Skip to content
Safety Action Insecure Tests

Merge pull request #473 from pyupio/feat/allow-image-builds #111

Sign in to view logs

Merge pull request #473 from pyupio/feat/allow-image-builds

Merge pull request #473 from pyupio/feat/allow-image-builds #111

Workflow file for this run

.github/workflows/test-insecure.yml at 10df400
######## Insecure test cases. All of these use insecure packages, and should fail - so they have `continue-on-error`
######## set on the action step, and a further step to ensure the previous step failed (and actually fail if it _didn't_)
name: Safety Action Insecure Tests
on:
push:
branches: [main, develop]
jobs:
matrix:
runs-on: ubuntu-20.04
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@v3
- id: set-matrix
run: |
TASKS=$(echo $(cat .github/workflows/gh-action-integration-matrix.json) | sed 's/ //g' )
echo "::set-output name=matrix::$TASKS"
##### Auto mode tests
### File scanning
# Scans a requirements.txt in the repo; the simplest case. We contort one into existing for this test
# case, to avoid confusion
test-auto-requirements-txt-insecure:
needs: [ matrix ]
runs-on: ubuntu-20.04
environment: main
strategy:
matrix:
safety: ${{ fromJson(needs.matrix.outputs.matrix) }}
steps:
- uses: actions/checkout@v3
with:
ref: ${{ matrix.safety.version }}
- run: cp tests/action/requirements.txt-insecure requirements.txt
- uses: ./
id: scan-1
continue-on-error: true
with:
api-key: ${{ secrets.SAFETY_API_KEY }}
- if: steps.scan-1.outcome != 'failure' || steps.scan-1.outputs.exit-code != '64'
run: exit 1
# Same as above, but for a poetry lock file
test-auto-poetry-insecure:
needs: [ matrix ]
runs-on: ubuntu-20.04
environment: main
strategy:
matrix:
safety: ${{ fromJson(needs.matrix.outputs.matrix) }}
steps:
- uses: actions/checkout@v3
with:
ref: ${{ matrix.safety.version }}
- run: cp tests/action/poetry.lock-insecure poetry.lock && cp tests/action/pyproject.toml-insecure pyproject.toml
- uses: ./
id: scan-2
continue-on-error: true
with:
api-key: ${{ secrets.SAFETY_API_KEY }}
- if: steps.scan-2.outcome != 'failure' || steps.scan-2.outputs.exit-code != '64'
run: exit 1
# Same as above, but for a Pipfile.lock
test-auto-pipfile-insecure:
needs: [ matrix ]
runs-on: ubuntu-20.04
environment: main
strategy:
matrix:
safety: ${{ fromJson(needs.matrix.outputs.matrix) }}
steps:
- uses: actions/checkout@v3
with:
ref: ${{ matrix.safety.version }}
- run: cp tests/action/Pipfile.lock-insecure Pipfile.lock
- uses: ./
id: scan-3
continue-on-error: true
with:
api-key: ${{ secrets.SAFETY_API_KEY }}
- if: steps.scan-3.outcome != 'failure' || steps.scan-3.outputs.exit-code != '64'
run: exit 1
### Env scanning:
### Scans the runner environment. Here, the Github action `actions/setup-python@v3` actually
### installs things in the root VM that the action runs on; this is what gets scanned.
test-auto-environment-insecure:
needs: [ matrix ]
runs-on: ubuntu-20.04
environment: main
strategy:
matrix:
safety: ${{ fromJson(needs.matrix.outputs.matrix) }}
steps:
- uses: actions/checkout@v3
with:
ref: ${{ matrix.safety.version }}
- uses: actions/setup-python@v3
with:
python-version: '3.10'
architecture: 'x64'
- run: python -m pip install -r tests/action/requirements.txt-insecure
- uses: ./
id: scan-4
continue-on-error: true
with:
api-key: ${{ secrets.SAFETY_API_KEY }}
- if: steps.scan-4.outcome != 'failure' || steps.scan-4.outputs.exit-code != '64'
run: exit 1
### Docker scanning:
### Scans a recently built Docker container. This uses a few heuristics, defined in entrypoint.sh
test-auto-docker-insecure:
needs: [ matrix ]
runs-on: ubuntu-20.04
environment: main
strategy:
matrix:
safety: ${{ fromJson(needs.matrix.outputs.matrix) }}
steps:
- uses: actions/checkout@v3
with:
ref: ${{ matrix.safety.version }}
- name: Build image
run: DOCKER_BUILDKIT=1 docker build -t my-insecure-image tests/action/docker-insecure
- uses: ./
id: scan-5
continue-on-error: true
with:
api-key: ${{ secrets.SAFETY_API_KEY }}
- if: steps.scan-5.outcome != 'failure' || steps.scan-5.outputs.exit-code != '64'
run: exit 1