Skip to content
Security Scanning

add quickstart to code interpreter #6

Sign in to view logs

add quickstart to code interpreter

add quickstart to code interpreter #6

Workflow file for this run

.github/workflows/security-scanning.yml at d880078
name: Security Scanning
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
schedule:
- cron: '0 12 * * 1' # Weekly on Monday
permissions:
contents: read
security-events: write
jobs:
bandit:
name: Bandit Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.10'
- name: Install uv
uses: astral-sh/setup-uv@v3
- name: Create virtual environment
run: uv venv
- name: Install Bandit
run: |
source .venv/bin/activate
uv pip install bandit[toml]
- name: Run Bandit
run: |
source .venv/bin/activate
bandit -r src/ -f json -o bandit-results.json || true
- name: Upload Bandit results
uses: actions/upload-artifact@v4
if: always()
with:
name: bandit-results
path: bandit-results.json
safety:
name: Safety Dependency Check
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.10'
- name: Install uv
uses: astral-sh/setup-uv@v3
- name: Create virtual environment
run: uv venv
- name: Install safety
run: |
source .venv/bin/activate
uv pip install safety
- name: Generate requirements
run: |
source .venv/bin/activate
uv pip compile pyproject.toml -o requirements.txt || echo "Failed to compile requirements"
- name: Run safety check
run: |
source .venv/bin/activate
safety check -r requirements.txt --json > safety-results.json || true
- name: Upload safety results
uses: actions/upload-artifact@v4
if: always()
with:
name: safety-results
path: safety-results.json
trufflehog:
name: TruffleHog Secret Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: TruffleHog OSS
uses: trufflesecurity/[email protected]
with:
path: ./
base: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }}
head: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
extra_args: --debug --only-verified