add HTTPS bucket policy #1863
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Scan | |
| on: | |
| pull_request: | |
| branches: | |
| - '*' | |
| jobs: | |
| python-scan: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| include: | |
| - {python-version: '3.10' } | |
| - {python-version: '3.12' } | |
| steps: | |
| - name: Git clone the repository | |
| uses: actions/checkout@v3 | |
| - name: Set up Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| - name: Install Python Modules | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -U bandit pip-audit setuptools . | |
| #pip install pipdeptree | |
| #pipdeptree | |
| - name: Bandit Scan | |
| run: | | |
| bandit -r . | |
| - name: Install cid-cmd | |
| run: | | |
| pip install -U . | |
| - name: Pip Audit | |
| run: | | |
| # GHSA-wfm5-v35h-vwf4 gitpython is a dependency of pip-audit not cid-cmd | |
| # GHSA-cwvm-v4w8-q58c gitpython is a dependency of pip-audit not cid-cmd | |
| # GHSA-4xh5-x5gv-qwph pip not cid-cmd | |
| # GHSA-pq67-6m6q-mj2v urllib3 <1.7 is a dep of boto3 need to wait till it updates to urllib3 2.5.0 | |
| # GHSA-2xpw-w6gg-jr37 GHSA-gm62-xv2j-4w53 - urllib3 | |
| # GHSA-38jv-5279-wg99 - urllib3 is a dep of boto3, conflicts with boto3 requirement | |
| pip-audit --ignore-vuln GHSA-wfm5-v35h-vwf4 \ | |
| --ignore-vuln GHSA-cwvm-v4w8-q58c \ | |
| --ignore-vuln GHSA-pq67-6m6q-mj2v \ | |
| --ignore-vuln GHSA-4xh5-x5gv-qwph \ | |
| --ignore-vuln GHSA-gm62-xv2j-4w53 \ | |
| --ignore-vuln GHSA-2xpw-w6gg-jr37 \ | |
| --ignore-vuln GHSA-38jv-5279-wg99 \ | |
| python-pylint-cid: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Git clone the repository | |
| uses: actions/checkout@v3 | |
| - name: Set up Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.11' | |
| - name: Install cfn-lint | |
| run: | | |
| pip install pylint | |
| - name: PyLint | |
| run: | | |
| pylint ./cid/ | |
| cfn-scan-cid: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Git clone the repository | |
| uses: actions/checkout@v3 | |
| - name: Set up Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.10' | |
| - name: Set up Ruby | |
| uses: ruby/setup-ruby@v1 | |
| with: | |
| ruby-version: '3.1' | |
| - name: Install CFN tools | |
| run: | | |
| gem install cfn-nag | |
| - name: CFN Nag scan | |
| run: | | |
| cfn_nag_scan --input-path ./cfn-templates/cid-cfn.yml | |
| - name: Install cfn-lint | |
| run: | | |
| pip install cfn-lint | |
| - name: CFN Lint | |
| run: | | |
| cfn-lint ./cfn-templates/cid-cfn.yml | |
| cfn-scan-cid-admin-policies: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Git clone the repository | |
| uses: actions/checkout@v3 | |
| - name: Set up Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.10' | |
| - name: Set up Ruby | |
| uses: ruby/setup-ruby@v1 | |
| with: | |
| ruby-version: '3.1' | |
| - name: Install CFN tools | |
| run: | | |
| gem install cfn-nag | |
| - name: CFN Nag scan | |
| run: | | |
| cfn_nag_scan --input-path ./cfn-templates/cid-admin-policies.yaml | |
| - name: Install cfn-lint | |
| run: | | |
| pip install cfn-lint | |
| - name: CFN Lint | |
| run: | | |
| cfn-lint ./cfn-templates/cid-admin-policies.yaml | |
| terraform-scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Git clone the repository | |
| uses: actions/checkout@v3 | |
| - name: Set up Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.11' | |
| - name: Install checkov | |
| run: | | |
| pip install -U schema checkov | |
| - name: Checkov scan | |
| run: | | |
| checkov --directory ./terraform-modules |