Skip to content

Commit

Permalink
Add security scanners to Github Actions
Browse files Browse the repository at this point in the history
  • Loading branch information
Vitaliy Saveliev committed Jun 24, 2024
1 parent 089f1b2 commit 121df55
Show file tree
Hide file tree
Showing 2 changed files with 69 additions and 5 deletions.
61 changes: 61 additions & 0 deletions .github/workflows/secure.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
name: Secure

on: push

jobs:
# Sample GitHub Actions:
# https://semgrep.dev/docs/semgrep-ci/sample-ci-configs#sample-github-actions-configuration-file
semgrep:
runs-on: ubuntu-latest
container:
image: semgrep/semgrep
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- run: semgrep scan --sarif --output=semgrep.sarif --error
env:
SEMGREP_RULES: >-
p/bandit
p/command-injection
p/comment
p/cwe-top-25
p/default
p/gitlab
p/gitlab-bandit
p/gitleaks
p/insecure-transport
p/owasp-top-ten
p/python
p/r2c-best-practices
p/r2c-bug-scan
p/r2c-security-audit
p/secrets
p/security-audit
p/xss
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: semgrep.sarif
if: always()

# Samples GitHub Actions:
# https://github.com/aquasecurity/trivy-action
trivy:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- uses: aquasecurity/trivy-action
with:
scan-type: 'fs'
format: 'sarif'
output: 'trivy.sarif'
exit-code: '1'
severity: 'CRITICAL,HIGH'
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trivy.sarif
if: always()
13 changes: 8 additions & 5 deletions .github/workflows/checks.yml → .github/workflows/verify.yml
Original file line number Diff line number Diff line change
@@ -1,20 +1,23 @@
name: Checks
name: Verify

on: push

jobs:
flake8:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.8'
- run: pip install -r requirements.txt -r test-requirements.txt
- run: flake8 .

pytest:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.8'
- run: pip install -r requirements.txt -r test-requirements.txt
Expand Down

0 comments on commit 121df55

Please sign in to comment.