47 lines
1011 B
YAML
47 lines
1011 B
YAML
name: Security Scan
|
|
|
|
on:
|
|
pull_request:
|
|
branches:
|
|
- main
|
|
- beta
|
|
- dev
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
security-checks:
|
|
name: Security & Dependencies
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: '3.11'
|
|
cache: 'pip'
|
|
|
|
- name: Install dependencies
|
|
run: |
|
|
python -m pip install --upgrade pip
|
|
pip install -r requirements.txt
|
|
pip install bandit safety
|
|
|
|
- name: Bandit security check
|
|
run: |
|
|
bandit -r src/ -f json -o bandit-report.json || true
|
|
bandit -r src/ -f txt
|
|
|
|
- name: Safety check for dependencies
|
|
run: safety check --json || true
|
|
|
|
- name: Trivy vulnerability scan
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
scan-type: 'fs'
|
|
scan-ref: '.'
|
|
format: 'table'
|
|
severity: 'CRITICAL,HIGH'
|
|
exit-code: '1'
|