Skip to content

Security scan

Security scan #640

name: Security scans
on:
workflow_dispatch:
schedule: # Execute tests at midnight every day
- cron: "0 0 * * *"
env:
SNYK_API: https://snyk.devtools.intel.com/api/v1
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
REPORT_DIRECTORY: reports
permissions:
contents: read
jobs:
security:
runs-on: [ubuntu-latest]
permissions:
security-events: write
actions: read
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
egress-policy: audit
- name: Checkout repo
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Set up Python
uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
with:
python-version: 3.9
- name: Install package with dev requirements
# Install dependencies
run: |
python -m pip install --upgrade pip
pip install ".[dev]" --pre
- name: Create report directory
# Creates the temporary directory used to store the test reports
run: mkdir $REPORT_DIRECTORY
- name: Bandit scan
# Run Bandit scan
run: |
pip install bandit
bandit -r . --ini tox.ini -f 'txt' -o $REPORT_DIRECTORY/bandit.txt -v
- name: Trivy vulnerability scan
uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # master
with:
scan-type: 'fs'
scan-ref: '.'
severity: 'CRITICAL'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy results to GitHub Security tab
uses: github/codeql-action/upload-sarif@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5
with:
sarif_file: 'trivy-results.sarif'
- name: Upload test reports
# Publish the test reports to github
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
if: ${{ always() }}
with:
name: test-reports
path: ${{ env.REPORT_DIRECTORY }}
- name: Clean up artifact directories
# Remove temporary report directory
if: ${{ always() }}
run: |
rm -r $REPORT_DIRECTORY