Security - Dependency Scanning #88
| name: Security - Dependency Scanning | |
| on: | |
| push: | |
| branches: [main, develop] | |
| paths: | |
| - 'requirements.txt' | |
| - 'pyproject.toml' | |
| - 'setup.cfg' | |
| - '.github/workflows/security-dependencies.yml' | |
| pull_request: | |
| branches: [main, develop] | |
| paths: | |
| - 'requirements.txt' | |
| - 'pyproject.toml' | |
| - 'setup.cfg' | |
| schedule: | |
| # Run daily at 2 AM UTC to catch newly disclosed vulnerabilities | |
| - cron: '0 2 * * *' | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| security-events: write | |
| pull-requests: write | |
| jobs: | |
| dependency-check: | |
| name: Check for vulnerable dependencies | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.13' | |
| cache: 'pip' | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -r requirements.txt | |
| pip install safety pip-audit | |
| - name: Run Safety check | |
| id: safety | |
| continue-on-error: true | |
| run: | | |
| echo "## Security Check Results" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "### Safety Check" >> $GITHUB_STEP_SUMMARY | |
| safety check --json 2>/dev/null || echo "No known vulnerabilities" | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| - name: Run pip-audit | |
| id: pip-audit | |
| continue-on-error: true | |
| run: | | |
| echo "### pip-audit Check" >> $GITHUB_STEP_SUMMARY | |
| pip-audit --desc --format json 2>/dev/null > /tmp/pip-audit.json || true | |
| pip-audit --desc 2>/dev/null || echo "No vulnerabilities found" | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| - name: Comment on PR with findings | |
| if: github.event_name == 'pull_request' && (steps.safety.outcome == 'failure' || steps.pip-audit.outcome == 'failure') | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: > | |
| ⚠️ **Dependency Security Warning** | |
| Vulnerable dependencies detected. Review the workflow logs | |
| and update packages. | |
| }) | |
| - name: Report vulnerability summary | |
| if: steps.safety.outcome == 'failure' || steps.pip-audit.outcome == 'failure' | |
| run: | | |
| echo "❌ Vulnerable dependencies found!" | |
| echo "Please update your dependencies:" | |
| echo " pip install --upgrade -r requirements.txt" | |
| exit 1 | |
| outdated-packages: | |
| name: Check for outdated packages | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.13' | |
| cache: 'pip' | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install pip-audit | |
| - name: Check for outdated packages | |
| id: outdated | |
| continue-on-error: true | |
| run: | | |
| echo "## Outdated Packages Report" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| pip list --outdated || echo "All packages are up to date" | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| - name: Suggest updates | |
| if: steps.outdated.outcome == 'failure' | |
| run: | | |
| echo "⚠️ Some packages are outdated. Consider updating:" | |
| echo " pip install --upgrade -r requirements.txt" | |
| licenses: | |
| name: Check dependency licenses | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.13' | |
| cache: 'pip' | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -r requirements.txt | |
| pip install pip-licenses | |
| - name: Generate license report | |
| run: | | |
| echo "## License Compliance Report" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "### Installed Package Licenses" >> $GITHUB_STEP_SUMMARY | |
| echo '```' >> $GITHUB_STEP_SUMMARY | |
| pip-licenses --format=plain --sort-by-license || true | |
| echo '```' >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| - name: Check for incompatible licenses | |
| id: license-check | |
| continue-on-error: true | |
| run: | | |
| # Check for problematic licenses (GPL, AGPL, etc. if not compatible with Apache 2.0) | |
| pip-licenses --fail-on AGPL --fail-on GPL || echo "⚠️ License check completed (warnings may exist)" | |
| sbom-generation: | |
| name: Generate Software Bill of Materials | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.13' | |
| cache: 'pip' | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -r requirements.txt | |
| pip install cyclonedx-bom | |
| - name: Generate SBOM (CycloneDX format) | |
| run: | | |
| cyclonedx-py environment -o sbom.json --of JSON | |
| cyclonedx-py environment -o sbom.xml --of XML | |
| - name: Upload SBOM artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: sbom-reports | |
| path: | | |
| sbom.json | |
| sbom.xml | |
| retention-days: 90 | |
| - name: Print SBOM summary | |
| run: | | |
| echo "## SBOM Generation Complete" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "Generated SBOM files:" >> $GITHUB_STEP_SUMMARY | |
| echo "- sbom.json (CycloneDX JSON)" >> $GITHUB_STEP_SUMMARY | |
| echo "- sbom.xml (CycloneDX XML)" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "Available as workflow artifacts" >> $GITHUB_STEP_SUMMARY |
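Review bot: The `|| echo "No known vulnerabilities"` on line 53, the `|| true` / `|| echo` on lines 60–61 and the `|| echo` on line 142 swallow the scanners' non-zero exit status, so `steps.safety.outcome` and `steps.pip-audit.outcome` can never be `'failure'` and neither the PR-comment step (line 64) nor the `exit 1` gate (lines 78–83) will ever fire — the job goes green with vulnerable dependencies installed. `continue-on-error: true` already keeps the job alive, so the fallbacks should be dropped (or the exit code captured and re-raised) so the recorded outcome reflects the real result, and the JSON report should be written with the tool's own output flag instead of being discarded. Independently, the `body: >` block on lines 72–75 sits inside the `script: |` literal scalar, so github-script receives it as JavaScript text and will fail with a syntax error; the body has to be a JS string. The `safety check --json` output is also never appended to `$GITHUB_STEP_SUMMARY`, so the "Safety Check" heading written at line 52 is followed by nothing. Pinning the third-party actions to commit SHAs rather than moving tags would further harden the workflow, though that is a preference rather than a defect.
```yaml
# … unchanged: triggers, permissions, checkout / setup-python / install steps …
      - name: Run Safety check
        id: safety
        continue-on-error: true
        run: |
          echo "## Security Check Results" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "### Safety Check" >> "$GITHUB_STEP_SUMMARY"
          # Capture the exit code instead of masking it, so the step outcome is 'failure' on findings
          rc=0
          safety check > /tmp/safety.txt || rc=$?
          cat /tmp/safety.txt >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          exit "$rc"
      - name: Run pip-audit
        id: pip-audit
        continue-on-error: true
        run: |
          echo "### pip-audit Check" >> "$GITHUB_STEP_SUMMARY"
          rc=0
          pip-audit --desc --format json -o /tmp/pip-audit.json || rc=$?
          pip-audit --desc > /tmp/pip-audit.txt || rc=$?
          cat /tmp/pip-audit.txt >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          exit "$rc"
      - name: Comment on PR with findings
        if: github.event_name == 'pull_request' && (steps.safety.outcome == 'failure' || steps.pip-audit.outcome == 'failure')
        uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: '⚠️ **Dependency Security Warning**\n\nVulnerable dependencies detected. Review the workflow logs and update packages.'
            })
# … unchanged: vulnerability summary step and the outdated-packages, licenses, sbom-generation jobs …
```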