55 lines
1.4 KiB
YAML
55 lines
1.4 KiB
YAML
name: Security Scan
|
|
|
|
on:
|
|
pull_request:
|
|
branches:
|
|
- main
|
|
- beta
|
|
- dev
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
security-checks:
|
|
name: Security & Dependencies
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: '3.11'
|
|
cache: 'pip'
|
|
|
|
- name: Install dependencies
|
|
run: |
|
|
python -m pip install --upgrade pip
|
|
pip install -r requirements.txt
|
|
pip install bandit safety
|
|
|
|
- name: Bandit security check
|
|
run: |
|
|
bandit -r src/ -f json -o bandit-report.json || true
|
|
bandit -r src/ -f txt || true
|
|
|
|
# Check for HIGH severity issues only
|
|
HIGH_COUNT=$(python3 -c "import json; data=json.load(open('bandit-report.json')); print(len([i for i in data['results'] if i['severity'] == 'HIGH']))")
|
|
if [ "$HIGH_COUNT" -gt 0 ]; then
|
|
echo "Found $HIGH_COUNT HIGH severity security issues"
|
|
exit 1
|
|
fi
|
|
echo "No HIGH severity security issues found (LOW/MEDIUM are acceptable)"
|
|
|
|
- name: Safety check for dependencies
|
|
run: safety check --json || true
|
|
|
|
- name: Trivy vulnerability scan
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
scan-type: 'fs'
|
|
scan-ref: '.'
|
|
format: 'table'
|
|
severity: 'CRITICAL,HIGH'
|
|
exit-code: '1'
|