migrate from staging #1
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Scanning | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main ] | |
| schedule: | |
| - cron: '0 12 * * 1' # Weekly on Monday | |
| permissions: | |
| contents: read | |
| security-events: write | |
| jobs: | |
| bandit: | |
| name: Bandit Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.10' | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v3 | |
| - name: Create virtual environment | |
| run: uv venv | |
| - name: Install Bandit | |
| run: | | |
| source .venv/bin/activate | |
| uv pip install bandit[toml] | |
| - name: Run Bandit | |
| run: | | |
| source .venv/bin/activate | |
| bandit -r src/ -f json -o bandit-results.json || true | |
| - name: Upload Bandit results | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: bandit-results | |
| path: bandit-results.json | |
| safety: | |
| name: Safety Dependency Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.10' | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v3 | |
| - name: Create virtual environment | |
| run: uv venv | |
| - name: Install safety | |
| run: | | |
| source .venv/bin/activate | |
| uv pip install safety | |
| - name: Generate requirements | |
| run: | | |
| source .venv/bin/activate | |
| uv pip compile pyproject.toml -o requirements.txt || echo "Failed to compile requirements" | |
| - name: Run safety check | |
| run: | | |
| source .venv/bin/activate | |
| safety check -r requirements.txt --json > safety-results.json || true | |
| - name: Upload safety results | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: safety-results | |
| path: safety-results.json | |
| trufflehog: | |
| name: TruffleHog Secret Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: TruffleHog OSS | |
| uses: trufflesecurity/[email protected] | |
| with: | |
| path: ./ | |
| base: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }} | |
| head: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} | |
| extra_args: --debug --only-verified |