Merge pull request #387 from pyupio/develop

Safety 2.0b5 patch

.github/workflows/build.yml

@@ -0,0 +1,24 @@
+name: Safety Action Build And Publish
+
+on: [push]
+
+env:
+    DOCKER_BUILDKIT: 1
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    environment: main
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Build image
+        run: docker build -t pyupio/safety-v2-beta:latest .
+
+      - name: Upload image
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+        run: echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin &&
+             docker push pyupio/safety-v2-beta:latest

.github/workflows/test-insecure.yml

@@ -0,0 +1,113 @@
+######## Insecure test cases. All of these use insecure packages, and should fail - so they have `continue-on-error`
+######## set on the action step, and a further step to ensure the previous step failed (and actually fail if it _didn't_)
+name: Safety Action Insecure Tests
+
+on: [push]
+
+jobs:
+  ##### Auto mode tests
+  ### File scanning
+  # Scans a requirements.txt in the repo; the simplest case. We contort one into existing for this test
+  # case, to avoid confusion
+  test-auto-requirements-txt-insecure:
+    runs-on: ubuntu-latest
+    environment: main
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - run: cp tests/action/requirements.txt-insecure requirements.txt
+
+      - uses: ./
+        id: scan-1
+        continue-on-error: true
+        with:
+          api-key: ${{ secrets.SAFETY_API_KEY }}
+
+      - if: steps.scan-1.outcome != 'failure' || steps.scan-1.outputs.exit-code != '64'
+        run: exit 1
+
+  # Same as above, but for a poetry lock file
+  test-auto-poetry-insecure:
+    runs-on: ubuntu-latest
+    environment: main
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - run: cp tests/action/poetry.lock-insecure poetry.lock && cp tests/action/pyproject.toml-insecure pyproject.toml
+
+      - uses: ./
+        id: scan-2
+        continue-on-error: true
+        with:
+          api-key: ${{ secrets.SAFETY_API_KEY }}
+
+      - if: steps.scan-2.outcome != 'failure' || steps.scan-2.outputs.exit-code != '64'
+        run: exit 1
+
+  # Same as above, but for a Pipfile.lock
+  test-auto-pipfile-insecure:
+    runs-on: ubuntu-latest
+    environment: main
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - run: cp tests/action/Pipfile.lock-insecure Pipfile.lock
+
+      - uses: ./
+        id: scan-3
+        continue-on-error: true
+        with:
+          api-key: ${{ secrets.SAFETY_API_KEY }}
+
+      - if: steps.scan-3.outcome != 'failure' || steps.scan-3.outputs.exit-code != '64'
+        run: exit 1
+
+  ### Env scanning:
+  ### Scans the runner environment. Here, the Github action `actions/setup-python@v3` actually
+  ### installs things in the root VM that the action runs on; this is what gets scanned.
+  test-auto-environment-insecure:
+    runs-on: ubuntu-latest
+    environment: main
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: actions/setup-python@v3
+        with:
+          python-version: '3.10'
+          architecture: 'x64'
+
+      - run: python -m pip install -r tests/action/requirements.txt-insecure
+
+      - uses: ./
+        id: scan-4
+        continue-on-error: true
+        with:
+          api-key: ${{ secrets.SAFETY_API_KEY }}
+
+      - if: steps.scan-4.outcome != 'failure' || steps.scan-4.outputs.exit-code != '64'
+        run: exit 1
+
+  ### Docker scanning:
+  ### Scans a recently built Docker container. This uses a few heuristics, defined in entrypoint.sh
+  test-auto-docker-insecure:
+    runs-on: ubuntu-latest
+    environment: main
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Build image
+        run: DOCKER_BUILDKIT=1 docker build -t my-insecure-image tests/action/docker-insecure
+
+      - uses: ./
+        id: scan-5
+        continue-on-error: true
+        with:
+          api-key: ${{ secrets.SAFETY_API_KEY }}
+
+      - if: steps.scan-5.outcome != 'failure' || steps.scan-5.outputs.exit-code != '64'
+        run: exit 1

