-
Notifications
You must be signed in to change notification settings - Fork 27
80 lines (76 loc) · 2.3 KB
/
dependency.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
---
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
req-files:
runs-on: ubuntu-latest
outputs:
reqfiles: ${{ steps.get-files.outputs.REQLIST }}
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- id: get-files
run:
echo "REQLIST=$(find . -name 'requirements*.txt' -print | jq -R -s -c 'split("\n")[:-1]')" >> $GITHUB_OUTPUT
dependency-review:
needs: req-files
strategy:
matrix:
python: [ 3.7, 3.8, 3.9, "3.10" ]
os: [ubuntu-latest]
files: ${{ fromJSON(needs.req-files.outputs.reqfiles) }}
runs-on: ${{ matrix.os }}
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: Set up Python ${{ matrix.python }}
uses: actions/setup-python@v4
with:
python-version: ${{ matrix.python }}
- name: Install pip-audit on non-Windows
run: |
pip install "pip-audit>=2.5.3"
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
- name: 'Pip Audit'
uses: pypa/[email protected]
with:
inputs: ${{ matrix.files }}
rust-files:
runs-on: ubuntu-latest
outputs:
rustfiles: ${{ steps.get-rust-files.outputs.RUSTLIST }}
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- id: get-rust-files
run:
echo "RUSTLIST=$(find . -type f -name "Cargo.toml" -exec dirname "{}" \; | jq -R -s -c 'split("\n")[:-1]')" >> $GITHUB_OUTPUT
rust_security_audit:
runs-on: ubuntu-latest
needs: rust-files
strategy:
matrix:
files: ${{ fromJSON(needs.rust-files.outputs.rustfiles) }}
steps:
- uses: actions/checkout@v3
- run: cd $GITHUB_WORKSPACE && mv ${{ matrix.files }}/* .
- uses: actions-rs/audit-check@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
go_scan:
runs-on: ubuntu-latest
env:
GO111MODULE: on
steps:
- uses: actions/checkout@v3
- name: Run Gosec Security Scanner
uses: securego/gosec@master
with:
args: '-no-fail -fmt sarif -out results.sarif ./...'
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif