Add test file with potential vulnerabilities #5
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Scan | |
| on: | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| jobs: | |
| security-scan: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - name: Set up Python | |
| uses: actions/setup-python@v2 | |
| with: | |
| python-version: '3.x' | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install bandit | |
| - name: Create amir.py | |
| run: | | |
| cat << EOF > amir.py | |
| # (The entire content of amir.py as in the previous example) | |
| EOF | |
| - name: Run security scan | |
| run: python amir.py | |
| - name: Check for vulnerabilities | |
| id: check_vulnerabilities | |
| run: | | |
| if grep -q "Detected Vulnerabilities:" security-scan-results.txt; then | |
| echo "vulnerabilities_found=true" >> $GITHUB_OUTPUT | |
| echo "SCAN_RESULT<<EOF" >> $GITHUB_ENV | |
| cat security-scan-results.txt >> $GITHUB_ENV | |
| echo "EOF" >> $GITHUB_ENV | |
| exit 1 | |
| else | |
| echo "vulnerabilities_found=false" >> $GITHUB_OUTPUT | |
| echo "SCAN_RESULT<<EOF" >> $GITHUB_ENV | |
| cat security-scan-results.txt >> $GITHUB_ENV | |
| echo "EOF" >> $GITHUB_ENV | |
| fi | |
| - name: Comment PR | |
| uses: actions/github-script@v6 | |
| if: always() | |
| with: | |
| github-token: ${{secrets.GITHUB_TOKEN}} | |
| script: | | |
| const fs = require('fs'); | |
| const scanResults = process.env.SCAN_RESULT; | |
| const vulnerabilitiesFound = '${{ steps.check_vulnerabilities.outputs.vulnerabilities_found }}' === 'true'; | |
| let comment = '## Security Scan Results\n\n```\n' + scanResults + '\n```\n\n'; | |
| comment += vulnerabilitiesFound | |
| ? '⛔ **Vulnerabilities detected. Please address these issues before merging.**' | |
| : '✅ **No vulnerabilities detected.**'; | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: comment | |
| }); | |
| - name: Upload scan results | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: security-scan-results | |
| path: security-scan-results.txt | |
| - name: Fail if vulnerabilities found | |
| if: steps.check_vulnerabilities.outputs.vulnerabilities_found == 'true' | |
| run: exit 1 |