Security scan #704
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Security scan" | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| - cron: "0 0 * * *" | |
| push: | |
| branches: | |
| - main | |
| - 'releases/**' | |
| permissions: {} | |
| jobs: | |
| Trivy: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Setup Python | |
| uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 | |
| with: | |
| python-version: "3.10" | |
| - name: Install dependencies | |
| run: python -m pip install pip-tools | |
| - name: Freeze dependencies | |
| run: | | |
| mkdir -p trivy_input/base | |
| pip-compile -o trivy_input/base/requirements.txt requirements/requirements.txt | |
| mkdir -p trivy_input/docs | |
| pip-compile -o trivy_input/docs/requirements.txt requirements/requirements-docs.txt | |
| mkdir -p trivy_input/notebooks | |
| pip-compile -o trivy_input/notebooks/requirements.txt requirements/requirements-notebooks.txt | |
| mkdir -p trivy_input/develop | |
| pip-compile -o trivy_input/develop/requirements.txt requirements/requirements-dev.txt | |
| - name: Run Trivy Scan (vuln) | |
| uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 | |
| with: | |
| scan-type: fs | |
| scan-ref: trivy_input | |
| scanners: vuln | |
| output: trivy-results-vuln.txt | |
| - name: Run Trivy Scan (dockerfile and secrets) | |
| uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 | |
| if: always() | |
| with: | |
| scan-type: fs | |
| scan-ref: . | |
| scanners: misconfig,secret | |
| output: trivy-results-misconfig.txt | |
| skip-setup-trivy: true | |
| - name: Upload Trivy results | |
| uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 | |
| if: always() | |
| with: | |
| name: trivy-results | |
| path: '${{ github.workspace }}/trivy-results-*' | |
| retention-days: 7 | |
| - name: Upload deps list | |
| uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 | |
| with: | |
| name: python-deps-list | |
| path: '${{ github.workspace }}/trivy_input' | |
| retention-days: 7 | |
| Bandit-all: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Set up Python | |
| uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 | |
| with: | |
| python-version: "3.10" | |
| - name: Install Bandit | |
| run: pip install bandit | |
| - name: Bandit scan (report) | |
| run: bandit --ini tox.ini -f html -o bandit-results.html -r --exit-zero . # report generation only | |
| - name: Upload Bandit artifact | |
| uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 | |
| if: always() | |
| with: | |
| name: bandit-results | |
| path: bandit-results.html | |
| retention-days: 7 | |
| Bandit-high: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Set up Python | |
| uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 | |
| with: | |
| python-version: "3.10" | |
| - name: Install Bandit | |
| run: pip install bandit | |
| - name: Bandit scan (high severity) | |
| run: bandit --ini tox.ini -r -lll . | |
| CodeQL: | |
| name: Analyze (${{ matrix.language }}) | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| # required for all workflows | |
| security-events: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - language: python | |
| build-mode: none | |
| - language: actions # to scan workflows | |
| build-mode: none | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| # Initializes the CodeQL tools for scanning. | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 | |
| with: | |
| languages: ${{ matrix.language }} | |
| build-mode: ${{ matrix.build-mode }} | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 | |
| with: | |
| category: "/language:${{matrix.language}}" | |
| - name: Generate CodeQL Report | |
| uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| template: report | |
| outputDir: codeql-${{ matrix.language }} | |
| - name: Rename Report | |
| shell: bash | |
| continue-on-error: true | |
| run: | | |
| cd codeql-${{ matrix.language }} | |
| mv "report.pdf" "codeql-${{ matrix.language }}.pdf" | |
| - name: Upload Report | |
| uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 | |
| with: | |
| name: codeql-${{ matrix.language }}-results | |
| path: codeql-${{ matrix.language }}/*.pdf | |
| retention-days: 7 | |
| Summarize: | |
| needs: [Trivy, Bandit-all, CodeQL] | |
| if: always() | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 | |
| with: | |
| egress-policy: audit | |
| # Create directory first | |
| - name: Create results directory | |
| run: mkdir -p all-results | |
| # Download artifacts with error handling | |
| - name: Download all results | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| continue-on-error: true # Don't fail if some tools didn't generate results | |
| with: | |
| pattern: "*-results" | |
| merge-multiple: true | |
| path: all-results | |
| # Only upload if there are files | |
| - name: Upload combined results | |
| if: hashFiles('all-results/**/*') != '' | |
| uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 | |
| with: | |
| name: security-scan-results | |
| path: all-results | |
| retention-days: 7 |