.result == 'failure' || needs.test.result == 'failure' || needs.build.result == 'failure' || needs.cross-platform-integration.result == 'failure' }}
+      if: ${{ needs.lint-and-type-check.result == 'failure' || needs.test.result == 'failure' || needs.security-scan.result == 'failure' || needs.build.result == 'failure' || needs.cross-platform-integration.result == 'failure' }}
       run: |
         echo "❌ Some checks failed!"
         exit 1
