Add comprehensive security scanning workflows for Python #1
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. GitHub shows this banner only for files in which it actually detected such characters, so for a CI workflow this deserves a byte-level check before merging (for example `grep -nP '[^\x00-\x7F]'` on the raw file, or an editor that reveals hidden Unicode characters): invisible or bidirectional characters can make a reviewed `run:` script differ from the one that executes (the "Trojan Source" class of issue, CVE-2021-42574).
Learn more about bidirectional Unicode characters
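---
# Security scanning for the Python SDK: CodeQL (SAST), dependency
# vulnerability scanning, and supplementary static analysis. Results are
# published to the repository's Security tab as SARIF where the tool can
# emit SARIF, and always kept as build artifacts.
#
# Notes for reviewers:
# - Every third-party action is pinned to a full commit SHA; the trailing
#   comment is only the human-readable tag. Keep both in sync when bumping.
# - The scanner steps use `continue-on-error: true` so findings (or a tool
#   crash) do not block the pipeline, but failures remain visible on the
#   step. For that reason the commands deliberately do NOT append
#   `|| echo "... completed"` — that would make a broken invocation look
#   like a clean scan and silently skip the guarded SARIF uploads.
# - Scanner tools are installed from PyPI with exact version pins but no
#   hash pinning; treat a version bump as a supply-chain change.
# - NOTE(review): the forge flagged this file as containing hidden or
#   bidirectional Unicode characters. Inspect the raw bytes before merging;
#   a CI workflow is an attractive place for Trojan-Source-style edits.
name: "CodeQL Security Analysis"

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
  schedule:
    # Run CodeQL analysis weekly on Mondays at 2 AM UTC
    - cron: '0 2 * * 1'

# Least privilege for GITHUB_TOKEN. `security-events: write` is what
# upload-sarif needs; `actions: read` is required by the CodeQL action.
# On `pull_request` events from forks the token is read-only regardless,
# so the SARIF uploads will fail for fork PRs; the scans still run and the
# artifacts are still produced.
permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    timeout-minutes: 360
    strategy:
      fail-fast: false
      matrix:
        language: [ 'python' ]

    steps:
      - name: Checkout repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Initialize CodeQL
        uses: github/codeql-action/init@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
        with:
          languages: ${{ matrix.language }}
          # Override default queries to include security-extended for more comprehensive analysis
          queries: security-extended,security-and-quality

      - name: Setup Python 3.11
        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
        with:
          python-version: '3.11'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install tox setuptools wheel

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
        with:
          category: "/language:${{matrix.language}}"
          # Write the SARIF inside the workspace so the upload step below can
          # reference it by a repository-independent relative path and guard
          # on its existence. The action's default is `../results`, i.e.
          # /home/runner/work/<repo>/results, which ties the workflow to the
          # repository name and cannot be matched by hashFiles().
          output: codeql-results
          # The upload is done by the explicit step below; the intent is to
          # avoid a clash with CodeQL "default setup".
          # NOTE(review): if default setup is enabled on the repository,
          # uploads of workflow-produced CodeQL SARIF may still be rejected
          # regardless of the category chosen — confirm against repo settings.
          upload: false

      - name: Upload CodeQL results manually
        uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
        # Only attempt the upload when the analysis actually produced SARIF;
        # `always()` alone fails this step after a cancelled/failed analyze.
        if: always() && hashFiles('codeql-results/*.sarif') != ''
        with:
          # A directory is accepted; every *.sarif inside it is uploaded.
          sarif_file: codeql-results
          category: 'custom-codeql-analysis'

  dependency-scan:
    name: Python Dependency Scan
    runs-on: ubuntu-latest
    timeout-minutes: 30

    steps:
      - name: Checkout repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Setup Python 3.11
        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
        with:
          python-version: '3.11'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install tox setuptools wheel

      - name: Install and run Safety
        continue-on-error: true
        run: |
          # Install Safety for Python dependency vulnerability scanning
          pip install safety==3.2.8
          # Install the SDK (this executes setup.py from the checked-out ref)
          # so that its resolved dependencies are present in the environment,
          # and record them for the artifact.
          pip install -e .
          pip freeze > requirements-frozen.txt
          # Scan the environment and write a JSON report. In Safety 2.x/3.x
          # `--output` selects the format and `--save-json` the file path.
          # NOTE(review): `safety check` is deprecated in 3.x in favour of
          # `safety scan`; re-check the flags against `safety check --help`
          # when bumping the version.
          safety check --output json --save-json safety-results.json

      - name: Install and run pip-audit
        continue-on-error: true
        run: |
          # Install pip-audit for Python package vulnerability scanning
          pip install pip-audit==2.7.3
          # Audit the environment populated by the previous step (editable
          # install of the SDK itself excluded). A JSON report is kept as an
          # artifact; NOTE(review): pip-audit 2.7.x does not document a
          # `sarif` output format, so there is no Security-tab upload for it.
          pip-audit --skip-editable --format=json --output=pip-audit-results.json

      - name: Install and run Bandit
        continue-on-error: true
        run: |
          # Install Bandit for Python security linting. The `sarif` extra
          # pulls in the SARIF formatter dependencies; `toml` reads
          # pyproject-based configuration.
          pip install 'bandit[toml,sarif]==1.7.10'
          # Run Bandit security analysis and generate SARIF
          bandit -r aws_xray_sdk/ -f sarif -o bandit-results.sarif

      - name: Upload Bandit results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
        if: always() && hashFiles('bandit-results.sarif') != ''
        with:
          sarif_file: bandit-results.sarif
          category: 'bandit-security'

      - name: Upload dependency reports
        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        if: always()
        with:
          name: dependency-reports
          path: |
            safety-results.json
            pip-audit-results.json
            bandit-results.sarif
            requirements-frozen.txt

  security-scan:
    name: Python Security Scan
    runs-on: ubuntu-latest
    timeout-minutes: 30

    steps:
      - name: Checkout repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Setup Python 3.11
        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
        with:
          python-version: '3.11'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install tox setuptools wheel
          pip install -e .

      - name: Run Semgrep security analysis
        continue-on-error: true
        run: |
          # Install Semgrep
          python -m pip install semgrep==1.88.0
          # Run Semgrep with explicitly named Python/security rulesets.
          # `--config=auto` has Semgrep choose rules by sending project
          # metadata to its registry and forces metrics on; naming the
          # rulesets keeps rule selection reproducible and allows
          # `--metrics=off`.
          semgrep --config=p/python --config=p/security-audit --metrics=off \
            --sarif --output=semgrep-results.sarif .

      - name: Run Pylint checks
        continue-on-error: true
        run: |
          # Pylint with optional extension checkers. These are code-quality
          # checks rather than security rules; the JSON report is kept only
          # as an artifact. `--exit-zero` keeps findings from marking the
          # step failed (a genuine crash still does).
          # NOTE(review): `pylint.extensions.comparetozero` was removed in
          # pylint 3.0 (its check moved into the core implicit-booleaness
          # checker), so it is not loaded here.
          pip install pylint==3.3.1
          pylint \
            --load-plugins=pylint.extensions.bad_builtin,pylint.extensions.check_elif,pylint.extensions.consider_ternary_expression,pylint.extensions.docparams,pylint.extensions.empty_comment,pylint.extensions.eq_without_hash,pylint.extensions.for_any_all,pylint.extensions.mccabe,pylint.extensions.no_self_use,pylint.extensions.overlapping_exceptions,pylint.extensions.private_import,pylint.extensions.redefined_loop_name,pylint.extensions.redefined_variable_type,pylint.extensions.set_membership,pylint.extensions.typing,pylint.extensions.while_used \
            --output-format=json --exit-zero aws_xray_sdk/ > pylint-results.json

      - name: Run mypy type checking
        continue-on-error: true
        run: |
          # Install mypy for static type checking
          pip install mypy==1.13.0
          # Run mypy type checking; type errors surface as a failed (but
          # non-blocking) step, the report is kept as an artifact.
          mypy aws_xray_sdk/ --ignore-missing-imports --json-report mypy-report

      - name: Upload Semgrep results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
        if: always() && hashFiles('semgrep-results.sarif') != ''
        with:
          sarif_file: semgrep-results.sarif
          category: 'semgrep-security'

      - name: Upload security analysis reports
        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        if: always()
        with:
          name: security-analysis-reports
          path: |
            semgrep-results.sarif
            pylint-results.json
            mypy-report/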