chore(deps)(deps): bump actions/checkout from 4 to 5 #13
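name: Security Audit
# This workflow performs automated security audits: dependency review on pull
# requests, Python SAST/SCA (Bandit, pip-audit, Safety), CodeQL, secret
# scanning (TruffleHog) and a few workflow-hygiene greps.
#
# NOTE(review): every third-party action below is pinned to a mutable tag
# (v5, v3, v3.90.12, ...). A tag can be moved after the fact; pinning to the
# full commit SHA with the tag in a trailing comment is the supply-chain-safe
# form, and Dependabot keeps SHA pins current just like tag pins.
on:
  schedule:
    # Run daily at 2 AM UTC
    - cron: '0 2 * * *'
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:

# Default to no token permissions at all; each job grants only what it needs,
# so a future job added without a permissions block gets nothing by accident.
permissions: {}

jobs:
  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    permissions:
      contents: read
    if: github.event_name == 'pull_request'
    steps:
      - name: Checkout repository
        uses: actions/checkout@v5
        with:
          # No later step pushes, so do not leave GITHUB_TOKEN in .git/config.
          persist-credentials: false
      - name: Dependency Review
        uses: actions/dependency-review-action@v3
        with:
          fail-on-severity: moderate

  python-security-scan:
    name: Python Security Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v5
        with:
          persist-credentials: false
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - name: Install security scanning tools
        # NOTE(review): unpinned installs pull whatever PyPI serves at run
        # time, so the scanners themselves are an unpinned dependency; pin
        # versions (ideally with hashes) in a tracked requirements file.
        run: |
          python -m pip install --upgrade pip
          pip install bandit safety pip-audit
      - name: Run Bandit (Security linter)
        # Advisory only: findings are reported and archived but never fail the
        # job (|| true, || echo and continue-on-error). -ll = medium and above.
        run: |
          echo "Running Bandit security linter..."
          bandit -r . -ll -f json -o bandit-report.json || true
          bandit -r . -ll || echo "Bandit scan completed with findings"
        continue-on-error: true
      - name: Upload Bandit results
        # upload-artifact v3 has been retired by GitHub and runs that use it
        # fail before the step starts; v4 is the supported major.
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: bandit-security-report
          path: bandit-report.json
      - name: Run pip-audit (Dependency vulnerability scan)
        # NOTE(review): this audits the latest resolvable versions of the three
        # tools listed below, not the repository's own pinned dependencies.
        # If the project has a requirements/lock file, audit that instead.
        run: |
          echo "Running pip-audit..."
          # Create a temporary requirements file with the tools we use
          cat > temp_requirements.txt << 'EOF'
          pylint
          black
          mypy
          EOF
          pip-audit -r temp_requirements.txt || echo "pip-audit completed"
        continue-on-error: true
      - name: Run Safety (Dependency vulnerability check)
        # `pip freeze` here lists only the scanners installed above (plus pip),
        # so this checks the tooling environment, not the project's own
        # dependencies.
        # NOTE(review): `safety check` is deprecated in Safety 3.x in favour of
        # `safety scan`, which requires an account/API key — confirm the
        # installed version still honours `check` before relying on it.
        run: |
          echo "Running Safety check..."
          # Check installed packages
          pip freeze > installed_packages.txt
          safety check -r installed_packages.txt --json > safety-report.json || true
          safety check -r installed_packages.txt || echo "Safety check completed"
        continue-on-error: true
      - name: Upload Safety results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: safety-security-report
          path: safety-report.json

  codeql-analysis:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      # Needed to upload SARIF results to code scanning.
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: [ 'python' ]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v5
        with:
          persist-credentials: false
      # codeql-action v2 is deprecated and no longer runs; v3 is the supported
      # major and takes the same inputs.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"

  secret-scanning:
    name: Secret Scanning
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v5
        with:
          # Full history so the commit-range scan below has something to diff.
          fetch-depth: 0
          persist-credentials: false
      - name: TruffleHog OSS
        uses: trufflesecurity/trufflehog@v3.90.12
        with:
          path: ./
          # Diff against the default branch only on pull requests. On push,
          # schedule and manual runs HEAD *is* the default branch, and the
          # action errors out when base and head resolve to the same commit;
          # leaving both empty (the action's own defaults) scans the whole
          # checkout instead.
          base: ${{ github.event_name == 'pull_request' && github.event.repository.default_branch || '' }}
          head: ${{ github.event_name == 'pull_request' && 'HEAD' || '' }}
          extra_args: --debug --only-verified

  workflow-security:
    name: Workflow Security Check
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v5
        with:
          persist-credentials: false
      - name: Check workflow permissions
        run: |
          echo "Checking workflow files for security best practices..."
          # Match the YAML key form only. A bare grep for "write-all" also
          # matches this workflow's own commands and echo text, which made the
          # check warn on every run.
          if grep -rnE '^[[:space:]]*permissions:[[:space:]]*write-all' .github/workflows/; then
            echo "⚠ Warning: Found workflows with write-all permissions"
          else
            echo "✓ No workflows with write-all permissions found"
          fi
          # grep cannot tell an env: entry from a with: input (both are
          # `key: value` lines), and piping a match for one pattern into a
          # match for the other only matched lines containing both, i.e.
          # nothing. List every secret reference for manual review instead.
          if grep -rnE 'secrets\.[A-Za-z0-9_]+' .github/workflows/; then
            echo "⚠ Warning: Found secret references in workflows; confirm none are exposed via env or logs"
          else
            echo "✓ No secret references found in workflows"
          fi
      - name: Validate action.yml security
        run: |
          echo "Checking action.yml for security issues..."
          if [ ! -f action.yml ]; then
            echo "No action.yml at repository root; skipping"
            exit 0
          fi
          # Composite actions must declare a shell on every run: step; compare
          # counts rather than checking that *some* step declares one.
          if grep -q "using: composite" action.yml; then
            echo "✓ Action uses composite type"
            runs=$(grep -cE '^[[:space:]]*(- )?run:' action.yml || true)
            shells=$(grep -cE '^[[:space:]]*(- )?shell:' action.yml || true)
            if [ "$runs" -gt "$shells" ]; then
              echo "⚠ Warning: Some steps may not specify shell"
            else
              echo "✓ Shell specified for composite action steps"
            fi
          fi

  security-summary:
    name: Security Summary
    runs-on: ubuntu-latest
    permissions:
      contents: read
    needs:
      - dependency-review
      - python-security-scan
      - codeql-analysis
      - secret-scanning
      - workflow-security
    if: always()
    steps:
      - name: Summary
        # Report each job's actual result instead of printing a tick for every
        # scan regardless of outcome. Results are passed through env so the
        # shell script never interpolates workflow expressions directly.
        # "success" for the Python job means it ran, not that it was clean:
        # its scan steps are continue-on-error.
        env:
          RESULT_DEPREVIEW: ${{ needs.dependency-review.result }}
          RESULT_PYTHON: ${{ needs.python-security-scan.result }}
          RESULT_CODEQL: ${{ needs.codeql-analysis.result }}
          RESULT_SECRETS: ${{ needs.secret-scanning.result }}
          RESULT_WORKFLOW: ${{ needs.workflow-security.result }}
        run: |
          # $1 = label, $2 = job result (success | failure | cancelled | skipped)
          report() {
            case "$2" in
              success) echo "  ✓ $1" ;;
              skipped) echo "  - $1 (skipped)" ;;
              *)       echo "  ✗ $1 ($2)" ;;
            esac
          }
          echo "🔒 Security Audit Summary"
          echo ""
          echo "Job results:"
          report "Python security scan (Bandit, pip-audit, Safety)" "$RESULT_PYTHON"
          report "CodeQL analysis" "$RESULT_CODEQL"
          report "Secret scanning (TruffleHog)" "$RESULT_SECRETS"
          report "Workflow security check" "$RESULT_WORKFLOW"
          # Only runs on pull requests; reported as skipped otherwise.
          report "Dependency review" "$RESULT_DEPREVIEW"
          echo ""
          echo "Check job outputs and artifacts for detailed results."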