.github/workflows/test-secure.yml

@@ -0,0 +1,94 @@
+######## Secure test cases. All of these use secure packages, and shouldn't fail. Easier than our insecure
+######## case, as we don't need anything else. We test against Safety and its deps here; if these tests
+######## fail, the pinned version might need to be updated.
+name: Safety Action Secure Tests
+
+on: [push]
+
+jobs:
+  ##### Auto mode tests
+  ### File scanning
+  # Scans a requirements.txt in the repo; the simplest case. We contort one into existing for this test
+  # case, to avoid confusion
+  test-auto-requirements-txt-secure:
+    runs-on: ubuntu-latest
+    environment: main
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - run: cp tests/action/requirements.txt-secure requirements.txt
+
+      - uses: ./
+        id: scan-1
+        with:
+          api-key: ${{ secrets.SAFETY_API_KEY }}
+
+  # Same as above, but for a poetry lock file
+  test-auto-poetry-secure:
+    runs-on: ubuntu-latest
+    environment: main
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - run: cp tests/action/poetry.lock-secure poetry.lock && cp tests/action/pyproject.toml-secure pyproject.toml
+
+      - uses: ./
+        id: scan-2
+        with:
+          api-key: ${{ secrets.SAFETY_API_KEY }}
+
+  # Same as above, but for a Pipfile.lock
+  test-auto-pipfile-secure:
+    runs-on: ubuntu-latest
+    environment: main
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - run: cp tests/action/Pipfile.lock-secure Pipfile.lock
+
+      - uses: ./
+        id: scan-3
+        with:
+          api-key: ${{ secrets.SAFETY_API_KEY }}
+
+  ### Env scanning:
+  ### Scans the runner environment. Here, the Github action `actions/setup-python@v3` actually
+  ### installs things in the root VM that the action runs on; this is what gets scanned.
+  test-auto-environment-secure:
+    runs-on: ubuntu-latest
+    environment: main
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: actions/setup-python@v3
+        with:
+          python-version: '3.10'
+          architecture: 'x64'
+
+      - run: python -m pip install -r tests/action/requirements.txt-secure
+
+      - uses: ./
+        id: scan-4
+        with:
+          api-key: ${{ secrets.SAFETY_API_KEY }}
+
+  ### Docker scanning:
+  ### Scans a recently built Docker container. This uses a few heuristics, defined in entrypoint.sh
+  test-auto-docker-secure:
+    runs-on: ubuntu-latest
+    environment: main
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Build image
+        run: DOCKER_BUILDKIT=1 docker build -t my-secure-image tests/action/docker-secure
+
+      - uses: ./
+        id: scan-5
+        with:
+          api-key: ${{ secrets.SAFETY_API_KEY }}

Dockerfile

@@ -1,3 +1,21 @@
-FROM python:3.6-slim
-RUN pip install --trusted-host pypi.python.org safety
-CMD ["python"]
+FROM python:3.10-slim
+
+# Don't use WORKDIR here as per Github's docs
+RUN mkdir /app
+
+RUN apt-get update && apt-get -y install docker.io jq && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Install poetry and pipenv; used for converting their respective lockfile formats to generic requirements.txt
+RUN cd /app && python3 -m pip install poetry==1.1.13 pipenv==2022.6.7
+
+# Install this project dependencies
+COPY . /app
+RUN cd /app && python3 -m pip install -e .
+
+ENV LC_ALL=C.UTF-8
+ENV LANG=C.UTF-8
+ENV PYTHONPATH="/app"
+
+LABEL safety_autodetect=ignore
+
+ENTRYPOINT ["/app/entrypoint.sh"]

README.md

@@ -4,12 +4,28 @@
 [![Travis](https://img.shields.io/travis/pyupio/safety.svg)](https://travis-ci.org/pyupio/safety)
 [![Updates](https://pyup.io/repos/github/pyupio/safety/shield.svg)](https://pyup.io/repos/github/pyupio/safety/)
 
-Safety checks your installed Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected. Safety can be run on developer machines, in CI/CD pipelines and on production systems.
+Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected. Safety can be run on developer machines, in CI/CD pipelines and on production systems.
 
