Skip to content

Replace pickle with safer alternatives #24596

Replace pickle with safer alternatives

Replace pickle with safer alternatives #24596

name: Security Scans
on:
pull_request:
types: [opened, synchronize, labeled]
concurrency:
group: security-scans-${{ github.head_ref }} # head branch name
cancel-in-progress: true
jobs:
changes:
name: Check for file changes
runs-on: ubuntu-22.04
outputs:
backend: ${{ steps.filter.outputs.backend }}
docker: ${{ steps.filter.outputs.docker }}
docs: ${{ steps.filter.outputs.docs }}
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50
id: filter
with:
token: ${{ secrets.GITHUB_TOKEN }}
filters: .github/change_filters.yml
trivy:
name: Detecting hardcoded secrets
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
with:
# Fetch all history for all tags and branches
fetch-depth: '0'
- name: Run Trivy vulnerability scanner
id: trivy
uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2
continue-on-error: true
with:
format: 'table'
scan-type: 'fs'
exit-code: '1'
scanners: 'secret'
- name: Alert on secret finding
if: steps.trivy.outcome == 'failure'
uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844
with:
payload: |
{
"text": "*A secret was detected in a GitHub commit in the repo ${{ github.repository }}.*\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*A secret was detected in a GitHub commit in the repo ${{ github.repository }}.*\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_CODESECURITY_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
- name: Fail build if a secret is found
if: steps.trivy.outcome == 'failure'
run: |
echo "=========================================================="
echo "| This build has failed because Trivy detected a secret. |"
echo "=========================================================="
echo "1. Check the step 'Run Trivy vulnerability scanner' for output to help you find the secret."
echo "2. If the finding is a false positive, add it as an entry to trivy-secret.yaml in the root of the repo to suppress the finding."
echo "3. If the finding is valid, the security team can help advise your next steps."
exit 1
bandit:
name: Detect python security issues
runs-on: ubuntu-22.04
needs: [changes]
steps:
- name: Checkout git repository 🕝
if: needs.changes.outputs.backend == 'true'
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
- name: Set up Python 3.10 🐍
if: needs.changes.outputs.backend == 'true'
uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b
with:
python-version: '3.10'
- name: Read Poetry Version 🔢
if: needs.changes.outputs.backend == 'true'
run: |
echo "POETRY_VERSION=$(scripts/poetry-version.sh)" >> $GITHUB_ENV
shell: bash
- name: Install poetry 🦄
if: needs.changes.outputs.backend == 'true'
uses: Gr1N/setup-poetry@15821dc8a61bc630db542ae4baf6a7c19a994844 # v8
with:
poetry-version: ${{ env.POETRY_VERSION }}
- name: Load Poetry Cached Libraries ⬇
id: cache-poetry
if: needs.changes.outputs.backend == 'true'
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
with:
path: .venv
key: ${{ runner.os }}-poetry-${{ env.POETRY_VERSION }}-3.9-${{ hashFiles('**/poetry.lock') }}-${{ secrets.POETRY_CACHE_VERSION }}
restore-keys: ${{ runner.os }}-poetry-3.9
- name: Clear Poetry cache
if: steps.cache-poetry.outputs.cache-hit == 'true' && needs.changes.outputs.backend == 'true' && contains(github.event.pull_request.labels.*.name, 'tools:clear-poetry-cache-security-scans')
run: rm -r .venv
- name: Create virtual environment
if: (steps.cache-poetry.outputs.cache-hit != 'true' || contains(github.event.pull_request.labels.*.name, 'tools:clear-poetry-cache-security-scans')) && needs.changes.outputs.backend == 'true'
run: python -m venv create .venv
- name: Set up virtual environment
if: needs.changes.outputs.backend == 'true'
run: poetry config virtualenvs.in-project true
- name: Install Dependencies (Linux) 📦
if: needs.changes.outputs.backend == 'true'
run: make install
- name: Run Bandit 🔪
if: needs.changes.outputs.backend == 'true'
run: make lint-security