-
Notifications
You must be signed in to change notification settings - Fork 0
135 lines (115 loc) · 3.75 KB
/
security-scan.yml
File metadata and controls
135 lines (115 loc) · 3.75 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
name: Security Scanning
on:
pull_request:
branches: [ main, develop ]
push:
branches: [ main, develop ]
schedule:
# Run weekly security scans
- cron: '0 0 * * 1'
permissions:
contents: read
security-events: write
jobs:
security-scan:
name: Security Vulnerability Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
cache: 'pip'
- name: Install security tools
run: |
python -m pip install --upgrade pip
pip install --quiet \
bandit>=1.7.0 \
safety>=3.0.0 \
pip-audit>=2.6.0
- name: Run Bandit security scan
run: |
echo "Running Bandit security scan..."
# Generate JSON report first
bandit -r app/ -f json -o bandit-report.json -c .bandit -ll || true
echo ""
echo "=== Bandit Security Scan Results ==="
# Run for human-readable output
bandit -r app/ -c .bandit -ll || BANDIT_EXIT=$?
# Check if there are high/critical severity issues
if [ -f bandit-report.json ]; then
HIGH_SEVERITY=$(python3 << 'EOF'
import json
import sys
try:
with open('bandit-report.json', 'r') as f:
data = json.load(f)
high_issues = [
r for r in data.get('results', [])
if r.get('issue_severity') in ['HIGH', 'CRITICAL']
]
if high_issues:
print(f"Found {len(high_issues)} high/critical severity issues:")
for issue in high_issues[:5]: # Show first 5
print(f" - {issue.get('test_id')}: {issue.get('issue_text', '')[:80]}")
sys.exit(1)
else:
print("✅ No high/critical severity issues found.")
print("⚠️ Medium/low severity issues may exist - review the report above.")
sys.exit(0)
except Exception as e:
print(f"⚠️ Could not parse bandit report: {e}")
sys.exit(0)
EOF
)
if [ $? -eq 1 ]; then
echo "❌ High or critical severity security issues found. Please fix them."
exit 1
fi
else
echo "⚠️ Could not generate bandit report. Continuing..."
fi
- name: Check dependencies with Safety
run: |
echo "Checking for vulnerable dependencies with Safety..."
pip install -e ".[dev]"
safety check --json
safety check
- name: Audit dependencies with pip-audit
run: |
echo "Auditing dependencies with pip-audit..."
pip-audit --desc
continue-on-error: true
- name: Check for hardcoded secrets
run: |
echo "Checking for hardcoded secrets..."
# Use git-secrets or similar pattern matching
SECRET_PATTERNS=(
"AKIA[0-9A-Z]{16}" # AWS Access Key
"sk_live_[0-9a-zA-Z]{32}" # Stripe Live Key
"sk_test_[0-9a-zA-Z]{32}" # Stripe Test Key
"AIza[0-9A-Za-z_-]{35}" # Google API Key
)
FOUND_SECRETS=false
for pattern in "${SECRET_PATTERNS[@]}"; do
if git grep -iE "$pattern" -- ':!tests/*' ':!*.md' ':!*.txt'; then
echo "⚠️ Potential secret detected: $pattern"
FOUND_SECRETS=true
fi
done
if [ "$FOUND_SECRETS" = true ]; then
echo "❌ Potential secrets detected. Please review and remove."
exit 1
fi
echo "✅ No hardcoded secrets detected"
continue-on-error: false
- name: Upload security reports
uses: actions/upload-artifact@v4
if: always()
with:
name: security-reports
path: |
bandit-report.json
retention-days: 30