Replace pickle with safer alternatives #24597
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Security Scans | |
on: | |
pull_request: | |
types: [opened, synchronize, labeled] | |
concurrency: | |
group: security-scans-${{ github.head_ref }} # head branch name | |
cancel-in-progress: true | |
jobs: | |
changes: | |
name: Check for file changes | |
runs-on: ubuntu-22.04 | |
outputs: | |
backend: ${{ steps.filter.outputs.backend }} | |
docker: ${{ steps.filter.outputs.docker }} | |
docs: ${{ steps.filter.outputs.docs }} | |
steps: | |
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c | |
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 | |
id: filter | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
filters: .github/change_filters.yml | |
trivy: | |
name: Detecting hardcoded secrets | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c | |
with: | |
# Fetch all history for all tags and branches | |
fetch-depth: '0' | |
- name: Run Trivy vulnerability scanner | |
id: trivy | |
uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 | |
continue-on-error: true | |
with: | |
format: 'table' | |
scan-type: 'fs' | |
exit-code: '1' | |
scanners: 'secret' | |
- name: Alert on secret finding | |
if: steps.trivy.outcome == 'failure' | |
uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 | |
with: | |
payload: | | |
{ | |
"text": "*A secret was detected in a GitHub commit in the repo ${{ github.repository }}.*\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}", | |
"blocks": [ | |
{ | |
"type": "section", | |
"text": { | |
"type": "mrkdwn", | |
"text": "*A secret was detected in a GitHub commit in the repo ${{ github.repository }}.*\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}" | |
} | |
} | |
] | |
} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_CODESECURITY_WEBHOOK_URL }} | |
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK | |
- name: Fail build if a secret is found | |
if: steps.trivy.outcome == 'failure' | |
run: | | |
echo "==========================================================" | |
echo "| This build has failed because Trivy detected a secret. |" | |
echo "==========================================================" | |
echo "1. Check the step 'Run Trivy vulnerability scanner' for output to help you find the secret." | |
echo "2. If the finding is a false positive, add it as an entry to trivy-secret.yaml in the root of the repo to suppress the finding." | |
echo "3. If the finding is valid, the security team can help advise your next steps." | |
exit 1 | |
bandit: | |
name: Detect python security issues | |
runs-on: ubuntu-22.04 | |
needs: [changes] | |
steps: | |
- name: Checkout git repository 🕝 | |
if: needs.changes.outputs.backend == 'true' | |
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c | |
- name: Set up Python 3.10 🐍 | |
if: needs.changes.outputs.backend == 'true' | |
uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b | |
with: | |
python-version: '3.10' | |
- name: Read Poetry Version 🔢 | |
if: needs.changes.outputs.backend == 'true' | |
run: | | |
echo "POETRY_VERSION=$(scripts/poetry-version.sh)" >> $GITHUB_ENV | |
shell: bash | |
- name: Install poetry 🦄 | |
if: needs.changes.outputs.backend == 'true' | |
uses: Gr1N/setup-poetry@15821dc8a61bc630db542ae4baf6a7c19a994844 # v8 | |
with: | |
poetry-version: ${{ env.POETRY_VERSION }} | |
- name: Load Poetry Cached Libraries ⬇ | |
id: cache-poetry | |
if: needs.changes.outputs.backend == 'true' | |
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 | |
with: | |
path: .venv | |
key: ${{ runner.os }}-poetry-${{ env.POETRY_VERSION }}-3.9-${{ hashFiles('**/poetry.lock') }}-${{ secrets.POETRY_CACHE_VERSION }} | |
restore-keys: ${{ runner.os }}-poetry-3.9 | |
- name: Clear Poetry cache | |
if: steps.cache-poetry.outputs.cache-hit == 'true' && needs.changes.outputs.backend == 'true' && contains(github.event.pull_request.labels.*.name, 'tools:clear-poetry-cache-security-scans') | |
run: rm -r .venv | |
- name: Create virtual environment | |
if: (steps.cache-poetry.outputs.cache-hit != 'true' || contains(github.event.pull_request.labels.*.name, 'tools:clear-poetry-cache-security-scans')) && needs.changes.outputs.backend == 'true' | |
run: python -m venv create .venv | |
- name: Set up virtual environment | |
if: needs.changes.outputs.backend == 'true' | |
run: poetry config virtualenvs.in-project true | |
- name: Install Dependencies (Linux) 📦 | |
if: needs.changes.outputs.backend == 'true' | |
run: make install | |
- name: Run Bandit 🔪 | |
if: needs.changes.outputs.backend == 'true' | |
run: make lint-security |