Security Scan #53

Workflow file for this run

.github/workflows/security-scan.yml at 743b4dd

	---
	name: Security Scan

	# yamllint disable=truthy
	on:
	push:
	branches: [main, feature/, hotfix/, release/, bugfix/, chore/, refactor/]
	pull_request:
	branches: [main]
	schedule:
	- cron: '17 2 * * 1'
	workflow_dispatch: {}
	# yamllint enable=truthy
	permissions:
	contents: read
	security-events: write # For uploading SARIF results

	jobs:
	security:
	runs-on: ubuntu-latest
	timeout-minutes: 20

	steps:
	- name: Checkout repository
	uses: actions/checkout@v4
	with:
	persist-credentials: false

	- name: Setup Python
	uses: actions/setup-python@v5
	with:
	python-version: '3.11'
	cache: 'pip'
	cache-dependency-path: requirements-dev.txt

	- name: Install dependencies
	run: \|
	sudo apt-get update
	sudo apt-get install -y python3-distutils python3-venv build-essential \|\| true
	python -m pip install --upgrade pip
	pip install -r requirements-dev.txt
	pip install pip-audit

	- name: Bandit (JSON output)
	run: \|
	python -m bandit -r src \
	--severity-level medium \
	--confidence-level medium \
	-f json -o bandit-results.json \|\| true

	- name: Convert Bandit JSON to SARIF
	run: \|
	python - <<'PY'
	import json, sys, os
	j = 'bandit-results.json'
	s = 'bandit-results.sarif'
	if not os.path.exists(j) or os.path.getsize(j) == 0:
	print('No Bandit JSON results to convert; writing empty SARIF')
	open(s, 'w').write(json.dumps({"version": "2.1.0", "runs": []}))
	sys.exit(0)
	doc = json.load(open(j))
	tool = {
	'driver': {
	'name': 'bandit',
	'informationUri': 'https://bandit.readthedocs.io',
	'rules': [],
	}
	}
	rules_index = {}
	results = []
	for issue in doc.get('results', []):
	rule_id = issue.get('test_id', 'B000')
	if rule_id not in rules_index:
	rules_index[rule_id] = len(tool['driver']['rules'])
	tool['driver']['rules'].append({
	'id': rule_id,
	'shortDescription': {'text': issue.get('test_name', '')},
	'fullDescription': {'text': issue.get('issue_text', '')},
	'properties': {
	'severity': issue.get('issue_severity'),
	'confidence': issue.get('issue_confidence'),
	},
	})
	if issue.get('issue_severity') == 'HIGH':
	level = 'error'
	elif issue.get('issue_severity') == 'MEDIUM':
	level = 'warning'
	else:
	level = 'note'
	res = {
	'ruleId': rule_id,
	'level': level,
	'message': {'text': issue.get('issue_text')},
	'locations': [{
	'physicalLocation': {
	'artifactLocation': {'uri': issue.get('filename')},
	'region': {'startLine': issue.get('line_number')}
	}
	}]
	}
	results.append(res)
	sarif = {
	'version': '2.1.0',
	'$schema': 'https://json.schemastore.org/sarif-2.1.0.json',
	'runs': [{'tool': tool, 'results': results}],
	}
	open(s, 'w').write(json.dumps(sarif, indent=2))
	print('Wrote SARIF:', s)
	PY

	- name: Bandit (console)
	run: \|
	python -m bandit -r src \
	--severity-level medium \
	--confidence-level medium \|\| true

	- name: Upload Bandit SARIF results
	if: always()
	uses: github/codeql-action/upload-sarif@v4
	with:
	sarif_file: bandit-results.sarif
	category: bandit

	- name: Pip Audit
	run: pip-audit -r requirements.txt -r requirements-dev.txt

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security Scan #53

Workflow file

Security Scan #53

Uh oh!

Workflow file for this run