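# Security scan for pull requests.
#
# Runs Bandit (static analysis of the Python sources) and Safety (known-vulnerable
# pins in requirements.txt) against the PR head, posts the combined report as a
# PR comment, uploads the raw reports as an artifact, and fails the job when
# high-severity findings are present.
#
# The trigger is `pull_request_target` so that PRs from forks can be commented
# on with a write-scoped GITHUB_TOKEN.  That token is live while untrusted PR
# code is on disk, so the job is arranged defensively:
#   - scan tooling is installed BEFORE the PR is checked out, so nothing from
#     the PR tree is on Python's module path when `python -m pip` runs;
#   - the checkout does not persist the token into .git/config;
#   - the scan steps only read the PR tree (Bandit parses source files, Safety
#     parses requirements.txt); no PR code is imported or executed here.
#   - report text from the PR is written to GITHUB_ENV behind a random heredoc
#     delimiter so it cannot terminate the heredoc early.
name: Security Scan

on:
  pull_request_target:
    types: [opened, synchronize, reopened]
    branches: [main]

# Least privilege: commenting on the PR is the only API write this workflow
# performs (issue-comment endpoints, covered by pull-requests/issues: write).
# No step uploads SARIF or sets commit statuses/checks, so those scopes are
# not requested.
permissions:
  contents: read
  pull-requests: write
  issues: write

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.10'

      # Only bandit and safety are installed, so the key does not depend on the
      # repository's requirements.txt (which this job never installs).
      - name: Cache pip packages
        uses: actions/cache@v4
        with:
          path: ~/.cache/pip
          key: ${{ runner.os }}-pip-scan-tools
          restore-keys: |
            ${{ runner.os }}-pip-

      # Runs before the untrusted checkout: `python -m` puts the current
      # directory first on sys.path, so this must not execute inside the PR tree.
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install bandit safety

      - name: Checkout PR
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
          # Do not leave the write-scoped token in .git/config of an untrusted tree.
          persist-credentials: false

      - name: Run Security Scan
        id: security_scan
        run: |
          # Bandit: static analysis of every Python file in the PR tree.
          # Bandit exits non-zero when it finds issues, hence `|| true`.
          echo "Running Bandit security scan..."
          bandit -r . -f txt -o bandit-results.txt || true

          # Safety: known-vulnerable pins in requirements.txt, when present.
          if [ -f "requirements.txt" ]; then
            echo "Checking dependencies with Safety..."
            safety scan -r requirements.txt --output text > safety-results.txt || true
          fi

          # Combine both reports into one file for the PR comment and the artifact.
          {
            echo "Security Scan Results"
            echo "========================="
            echo ""
            if [ -f "bandit-results.txt" ]; then
              echo "Bandit Scan Results:"
              echo "-------------------"
              cat bandit-results.txt
              echo ""
            fi
            if [ -f "safety-results.txt" ]; then
              echo "Dependency Check Results:"
              echo "-----------------------"
              cat safety-results.txt
            fi
          } > security-scan-results.txt

          # Gate on high-severity findings. Bandit's text report labels findings
          # "Severity: High"; "critical" is matched in the Safety output.
          # NOTE(review): if bandit produced no report at all, this falls through
          # to "false" — confirm that is the intended behaviour.
          if grep -iqE "Severity: (High|Critical)" bandit-results.txt 2>/dev/null; then
            echo "vulnerabilities_found=true" >> "$GITHUB_OUTPUT"
          elif [ -f "safety-results.txt" ] && grep -iq "critical" safety-results.txt; then
            echo "vulnerabilities_found=true" >> "$GITHUB_OUTPUT"
          else
            echo "vulnerabilities_found=false" >> "$GITHUB_OUTPUT"
          fi

      # Builds the PR comment in `comment_body` (GITHUB_ENV).
      # NOTE(review): the original headings carried emoji glyphs that did not
      # survive extraction; plain text is used here.
      - name: Create comment body
        id: create-comment
        if: always()
        env:
          VULNERABILITIES_FOUND: ${{ steps.security_scan.outputs.vulnerabilities_found }}
        run: |
          # The report embeds text from the PR (Bandit prints code snippets),
          # so the heredoc delimiter must be unguessable: a fixed "EOF" could be
          # closed early by a matching line in the report, letting the PR write
          # arbitrary variables into GITHUB_ENV.
          DELIM="comment_body_$(openssl rand -hex 16)"
          {
            echo "comment_body<<${DELIM}"
            echo '## Security Scan Results'
            echo ''
            if [ -f security-scan-results.txt ]; then
              # Four-backtick fence: a ``` inside the report cannot close it.
              echo '````'
              cat security-scan-results.txt
              echo '````'
              echo ''
              if [ "$VULNERABILITIES_FOUND" = "true" ]; then
                echo '**Critical vulnerabilities detected. Please review and address these security issues before merging.**'
                echo ''
                echo '### Next Steps:'
                echo '1. Review each critical finding above and fix them according to OWASP top 10 mitigations.'
              else
                echo '**No critical security issues detected.**'
                echo ''
                echo 'The code has passed all critical security checks.'
              fi
            else
              echo '**Error: The security scan failed to complete. Please review the workflow logs for more information.**'
            fi
            echo "${DELIM}"
          } >> "$GITHUB_ENV"

      # NOTE(review): third-party action referenced by tag; pinning to a full
      # commit SHA removes the tag-rewrite supply-chain risk.
      - name: Comment PR
        uses: peter-evans/create-or-update-comment@v3
        if: always()
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body: ${{ env.comment_body }}

      - name: Upload scan artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-scan-results
          path: |
            security-scan-results.txt
            bandit-results.txt
            safety-results.txt
          retention-days: 5

      - name: Fail if vulnerabilities found
        if: steps.security_scan.outputs.vulnerabilities_found == 'true'
        run: |
          echo "::error::Critical security vulnerabilities were detected. Please review the findings and address them before merging."
          exit 1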