Skip to content
Security Scanning

Security Scanning #218

Sign in to view logs

Security Scanning

Security Scanning #218

Workflow file for this run

.github/workflows/security.yml at bdd16ad
name: Security Scanning
on:
schedule:
# Run security scans daily at midnight UTC
- cron: '0 0 * * *'
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
security-scan:
name: Comprehensive Security Scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
pip install bandit safety
- name: Run Bandit security scan
run: |
bandit -r src/ -f json -o bandit-report.json
bandit -r src/ -ll -i
continue-on-error: true
- name: Run Safety dependency check
run: |
safety check --json --output safety-report.json || true
safety check || true
continue-on-error: true
- name: Run security tests
run: |
pip install -e .
pytest tests/security -v --tb=short
continue-on-error: true
- name: Upload security reports
uses: actions/upload-artifact@v3
if: always()
with:
name: security-reports
path: |
bandit-report.json
safety-report.json
codeql-analysis:
name: CodeQL Analysis
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: python
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
dependency-review:
name: Dependency Review
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v3