ci(deps): bump docker/setup-buildx-action from 3 to 4 #206
Workflow file for this run
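# Security Scanning Workflow
# Runs additional security checks on PRs and scheduled scans.
#
# NOTE(review): every scan step below is advisory -- each one sets
# `continue-on-error: true` (and most shell steps also append `|| true`),
# so no finding currently fails the workflow. Results must be read from the
# uploaded artifacts and the Security tab. Tighten this once the baseline
# is clean, otherwise the green check mark says nothing about security.
name: Security Scan

on:
  pull_request:
    branches: [ "main" ]
  push:
    branches: [ "main" ]
  schedule:
    # Run weekly on Mondays at 10:00 AM UTC
    - cron: '0 10 * * 1'
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: read-only for every job by default.
# Jobs that need to write (PR comment, SARIF upload) widen their own
# permissions explicitly below instead of inheriting a write-all token.
permissions:
  contents: read

jobs:
  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request' && github.repository == 'neuromechanist/hed-bot'
    # Note: Requires GitHub Advanced Security (not available on free tier)
    # This job will be skipped unless you have GHAS enabled
    continue-on-error: true
    permissions:
      contents: read
      pull-requests: write  # required for comment-summary-in-pr below
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: moderate
          comment-summary-in-pr: always
        # Advisory: fail-on-severity never blocks the PR while this is set
        continue-on-error: true

  python-security:
    name: Python Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: '3.12'
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install safety bandit
      - name: Run Safety (dependency vulnerabilities)
        # NOTE(review): `safety check` is deprecated in Safety 3.x in favour
        # of `safety scan`; confirm the version pip resolves still supports
        # it. The JSON output is only printed, not uploaded as an artifact.
        run: |
          pip install -e .
          safety check --json || true
        continue-on-error: true
      - name: Run Bandit (code security issues)
        # First run writes the JSON report for the artifact; second run
        # prints a human-readable summary into the job log.
        run: |
          bandit -r src/ -f json -o bandit-report.json || true
          bandit -r src/ -f screen
        continue-on-error: true
      - name: Upload Bandit report
        uses: actions/upload-artifact@v6
        if: always()
        with:
          name: bandit-security-report
          path: bandit-report.json

  docker-security:
    name: Docker Image Security Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # required by codeql-action/upload-sarif
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Build Docker image
        run: |
          docker build -f deploy/Dockerfile -t hed-bot:security-scan .
      # NOTE(review): `@master` is a mutable ref -- any upstream commit (or a
      # compromised upstream repo) lands in this security workflow on the next
      # run. Pin both Trivy steps to a release tag or, better, a full commit
      # SHA, and let Dependabot bump it like the other actions in this repo.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'hed-bot:security-scan'
          format: 'table'
          severity: 'CRITICAL,HIGH'
        continue-on-error: true
      - name: Run Trivy for SARIF report
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'hed-bot:security-scan'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
        continue-on-error: true
      - name: Upload Trivy results to GitHub Security
        # Code scanning upload is free only on public repos; a private repo
        # would additionally need GHAS, which this condition does not detect.
        if: github.event.repository.visibility == 'public'
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-results.sarif'
        continue-on-error: true
      - name: Upload Trivy report as artifact
        uses: actions/upload-artifact@v6
        if: always()
        with:
          name: trivy-security-report
          path: trivy-results.sarif

  secrets-scan:
    name: Secrets Scan
    runs-on: ubuntu-latest
    # Only run on pull requests to avoid BASE/HEAD same commit error on push to main
    if: github.event_name == 'pull_request'
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          fetch-depth: 0 # Full history for better detection
      # NOTE(review): same mutable-ref concern as trivy-action@master above --
      # pin trufflehog to a release tag or commit SHA. This job runs on the
      # `pull_request` event (not `pull_request_target`), so fork PRs get a
      # read-only token and cannot exfiltrate repository secrets here.
      - name: TruffleHog Secrets Scan
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: ${{ github.event.pull_request.base.sha }}
          head: ${{ github.event.pull_request.head.sha }}
          extra_args: --only-verified

  security-summary:
    name: Security Summary
    runs-on: ubuntu-latest
    # dependency-review is intentionally not a dependency: it is skipped on
    # push/schedule runs and would otherwise hold this summary back.
    needs: [python-security, docker-security, secrets-scan]
    if: always()
    steps:
      - name: Security Scan Complete
        run: |
          echo "Security scans completed!"
          echo "Review the results in the Actions tab and Security tab."
          echo ""
          echo "Scans performed:"
          echo "  - Dependency vulnerabilities (Safety)"
          echo "  - Code security issues (Bandit)"
          echo "  - Docker image vulnerabilities (Trivy)"
          echo "  - Secret detection (TruffleHog)"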