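# Security Scanning Workflow
# Runs additional security checks on PRs and scheduled scans.
#
# Gating behaviour: only the TruffleHog step can fail a run. Every other
# scanner step is wrapped in `|| true` and/or `continue-on-error: true`, so
# Safety, Bandit, Trivy and Dependency Review findings are informational and
# have to be read from the job log, the uploaded artifacts or the Security tab.
name: Security Scan

on:
  pull_request:
    branches: ["main"]
  push:
    branches: ["main"]
  schedule:
    # Run weekly on Mondays at 10:00 AM UTC
    - cron: '0 10 * * 1'
  workflow_dispatch:

# Least-privilege default for GITHUB_TOKEN. Jobs that need more (PR comments,
# SARIF upload) declare their own `permissions` block below; a job-level block
# replaces this one entirely, so those jobs restate `contents: read`.
permissions:
  contents: read

jobs:
  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request' && github.repository == 'neuromechanist/hed-bot'
    # Note: Requires GitHub Advanced Security (not available on free tier).
    # Without GHAS the action errors; continue-on-error (job and step level)
    # keeps that from failing the workflow.
    continue-on-error: true
    # comment-summary-in-pr: always needs write access to PR comments.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: moderate
          comment-summary-in-pr: always
        continue-on-error: true

  python-security:
    name: Python Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: '3.12'

      - name: Install dependencies
        # Scanner versions are unpinned; a release of safety/bandit can change
        # results between runs. Pin (`pip install safety==<VERSION> ...`) once a
        # known-good version is chosen.
        run: |
          python -m pip install --upgrade pip
          pip install safety bandit

      - name: Run Safety (dependency vulnerabilities)
        # `|| true` plus continue-on-error: findings never fail the job and are
        # only visible in the step log (the JSON goes to stdout, not a file).
        run: |
          pip install -e .
          safety check --json || true
        continue-on-error: true

      - name: Run Bandit (code security issues)
        # First pass writes the JSON artifact; second pass prints a readable
        # report to the log. Neither fails the job.
        run: |
          bandit -r src/ -f json -o bandit-report.json || true
          bandit -r src/ -f screen
        continue-on-error: true

      - name: Upload Bandit report
        uses: actions/upload-artifact@v6
        if: always()
        with:
          name: bandit-security-report
          path: bandit-report.json

  docker-security:
    name: Docker Image Security Scan
    runs-on: ubuntu-latest
    # upload-sarif needs security-events: write; contents: read is restated
    # because this block replaces the workflow-level permissions.
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Build Docker image
        run: |
          docker build -f deploy/Dockerfile -t hed-bot:security-scan .

      - name: Run Trivy vulnerability scanner
        # TODO(security): `@master` is a mutable ref, so the action code can
        # change under this workflow without a PR. Pin to a release tag or a
        # full-length commit SHA (`@<PINNED_SHA>  # vX.Y.Z`) instead.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'hed-bot:security-scan'
          format: 'table'
          severity: 'CRITICAL,HIGH'
        continue-on-error: true

      - name: Run Trivy for SARIF report
        # Same mutable-ref caveat as the step above; pin both to the same ref.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'hed-bot:security-scan'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
        continue-on-error: true

      - name: Upload Trivy results to GitHub Security
        # Only upload if this is a public repo or has GHAS enabled. If the SARIF
        # step above failed there is no file; continue-on-error tolerates that.
        if: github.event.repository.visibility == 'public'
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-results.sarif'
        continue-on-error: true

      - name: Upload Trivy report as artifact
        uses: actions/upload-artifact@v6
        if: always()
        with:
          name: trivy-security-report
          path: trivy-results.sarif

  secrets-scan:
    name: Secrets Scan
    runs-on: ubuntu-latest
    # Only run on pull requests to avoid BASE/HEAD same commit error on push to main.
    # This is the one job with no continue-on-error: a verified secret fails the PR.
    if: github.event_name == 'pull_request'
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          fetch-depth: 0  # Full history so base..head can be diffed

      - name: TruffleHog Secrets Scan
        # TODO(security): `@main` is a mutable ref for a tool that reads the
        # whole repository; pin to a release tag or full-length commit SHA.
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: ${{ github.event.pull_request.base.sha }}
          head: ${{ github.event.pull_request.head.sha }}
          extra_args: --only-verified

  security-summary:
    name: Security Summary
    runs-on: ubuntu-latest
    # dependency-review is deliberately not listed: it only runs on PRs for one
    # repository and is tolerated on failure, so it would add nothing here.
    needs: [python-security, docker-security, secrets-scan]
    if: always()
    steps:
      - name: Security Scan Complete
        # Informational only; this job does not inspect the other jobs' results.
        run: |
          echo "Security scans completed!"
          echo "Review the results in the Actions tab and Security tab."
          echo ""
          echo "Scans performed:"
          echo "  - Dependency vulnerabilities (Safety)"
          echo "  - Code security issues (Bandit)"
          echo "  - Docker image vulnerabilities (Trivy)"
          echo "  - Secret detection (TruffleHog)"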