 By default it uses the open Python vulnerability database [Safety DB](https://github.com/pyupio/safety-db), which is **licensed for non-commercial use only**.
 
 For all commercial projects, Safely must be upgraded to use a [PyUp API](https://pyup.io) using the `--key` option.
 
+# Using Safety as a GitHub Action
+
+Safety can be integrated into your existing GitHub CI pipeline as an action. Just add the following as a step in your workflow YAML file after setting your `SAFETY_API_KEY` secret on GitHub under Settings -> Secrets -> Actions:
+
+```yaml
+      - uses: pyupio/safety@v1
+        with:
+          api-key: ${{ secrets.SAFETY_API_KEY }}
+```
+
+(Don't have an API Key? You can sign up for one with [PyUp](https://pyup.io).)
+
+This will run Safety in auto-detect mode which figures out your project's structure and the best configuration to run in automatically. It'll fail your CI pipeline if any vulnerable packages are found.
+
+If you have something more complicated such as a monorepo; or once you're finished testing, read the [Action Documentation](https://docs.pyup.io/docs/github-actions-safety) for more details on configuring Safety as an action.
+
 # Installation
 
 Install `safety` with pip. Keep in mind that we support only Python 3.6 and up.

action.yml

@@ -0,0 +1,57 @@
+# action.yml
+name: 'pyupio/safety'
+description: 'Runs the Safety CLI against your project'
+inputs:
+  api-key:
+    description: 'PyUp API key'
+    required: false
+    default: ''
+  scan:
+    description: 'Scan mode to use. One of auto / docker / env / file (defaults to auto)'
+    required: false
+    default: 'auto'
+  docker-image:
+    description: 'Tag or hash of the Docker Image to scan (defaults to autodetecting the last built tagged image)'
+    required: false
+    default: ''
+  requirements:
+    description: 'Path of requirements file to scan (defaults to poetry.lock -> Pipfile.lock -> requirements.txt)'
+    required: false
+    default: ''
+  continue-on-error:
+    description: 'By default, Safety will exit with a non-zero exit code if it detects any vulnerabilities. Set this to yes / true to not error out.'
+    required: false
+    default: ''
+  output-format:
+    description: 'Output format for returned data. One of screen / text / json / bare (defaults to screen)'
+    required: false
+    default: 'screen'
+  args:
+    description: '[Advanced] Any additional arguments to pass to Safety'
+    required: false
+    default: ''
+
+outputs:
+  cli-output:
+    description: 'CLI output from Safety'
+  exit-code:
+    description: 'Exit code from Safety'
+
+runs:
+  using: 'docker'
+  image: 'docker://pyupio/safety-v2-beta:latest'
+  env:
+    SAFETY_API_KEY: ${{ inputs.api-key }}
+    SAFETY_ACTION: true
+    SAFETY_ACTION_SCAN: ${{ inputs.scan }}
+    SAFETY_ACTION_DOCKER_IMAGE: ${{ inputs.docker-image }}
+    SAFETY_ACTION_REQUIREMENTS: ${{ inputs.requirements }}
+    SAFETY_ACTION_CONTINUE_ON_ERROR: ${{ inputs.continue-on-error }}
+    SAFETY_ACTION_OUTPUT_FORMAT: ${{ inputs.output-format }}
+    SAFETY_ACTION_ARGS: ${{ inputs.args }}
+    SAFETY_ACTION_FORMAT: true
+    COLUMNS: 120
+
+branding:
+  icon: 'lock'
+  color: 'purple'