Simplify Bandit security scan logic #2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Scanning | ||
| on: | ||
| pull_request: | ||
| branches: [ main, develop ] | ||
| push: | ||
| branches: [ main, develop ] | ||
| schedule: | ||
| # Run weekly security scans | ||
| - cron: '0 0 * * 1' | ||
| permissions: | ||
| contents: read | ||
| security-events: write | ||
| jobs: | ||
| security-scan: | ||
| name: Security Vulnerability Scan | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: "3.11" | ||
| cache: 'pip' | ||
| - name: Install security tools | ||
| run: | | ||
| python -m pip install --upgrade pip | ||
| pip install --quiet \ | ||
| bandit>=1.7.0 \ | ||
| safety>=3.0.0 \ | ||
| pip-audit>=2.6.0 | ||
| - name: Run Bandit security scan | ||
| run: | | ||
| echo "Running Bandit security scan..." | ||
| # Generate JSON report first | ||
| bandit -r app/ -f json -o bandit-report.json -c .bandit -ll || true | ||
| echo "" | ||
| echo "=== Bandit Security Scan Results ===" | ||
| # Run for human-readable output | ||
| bandit -r app/ -c .bandit -ll || BANDIT_EXIT=$? | ||
| # Check if there are high/critical severity issues | ||
| if [ -f bandit-report.json ]; then | ||
| HIGH_SEVERITY=$(python3 << 'EOF' | ||
| import json | ||
| import sys | ||
| try: | ||
| with open('bandit-report.json', 'r') as f: | ||
| data = json.load(f) | ||
| high_issues = [ | ||
| r for r in data.get('results', []) | ||
| if r.get('issue_severity') in ['HIGH', 'CRITICAL'] | ||
| ] | ||
| if high_issues: | ||
| print(f"Found {len(high_issues)} high/critical severity issues:") | ||
| for issue in high_issues[:5]: # Show first 5 | ||
| print(f" - {issue.get('test_id')}: {issue.get('issue_text', '')[:80]}") | ||
| sys.exit(1) | ||
| else: | ||
| print("✅ No high/critical severity issues found.") | ||
| print("⚠️ Medium/low severity issues may exist - review the report above.") | ||
| sys.exit(0) | ||
| except Exception as e: | ||
| print(f"⚠️ Could not parse bandit report: {e}") | ||
| sys.exit(0) | ||
| EOF | ||
| ) | ||
| if [ $? -eq 1 ]; then | ||
| echo "❌ High or critical severity security issues found. Please fix them." | ||
| exit 1 | ||
| fi | ||
| else | ||
| echo "⚠️ Could not generate bandit report. Continuing..." | ||
| fi | ||
| - name: Check dependencies with Safety | ||
| run: | | ||
| echo "Checking for vulnerable dependencies with Safety..." | ||
| pip install -e ".[dev]" | ||
| safety check --json | ||
| safety check | ||
| - name: Audit dependencies with pip-audit | ||
| run: | | ||
| echo "Auditing dependencies with pip-audit..." | ||
| pip-audit --desc | ||
| continue-on-error: true | ||
| - name: Check for hardcoded secrets | ||
| run: | | ||
| echo "Checking for hardcoded secrets..." | ||
| # Use git-secrets or similar pattern matching | ||
| SECRET_PATTERNS=( | ||
| "AKIA[0-9A-Z]{16}" # AWS Access Key | ||
| "sk_live_[0-9a-zA-Z]{32}" # Stripe Live Key | ||
| "sk_test_[0-9a-zA-Z]{32}" # Stripe Test Key | ||
| "AIza[0-9A-Za-z_-]{35}" # Google API Key | ||
| ) | ||
| FOUND_SECRETS=false | ||
| for pattern in "${SECRET_PATTERNS[@]}"; do | ||
| if git grep -iE "$pattern" -- ':!tests/*' ':!*.md' ':!*.txt'; then | ||
| echo "⚠️ Potential secret detected: $pattern" | ||
| FOUND_SECRETS=true | ||
| fi | ||
| done | ||
| if [ "$FOUND_SECRETS" = true ]; then | ||
| echo "❌ Potential secrets detected. Please review and remove." | ||
| exit 1 | ||
| fi | ||
| echo "✅ No hardcoded secrets detected" | ||
| continue-on-error: false | ||
| - name: Upload security reports | ||
| uses: actions/upload-artifact@v4 | ||
| if: always() | ||
| with: | ||
| name: security-reports | ||
| path: | | ||
| bandit-report.json | ||
| retention-days: 30 | ||
