Skip to content

CI - Security scans #761

CI - Security scans

CI - Security scans #761

name: CI - Security scans
on:
workflow_dispatch: {}
schedule:
- cron: "0 0 * * *"
pull_request:
paths:
- ".github/workflows/ci-security-scans.yml"
- "scripts/**"
- "docker/**"
- "**/pyproject.toml"
- ".snyk"
branches:
- main
concurrency:
group: ragstack-security-scans-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
snyk-ragstack-dev:
name: Security Scan / RAGStack dev
runs-on: ubuntu-latest
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: "Setup: Python 3.11"
uses: ./.github/actions/setup-python
- name: Run Snyk scan
id: snyk
uses: ./.github/actions/snyk-python-3.11
with:
token: ${{ secrets.SNYK_TOKEN }}
- name: Move snyk vulnerabilities file
if: ${{ always() }}
run: |
# cleanup snyk scan docker resources
sudo docker volume prune -f
sudo docker system prune -f
du -sh *
python -m pip install poetry>=1.7.1
mkdir -p snyk_reports
mv snyk-vuln.json snyk_reports/snyk-vuln.json
- name: Testspace deploy report
uses: ./.github/actions/deploy-testspace-report
if: ${{ always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') }}
with:
report-type: snyk
token: ${{ secrets.TESTSPACE_TOKEN }}
report-file: snyk_reports
space: "RAGStack security scans - RAGStack dev"
snyk-ragstack-latest-release:
name: Security Scan / RAGStack latest
runs-on: ubuntu-latest
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: Prepare requirements
run: |
echo "ragstack-ai" > requirements.txt
- name: Run Snyk scan
id: snyk
uses: ./.github/actions/snyk-python-3.11
with:
token: ${{ secrets.SNYK_TOKEN }}
args: --file=requirements.txt
- name: Move snyk vulnerabilities file
if: ${{ always() }}
run: |
mkdir -p snyk_reports
mv snyk-vuln.json snyk_reports/snyk-vuln.json
- name: "Setup: Python 3.11"
if: ${{ always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') }}
uses: ./.github/actions/setup-python
- name: Testspace deploy report
uses: ./.github/actions/deploy-testspace-report
if: ${{ always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') }}
with:
report-type: snyk
token: ${{ secrets.TESTSPACE_TOKEN }}
report-file: snyk_reports
space: "RAGStack security scans - RAGStack latest"