python-project-blueprint/.github/workflows/security.yml at main · Pymetheus/python-project-blueprint · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
name: Security Scan

on:
  pull_request:
    branches:
      - main
# Uncomment to enable Git Flow workflow
#      - develop
#      - release/**
  schedule:
    - cron: '0 0 * * 1' # Every Monday at midnight
  workflow_dispatch: {}

permissions:
  actions: read
  contents: read
  security-events: write

env:
  PYTHON_VERSION: "3.12"

jobs:
  snyk-security-scan:
    name: Snyk Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install Snyk CLI
        uses: snyk/actions/setup@master

      - name: Install Snyk Python dependencies
        run: |
          pip install -e . --group dev
          pip freeze > requirements.txt

      - name: Run Snyk for Open Source Vulnerabilities (OSS)
        run: |
          snyk test \
            --file=requirements.txt \
            --package-manager=pip \
            --org=${{ secrets.SNYK_ORG_ID }} \
            --sarif \
            --sarif-file-output=snyk-oss.sarif
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        continue-on-error: true

      - name: Run Snyk Code (SAST)
        run: snyk code test --sarif > snyk-code.sarif
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

      - name: Upload SARIF as build artifact
        uses: actions/upload-artifact@v7
        with:
          name: snyk-results
          path: |
            snyk-code.sarif
            snyk-oss.sarif

      # --- Upload Snyk SARIF to GitHub Security Dashboard ONLY available on public repos---
      #- name: Upload SARIF to GitHub Security
      #  uses: github/codeql-action/upload-sarif@v4
      #  with:
      #    sarif_file: snyk-code.sarif

  bandit-sast:
    name: Bandit Static Application Security Testing
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install uv and cache dependencies
        uses: astral-sh/setup-uv@v7
        with:
          enable-cache: true
          cache-dependency-glob: |
            pyproject.toml
            uv.lock

      - name: Install project dependencies
        run: |
          uv lock
          uv sync

      - name: Run Bandit security linter
        run: uv run bandit -r src/ -f json -o bandit-report.json

      - name: Upload Bandit results
        if: always()
        uses: actions/upload-artifact@v7
        with:
          name: bandit-report
          path: bandit-report.json

  secrets-scan:
    name: Secrets Detection
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: TruffleHog Secret Scan
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
          head: ${{ github.event.pull_request.head.sha }}