Security #32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| schedule: | |
| - cron: "0 4 * * 1" | |
| permissions: | |
| contents: read | |
| security-events: write | |
| jobs: | |
| bandit: | |
| name: Bandit (SAST) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.13" | |
| - run: pip install bandit | |
| - run: bandit -r src/ -f screen -ll | |
| semgrep: | |
| name: Semgrep (OWASP rulesets) | |
| runs-on: ubuntu-latest | |
| container: | |
| image: semgrep/semgrep | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - run: semgrep --config=p/python --config=p/security-audit --config=p/owasp-top-ten --error --severity ERROR --severity WARNING src/ | |
| pip-audit: | |
| name: pip-audit (dependency CVEs) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.13" | |
| # Upgrade pip first so the runner's own pip version is not flagged | |
| # (the audit targets the project's dependency tree, not the toolchain). | |
| - run: pip install --upgrade pip pip-audit | |
| - run: pip-audit --strict | |
| gitleaks: | |
| name: Gitleaks (secrets) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| # Use the gitleaks CLI directly: the gitleaks-action requires a paid | |
| # license for organization repositories, the open-source CLI does not. | |
| - name: Install gitleaks | |
| run: curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.30.1/gitleaks_8.30.1_linux_x64.tar.gz | tar -xz -C /usr/local/bin gitleaks | |
| - name: Scan git history for secrets | |
| run: gitleaks git . --redact --verbose | |
| codeql: | |
| name: CodeQL (semantic SAST) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| actions: read | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: github/codeql-action/init@v3 | |
| with: | |
| languages: python | |
| queries: security-extended,security-and-quality | |
| - uses: github/codeql-action/analyze@v3 |