From bdac6f17190f5d2b3e22c8ebf3270202761dc4cb Mon Sep 17 00:00:00 2001
From: amberjblue
Date: Thu, 14 Aug 2025 15:08:33 -0400
Subject: [PATCH 1/7] update security-scan.yaml
---
.github/workflows/security-scan.yaml | 89 ++++++++++++++++++++++++++++
1 file changed, 89 insertions(+)
create mode 100644 .github/workflows/security-scan.yaml
diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml
new file mode 100644
index 0000000..35157fb
--- /dev/null
+++ b/.github/workflows/security-scan.yaml
@@ -0,0 +1,89 @@
+name: Security Scan
+
+on:
+ pull_request:
+ branches: [main]
+ push:
+ branches: [main]
+ workflow_dispatch:
+
+concurrency:
+ group: security-scan-${{ github.ref }}
+ cancel-in-progress: false
+
+jobs:
+ trivy-scan:
+ name: Trivy Scan Report
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ actions: read
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Run Trivy vulnerability scan
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ scan-type: fs
+ scan-ref: .
+ format: sarif
+ output: trivy-results.sarif
+ severity: CRITICAL,HIGH,MEDIUM,LOW
+ exit-code: 0
+ ignore-unfixed: false
+ vuln-type: os,library
+
+ - name: Upload SARIF
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: trivy-results.sarif
+ category: trivy-security-scan
+
+ trivy-gate:
+ name: Trivy Gate
+ needs: trivy-scan
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@v4
+ - name: Check for critical and high vulnerabilities
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ scan-type: fs
+ scan-ref: .
+ format: table
+ severity: CRITICAL,HIGH
+ exit-code: 1
+ ignore-unfixed: false
+ vuln-type: os,library
+
+ bandit-scan:
+ name: Bandit
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ actions: read
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.11"
+
+ - name: Run Bandit Security Scan
+ uses: PyCQA/bandit-action@v1
+ with:
+ targets: "."
+ exclude: "tests,docs"
+
+ - name: Upload Bandit SARIF to Security tab
+ if: always()
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
+ category: bandit-security-scan
From 37467501eb7afc7f7b1d46c4e03b2b20f719416c Mon Sep 17 00:00:00 2001
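Review bot: Every `actions/checkout@v4` step in this hunk runs with checkout's default `persist-credentials: true`, so the job's token is written into the workspace's `.git/config` and stays there for the later steps, including the third-party scan actions that read the whole tree via `scan-ref: .`; nothing in these jobs pushes, so each checkout should get `with:` / `persist-credentials: false`. Separately, the `trivy-gate` job combines `ignore-unfixed: false` with `exit-code: 1`, which fails the gate on CRITICAL/HIGH findings that have no upstream fix and therefore cannot be cleared by upgrading; keeping `ignore-unfixed: false` in the SARIF report job for visibility and setting `ignore-unfixed: true` in the gate avoids a permanently red build on unfixable findings. The report job's `exit-code: 0` is presumably deliberate so the gate is the only blocking step; a one-line comment on that step saying so would stop the next reader from "fixing" it.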
From: amberjblue
Date: Thu, 14 Aug 2025 15:40:19 -0400
Subject: [PATCH 2/7] update security-scan.yaml
---
.github/workflows/security-scan.yaml | 107 ++++++++++++++++-----------
1 file changed, 62 insertions(+), 45 deletions(-)
diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml
index 35157fb..c59fc30 100644
--- a/.github/workflows/security-scan.yaml
+++ b/.github/workflows/security-scan.yaml
@@ -1,72 +1,72 @@ name: Security Scan on: - pull_request: - branches: [main] push: branches: [main] + pull_request: + branches: [main] workflow_dispatch: -concurrency: - group: security-scan-${{ github.ref }} - cancel-in-progress: false - jobs: trivy-scan: - name: Trivy Scan Report + name: Trivy runs-on: ubuntu-latest permissions: contents: read security-events: write actions: read + steps: - - uses: actions/checkout@v4 + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: '3.11' + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + if [ -f pyproject.toml ]; then + pip install -e ".[dev]" + fi - name: Run Trivy vulnerability scan uses: aquasecurity/trivy-action@0.28.0 with: - scan-type: fs - scan-ref: . - format: sarif - output: trivy-results.sarif - severity: CRITICAL,HIGH,MEDIUM,LOW - exit-code: 0 - ignore-unfixed: false - vuln-type: os,library + scan-type: 'fs' + scan-ref: '.' + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH,MEDIUM,LOW' + exit-code: '0' + + - name: Check for critical and high vulnerabilities + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: 'fs' + scan-ref: '.' + format: 'table' + severity: 'CRITICAL,HIGH' + exit-code: '1' - - name: Upload SARIF + - name: Upload Trivy scan results to Security tab uses: github/codeql-action/upload-sarif@v3 if: always() with: - sarif_file: trivy-results.sarif - category: trivy-security-scan - - trivy-gate: - name: Trivy Gate - needs: trivy-scan - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - uses: actions/checkout@v4 - - name: Check for critical and high vulnerabilities - uses: aquasecurity/trivy-action@0.28.0 - with: - scan-type: fs - scan-ref: . 
- format: table - severity: CRITICAL,HIGH - exit-code: 1 - ignore-unfixed: false - vuln-type: os,library + sarif_file: 'trivy-results.sarif' + category: 'trivy-security-scan' bandit-scan: name: Bandit runs-on: ubuntu-latest permissions: - contents: read security-events: write actions: read + contents: read + checks: write + steps: - uses: actions/checkout@v4 @@ -74,16 +74,33 @@ jobs: uses: actions/setup-python@v5 with: python-version: "3.11" + cache: "pip" + + - name: Create virtual environment + run: | + python -m pip install --upgrade pip + python -m venv .venv + + - name: Install dependencies + run: | + source .venv/bin/activate + pip install -e ".[dev]" + + - name: Install Bandit + run: | + source .venv/bin/activate + pip install bandit[sarif] - name: Run Bandit Security Scan uses: PyCQA/bandit-action@v1 with: targets: "." - exclude: "tests,docs" + exclude: "tests" - - name: Upload Bandit SARIF to Security tab - if: always() - uses: github/codeql-action/upload-sarif@v3 + - name: Upload SARIF as artifact + uses: actions/upload-artifact@v4 with: - sarif_file: results.sarif - category: bandit-security-scan + name: bandit-sarif-results + path: results.sarif + retention-days: 30 + continue-on-error: true \ No newline at end of file From c87df5e9fc0a57a6a1356ae61690781a3676adfb Mon Sep 17 00:00:00 2001 From: amberjblue Date: Thu, 14 Aug 2025 15:41:41 -0400 Subject: [PATCH 3/7] test grouping --- .github/workflows/security-scan.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml index c59fc30..3dc3863 100644 --- a/.github/workflows/security-scan.yaml +++ b/.github/workflows/security-scan.yaml @@ -7,6 +7,11 @@ on: branches: [main] workflow_dispatch: +concurrency: + group: security-${{ github.ref }} + cancel-in-progress: false + + jobs: trivy-scan: name: Trivy From a24eec02ef4120aee6ff936f8c6b2f393b91b2e3 Mon Sep 17 00:00:00 2001 
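Review bot: The new `Install dependencies` step in `trivy-scan` runs `pip install -e ".[dev]"` into the runner's interpreter, which lives outside the `scan-ref: '.'` tree that both Trivy steps read, so as far as I can tell it contributes nothing to the scan while building the checked-out project (and whatever its build configuration executes) on every push and pull request; if the goal is for Trivy to see resolved versions, a committed lockfile under the repository does that and the step can go. The hunk also drops `ignore-unfixed` and `vuln-type` from both Trivy invocations, silently falling back to the action's defaults — if that is intended, a short comment on the first Trivy step such as `# defaults: report unfixed findings, scan os+library` would record it. The `checks: write` permission added to `bandit-scan` has no visible consumer in this hunk; presumably it is for the action's annotations, but confirm or remove it, since the bandit-scan job continues in the next hunk.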
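Review bot: The bandit job now creates `.venv` inside the workspace and installs the project's whole `[dev]` dependency set into it, while `Run Bandit Security Scan` still targets `"."` with `exclude: "tests"`, so every installed third-party package under `.venv` is scanned as if it were project code and its findings land in `results.sarif`; add the directory to the exclusion, `exclude: "tests,.venv"`. The `Install Bandit` step puts `bandit[sarif]` into that venv, but `PyCQA/bandit-action` appears to bring its own Bandit rather than use the workspace venv, so the manual install looks unused — confirm and drop it if so. The new artifact step's `continue-on-error: true` means a missing or malformed `results.sarif` no longer fails the job, which is easy to miss; and the file now ends without a trailing newline (`\ No newline at end of file`).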
From: amberjblue Date: Thu, 14 Aug 2025 15:43:38 -0400 Subject: [PATCH 4/7] update security-scan.yaml --- .github/workflows/security-scan.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml index 3dc3863..c59fc30 100644 --- a/.github/workflows/security-scan.yaml +++ b/.github/workflows/security-scan.yaml @@ -7,11 +7,6 @@ on: branches: [main] workflow_dispatch: -concurrency: - group: security-${{ github.ref }} - cancel-in-progress: false - - jobs: trivy-scan: name: Trivy From 4957e1475b57f01f8d0d155267ec61524b463b19 Mon Sep 17 00:00:00 2001 From: amberjblue Date: Mon, 18 Aug 2025 12:13:10 -0400 Subject: [PATCH 5/7] Pin actions to SHA --- .github/workflows/security-scan.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml index c59fc30..73a37ae 100644 --- a/.github/workflows/security-scan.yaml +++ b/.github/workflows/security-scan.yaml @@ -33,7 +33,7 @@ jobs: fi - name: Run Trivy vulnerability scan - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@77137e9dc3ab1b329b7c8a38c2eb7475850a14e8 with: scan-type: 'fs' scan-ref: '.' @@ -43,7 +43,7 @@ jobs: exit-code: '0' - name: Check for critical and high vulnerabilities - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@77137e9dc3ab1b329b7c8a38c2eb7475850a14e8 with: scan-type: 'fs' scan-ref: '.' @@ -92,7 +92,7 @@ jobs: pip install bandit[sarif] - name: Run Bandit Security Scan - uses: PyCQA/bandit-action@v1 + uses: PyCQA/bandit-action@67a458d90fa11fb1463e91e7f4c8f068b5863c7f with: targets: "." exclude: "tests" From 515c227a84f6d37675e91697b03e059d5e3d3f77 Mon Sep 17 00:00:00 2001 From: amberjblue Date: Mon, 18 Aug 2025 12:17:32 -0400 Subject: [PATCH 6/7] enable pip cache for Trivy job --- .github/workflows/security-scan.yaml | 1 + 1 file changed, 1 insertion(+) 
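Review bot: The three pins in this commit (both `aquasecurity/trivy-action` steps and `PyCQA/bandit-action`) replace a readable tag with a bare SHA and no record of what it resolves to; the usual form keeps the version as a trailing comment, e.g. `uses: aquasecurity/trivy-action@77137e9dc3ab1b329b7c8a38c2eb7475850a14e8 # 0.28.0` (assuming that SHA is the commit the `0.28.0` tag pointed at), which is also what Dependabot/Renovate read to propose updates to the pin. The pinning is partial: `actions/checkout@v4`, `actions/setup-python@v5`, `github/codeql-action/upload-sarif@v3` and `actions/upload-artifact@v4` remain on mutable tags, as the context of the following two commits shows, so a tag move in any of those still changes what runs with `security-events: write`. The same applies to all three hunks of this commit.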
diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml index 73a37ae..6d22334 100644 --- a/.github/workflows/security-scan.yaml +++ b/.github/workflows/security-scan.yaml @@ -24,6 +24,7 @@ jobs: uses: actions/setup-python@v5 with: python-version: '3.11' + cache: "pip" - name: Install dependencies run: | From 5318088bc1f03c4c959d3df98c078f85129655eb Mon Sep 17 00:00:00 2001 From: amberjblue Date: Mon, 18 Aug 2025 12:20:23 -0400 Subject: [PATCH 7/7] Upload bandit results to security tab --- .github/workflows/security-scan.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml index 6d22334..82cd72b 100644 --- a/.github/workflows/security-scan.yaml +++ b/.github/workflows/security-scan.yaml @@ -98,6 +98,14 @@ jobs: targets: "." exclude: "tests" + - name: Upload SARIF results to GitHub Security tab + if: github.ref == 'refs/heads/main' + uses: github/codeql-action/upload-sarif@86b04fb0e47484f7282357688f21d5d0e32175fe + with: + sarif_file: results.sarif + category: bandit-security-scan + continue-on-error: true + - name: Upload SARIF as artifact uses: actions/upload-artifact@v4 with:
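Review bot: The added `cache: "pip"` sits directly under `python-version: '3.11'` and uses the other quote style; this job's `with:` blocks were written with single quotes throughout, so `cache: 'pip'` keeps the Trivy job consistent (the bandit job uses double quotes, which is its own convention). With `cache: pip`, setup-python derives the cache key from a dependency file in the repository, whereas the install step a few lines below only runs when `pyproject.toml` exists, so if the repository lacks a matching dependency file the setup step can fail rather than skip — presumably the file is present, but worth confirming.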
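Review bot: The new upload step's `if: github.ref == 'refs/heads/main'` has no status function, so GitHub's implied `success()` still applies and the SARIF is not uploaded when `Run Bandit Security Scan` fails — the opposite of the `if: always()` the original Security-tab upload in patch 1 used; if findings should reach code scanning regardless of the scan's exit status, write `if: always() && github.ref == 'refs/heads/main'`. Restricting the upload to `main` also means pull-request scans never reach code scanning, which is where their findings would be surfaced on the PR; if that is a deliberate choice (fork tokens cannot upload), a one-line comment above the `if:` saying so would save the next reader from removing the condition. `continue-on-error: true` on this step hides upload failures (a missing `results.sarif`, an expired permission), so the Security tab can silently stop updating; consider dropping it now that the step is gated to `main`. The step pins `github/codeql-action/upload-sarif` by SHA while the `actions/upload-artifact@v4` immediately below stays on a tag.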