AP-24758: Added workflow to scan for cves in the project

dsaam94 · dsaam94 · commit 3aa14c2ac6cd · 2025-08-21T16:03:21.000Z
diff --git a/.github/scripts/parse_pixi_packages.py b/.github/scripts/parse_pixi_packages.py
@@ -0,0 +1,42 @@
+import json
+import sys
+from pathlib import Path
+
+
+def main() -> int:
+    pixi_json_path = Path("pixi-packages.json")
+
+    if not pixi_json_path.exists():
+        print("Could not analyze pixi packages: pixi-packages.json not found")
+        return 0
+
+    try:
+        with pixi_json_path.open("r", encoding="utf-8") as f:
+            data = json.load(f)
+
+        total_packages = 0
+        environments = []
+
+        if isinstance(data, dict):
+            for environment_name, environment_data in data.items():
+                environments.append(environment_name)
+                if (
+                    isinstance(environment_data, dict)
+                    and "packages" in environment_data
+                ):
+                    total_packages += len(environment_data["packages"])
+
+        print(f"- **Total packages:** {total_packages}")
+        print(f"- **Environments:** {environments}")
+
+    except Exception as error:  # noqa: BLE001
+        # Print a friendly message and exit successfully so the caller can choose how
+        # to handle it
+        print(f"Error analyzing packages: {error}")
+        return 0
+
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())
diff --git a/.github/workflows/cve-scan.yml b/.github/workflows/cve-scan.yml
@@ -0,0 +1,105 @@
+name: CVE Scan 
+run-name: Checking dependencies for vulnerabilities
+
+on:
+  pull_request:
+    branches: [ "main" ]
+  merge_group:
+    branches: [ "main" ]
+  schedule:
+    - cron: '21 6 * * 1'
+  push:
+    branches: [ "main" ]
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: 'Log level'
+        required: true
+        default: 'warning'
+        type: choice
+        options:
+        - info
+        - warning
+        - debug
+
+# review the right set of permissions        
+permissions:
+  # Require writing security events to upload SARIF file to security tab
+  security-events: write
+  # Read commit contents
+  contents: read 
+  # Write security summary on pr
+  pull-requests: write 
+
+# Requires setting up Advanced security settings including enabling the Dependency graph option.
+jobs:
+  dependency-scanner:
+    name: Dependency Scanner
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: moderate
+          license-check: true
+          comment-summary-in-pr: always
+
+
+  pixi-packages:
+    name: Pixi Dependencies
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Pixi
+        uses: prefix-dev/setup-pixi@v0.8.1
+        with:
+          pixi-version: latest
+          cache: true
+
+      - name: Install dependencies
+        run: pixi install
+        continue-on-error: true
+
+      - name: List Pixi packages
+        run: |
+          echo "## 📦 Pixi Dependencies Analysis" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          
+          # List packages
+          echo "Extracting package information..."
+          pixi list --json > pixi-packages.json || true
+          
+          # Count packages and environments
+          if [ -f "pixi-packages.json" ]; then
+            python3 .github/scripts/parse_pixi_packages.py >> $GITHUB_STEP_SUMMARY || echo "Could not fetch pixi packages" >> $GITHUB_STEP_SUMMARY
+          fi
+        continue-on-error: true
+
+      - name: Upload Pixi results
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: pixi-package-list
+          path: pixi-packages.json
+          retention-days: 1
+
+  security-summary:
+    name: Security Review Summary
+    runs-on: ubuntu-latest
+    needs: [dependency-scanner, pixi-packages]
+    if: always()
+    steps:
+      - name: Create security summary
+        run: |
+          echo "## 🔒 Dependency Security Review Summary" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Tool | Status | Description |" >> $GITHUB_STEP_SUMMARY
+          echo "|------|--------|-------------|" >> $GITHUB_STEP_SUMMARY
+          echo "| Dependency Review | ${{ needs.dependency-scanner.result }} | GitHub's dependency review for PRs |" >> $GITHUB_STEP_SUMMARY
+          echo "| Pixi Security Check | ${{ needs.pixi-packages.result }} | python packages used in the project |" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
