Merge pull request #387 from pyupio/develop
Safety 2.0b5 patch
Showing
24 changed files
with
1,184 additions
and
94 deletions.
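--- /dev/null
+++ b/<PATH-NOT-ON-PAGE: build-and-publish workflow>
@@ -0,0 +1,24 @@
+name: Safety Action Build And Publish
+
+on: [push]
+
+env:
+DOCKER_BUILDKIT: 1
+
+jobs:
+build:
+runs-on: ubuntu-latest
+environment: main
+
+steps:
+- uses: actions/checkout@v2
+
+- name: Build image
+run: docker build -t pyupio/safety-v2-beta:latest .
+
+- name: Upload image
+env:
+DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+run: echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin &&
+docker push pyupio/safety-v2-beta:latest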
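Review bot: `on: [push]` combined with the `Upload image` step means a push to any branch rebuilds and overwrites `pyupio/safety-v2-beta:latest`, which is the very tag action.yml consumes (`docker://pyupio/safety-v2-beta:latest`), so an unreviewed branch push replaces the image every user of the action runs — unless the `main` environment has deployment-branch protection, which this workflow does not show. Restricting the publish trigger is a small change, e.g. `on:` / `  push:` / `    branches: [main]` (or a tag filter), with a separate non-publishing build job for other branches. Separately, `actions/checkout@v2` is referenced by a mutable major tag; for a workflow that holds registry credentials, pinning to a full commit SHA (with the tag in a trailing comment) is the usual supply-chain hardening, and the same applies to `actions/checkout@v2` and `actions/setup-python@v3` in the two test workflows below.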
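--- /dev/null
+++ b/<PATH-NOT-ON-PAGE: insecure-tests workflow>
@@ -0,0 +1,113 @@
+######## Insecure test cases. All of these use insecure packages, and should fail - so they have `continue-on-error`
+######## set on the action step, and a further step to ensure the previous step failed (and actually fail if it _didn't_)
+name: Safety Action Insecure Tests
+
+on: [push]
+
+jobs:
+##### Auto mode tests
+### File scanning
+# Scans a requirements.txt in the repo; the simplest case. We contort one into existing for this test
+# case, to avoid confusion
+test-auto-requirements-txt-insecure:
+runs-on: ubuntu-latest
+environment: main
+
+steps:
+- uses: actions/checkout@v2
+
+- run: cp tests/action/requirements.txt-insecure requirements.txt
+
+- uses: ./
+id: scan-1
+continue-on-error: true
+with:
+api-key: ${{ secrets.SAFETY_API_KEY }}
+
+- if: steps.scan-1.outcome != 'failure' || steps.scan-1.outputs.exit-code != '64'
+run: exit 1
+
+# Same as above, but for a poetry lock file
+test-auto-poetry-insecure:
+runs-on: ubuntu-latest
+environment: main
+
+steps:
+- uses: actions/checkout@v2
+
+- run: cp tests/action/poetry.lock-insecure poetry.lock && cp tests/action/pyproject.toml-insecure pyproject.toml
+
+- uses: ./
+id: scan-2
+continue-on-error: true
+with:
+api-key: ${{ secrets.SAFETY_API_KEY }}
+
+- if: steps.scan-2.outcome != 'failure' || steps.scan-2.outputs.exit-code != '64'
+run: exit 1
+
+# Same as above, but for a Pipfile.lock
+test-auto-pipfile-insecure:
+runs-on: ubuntu-latest
+environment: main
+
+steps:
+- uses: actions/checkout@v2
+
+- run: cp tests/action/Pipfile.lock-insecure Pipfile.lock
+
+- uses: ./
+id: scan-3
+continue-on-error: true
+with:
+api-key: ${{ secrets.SAFETY_API_KEY }}
+
+- if: steps.scan-3.outcome != 'failure' || steps.scan-3.outputs.exit-code != '64'
+run: exit 1
+
+### Env scanning:
+### Scans the runner environment. Here, the Github action `actions/setup-python@v3` actually
+### installs things in the root VM that the action runs on; this is what gets scanned.
+test-auto-environment-insecure:
+runs-on: ubuntu-latest
+environment: main
+
+steps:
+- uses: actions/checkout@v2
+
+- uses: actions/setup-python@v3
+with:
+python-version: '3.10'
+architecture: 'x64'
+
+- run: python -m pip install -r tests/action/requirements.txt-insecure
+
+- uses: ./
+id: scan-4
+continue-on-error: true
+with:
+api-key: ${{ secrets.SAFETY_API_KEY }}
+
+- if: steps.scan-4.outcome != 'failure' || steps.scan-4.outputs.exit-code != '64'
+run: exit 1
+
+### Docker scanning:
+### Scans a recently built Docker container. This uses a few heuristics, defined in entrypoint.sh
+test-auto-docker-insecure:
+runs-on: ubuntu-latest
+environment: main
+
+steps:
+- uses: actions/checkout@v2
+
+- name: Build image
+run: DOCKER_BUILDKIT=1 docker build -t my-insecure-image tests/action/docker-insecure
+
+- uses: ./
+id: scan-5
+continue-on-error: true
+with:
+api-key: ${{ secrets.SAFETY_API_KEY }}
+
+- if: steps.scan-5.outcome != 'failure' || steps.scan-5.outputs.exit-code != '64'
+run: exit 1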
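Review bot: The assertion step (`- if: steps.scan-1.outcome != 'failure' || steps.scan-1.outputs.exit-code != '64'` / `run: exit 1`, repeated for scan-2 through scan-5) has no `name:` and no comment on the literal `'64'`, so a failing run shows only an anonymous `exit 1` and a reader has to guess what 64 means — presumably Safety's "vulnerabilities found" exit code, though the page does not show where it is defined. Giving each assertion a name such as `- name: Assert scan failed with the vulnerabilities-found exit code (64)` and one comment above the first job, `# 64: exit code Safety returns when vulnerabilities are reported; anything else (including 0) is a test failure`, would make the five jobs self-explanatory. Note also that the assertion only works because the scan step sets `continue-on-error: true`; if that line were ever dropped the job would fail before the assertion ran, so the header comment's explanation of that coupling is worth keeping next to the steps themselves.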
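--- /dev/null
+++ b/<PATH-NOT-ON-PAGE: secure-tests workflow>
@@ -0,0 +1,94 @@
+######## Secure test cases. All of these use secure packages, and shouldn't fail. Easier than our insecure
+######## case, as we don't need anything else. We test against Safety and its deps here; if these tests
+######## fail, the pinned version might need to be updated.
+name: Safety Action Secure Tests
+
+on: [push]
+
+jobs:
+##### Auto mode tests
+### File scanning
+# Scans a requirements.txt in the repo; the simplest case. We contort one into existing for this test
+# case, to avoid confusion
+test-auto-requirements-txt-secure:
+runs-on: ubuntu-latest
+environment: main
+
+steps:
+- uses: actions/checkout@v2
+
+- run: cp tests/action/requirements.txt-secure requirements.txt
+
+- uses: ./
+id: scan-1
+with:
+api-key: ${{ secrets.SAFETY_API_KEY }}
+
+# Same as above, but for a poetry lock file
+test-auto-poetry-secure:
+runs-on: ubuntu-latest
+environment: main
+
+steps:
+- uses: actions/checkout@v2
+
+- run: cp tests/action/poetry.lock-secure poetry.lock && cp tests/action/pyproject.toml-secure pyproject.toml
+
+- uses: ./
+id: scan-2
+with:
+api-key: ${{ secrets.SAFETY_API_KEY }}
+
+# Same as above, but for a Pipfile.lock
+test-auto-pipfile-secure:
+runs-on: ubuntu-latest
+environment: main
+
+steps:
+- uses: actions/checkout@v2
+
+- run: cp tests/action/Pipfile.lock-secure Pipfile.lock
+
+- uses: ./
+id: scan-3
+with:
+api-key: ${{ secrets.SAFETY_API_KEY }}
+
+### Env scanning:
+### Scans the runner environment. Here, the Github action `actions/setup-python@v3` actually
+### installs things in the root VM that the action runs on; this is what gets scanned.
+test-auto-environment-secure:
+runs-on: ubuntu-latest
+environment: main
+
+steps:
+- uses: actions/checkout@v2
+
+- uses: actions/setup-python@v3
+with:
+python-version: '3.10'
+architecture: 'x64'
+
+- run: python -m pip install -r tests/action/requirements.txt-secure
+
+- uses: ./
+id: scan-4
+with:
+api-key: ${{ secrets.SAFETY_API_KEY }}
+
+### Docker scanning:
+### Scans a recently built Docker container. This uses a few heuristics, defined in entrypoint.sh
+test-auto-docker-secure:
+runs-on: ubuntu-latest
+environment: main
+
+steps:
+- uses: actions/checkout@v2
+
+- name: Build image
+run: DOCKER_BUILDKIT=1 docker build -t my-secure-image tests/action/docker-secure
+
+- uses: ./
+id: scan-5
+with:
+api-key: ${{ secrets.SAFETY_API_KEY }}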
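Review bot: The header comment's "the pinned version might need to be updated" does not say which pin, and nothing in this workflow names one; since the jobs copy `tests/action/requirements.txt-secure` and the `*-secure` lockfiles into place, I would make the comment concrete, e.g. `######## fail, the Safety pin in tests/action/requirements.txt-secure and the *-secure lockfiles may need updating.`, or hedge it if the pin lives elsewhere. A secure fixture that silently acquires a new advisory will make every job here go red at once with no hint in the log as to why, so the comment is the only place a reader is told what to do. As a point of style, the five jobs here and in the insecure workflow are near-duplicates differing only in the fixture copied and the presence of the assertion step; a `strategy: matrix:` with `include:` entries per fixture would halve the maintenance surface, though the per-job `setup-python` and `docker build` steps would need conditional `if:` guards.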
@@ -1,3 +1,21 @@ | ||
FROM python:3.6-slim | ||
RUN pip install --trusted-host pypi.python.org safety | ||
CMD ["python"] | ||
FROM python:3.10-slim | ||
|
||
# Don't use WORKDIR here as per Github's docs | ||
RUN mkdir /app | ||
|
||
RUN apt-get update && apt-get -y install docker.io jq && apt-get clean && rm -rf /var/lib/apt/lists/* | ||
|
||
# Install poetry and pipenv; used for converting their respective lockfile formats to generic requirements.txt | ||
RUN cd /app && python3 -m pip install poetry==1.1.13 pipenv==2022.6.7 | ||
|
||
# Install this project dependencies | ||
COPY . /app | ||
RUN cd /app && python3 -m pip install -e . | ||
|
||
ENV LC_ALL=C.UTF-8 | ||
ENV LANG=C.UTF-8 | ||
ENV PYTHONPATH="/app" | ||
|
||
LABEL safety_autodetect=ignore | ||
|
||
ENTRYPOINT ["/app/entrypoint.sh"] |
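Review bot: `RUN cd /app && python3 -m pip install -e .` resolves Safety's own runtime dependencies from PyPI at build time with no pin or hash check, so two builds of the published `pyupio/safety-v2-beta:latest` image can differ silently even though poetry and pipenv on the line above are pinned to exact versions. Installing from a pinned, hashed requirements file first, e.g. `RUN cd /app && python3 -m pip install --require-hashes -r <pinned-requirements-file> && python3 -m pip install --no-deps -e .`, makes the image reproducible and limits what a compromised upstream release could inject into a security-scanning tool. In the same spirit, `apt-get -y install docker.io jq` pulls recommended packages too; `--no-install-recommends` keeps the image smaller and its package set more predictable. `COPY . /app` also copies the entire build context (including `.git` and `tests/`) into the published image unless a `.dockerignore` exists, which this commit does not show.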
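--- /dev/null
+++ b/action.yml
@@ -0,0 +1,57 @@
+# action.yml
+name: 'pyupio/safety'
+description: 'Runs the Safety CLI against your project'
+inputs:
+api-key:
+description: 'PyUp API key'
+required: false
+default: ''
+scan:
+description: 'Scan mode to use. One of auto / docker / env / file (defaults to auto)'
+required: false
+default: 'auto'
+docker-image:
+description: 'Tag or hash of the Docker Image to scan (defaults to autodetecting the last built tagged image)'
+required: false
+default: ''
+requirements:
+description: 'Path of requirements file to scan (defaults to poetry.lock -> Pipfile.lock -> requirements.txt)'
+required: false
+default: ''
+continue-on-error:
+description: 'By default, Safety will exit with a non-zero exit code if it detects any vulnerabilities. Set this to yes / true to not error out.'
+required: false
+default: ''
+output-format:
+description: 'Output format for returned data. One of screen / text / json / bare (defaults to screen)'
+required: false
+default: 'screen'
+args:
+description: '[Advanced] Any additional arguments to pass to Safety'
+required: false
+default: ''
+
+outputs:
+cli-output:
+description: 'CLI output from Safety'
+exit-code:
+description: 'Exit code from Safety'
+
+runs:
+using: 'docker'
+image: 'docker://pyupio/safety-v2-beta:latest'
+env:
+SAFETY_API_KEY: ${{ inputs.api-key }}
+SAFETY_ACTION: true
+SAFETY_ACTION_SCAN: ${{ inputs.scan }}
+SAFETY_ACTION_DOCKER_IMAGE: ${{ inputs.docker-image }}
+SAFETY_ACTION_REQUIREMENTS: ${{ inputs.requirements }}
+SAFETY_ACTION_CONTINUE_ON_ERROR: ${{ inputs.continue-on-error }}
+SAFETY_ACTION_OUTPUT_FORMAT: ${{ inputs.output-format }}
+SAFETY_ACTION_ARGS: ${{ inputs.args }}
+SAFETY_ACTION_FORMAT: true
+COLUMNS: 120
+
+branding:
+icon: 'lock'
+color: 'purple'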
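Review bot: `image: 'docker://pyupio/safety-v2-beta:latest'` binds every consumer of this action to a mutable tag, so each workflow run pulls whatever was most recently pushed to Docker Hub with no integrity check, and the build workflow in this same commit pushes that tag on every branch push. Pinning by digest, `image: 'docker://pyupio/safety-v2-beta@sha256:<digest-of-the-released-image>'`, or at minimum by a per-release version tag, gives users a reproducible scanner and a reviewable bump in the action's own history. The input named `continue-on-error` shares its name with GitHub's step-level `continue-on-error` keyword; there is no collision because inputs live under `with:`, but the insecure test workflow sets the step-level keyword right next to `with:` on the same step, so one sentence in the description distinguishing the two (`Unrelated to the step-level continue-on-error keyword; this only changes Safety's exit code.`) would prevent confusion. `SAFETY_ACTION: true` and `SAFETY_ACTION_FORMAT: true` are YAML booleans that GitHub stringifies into the container environment; writing them as `'true'` would make the intended string value explicit.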