dsagent/.github/workflows/security.yml at main · nmlemus/dsagent · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
name: Security Scan

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
  schedule:
    # Run weekly on Sundays at midnight
    - cron: "0 0 * * 0"

permissions:
  contents: read
  security-events: write

jobs:
  # Python security scanning with Bandit
  bandit:
    name: Bandit Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - name: Install Bandit
        run: pip install bandit bandit-sarif-formatter

      - name: Run Bandit
        run: |
          bandit -r src/ -f sarif -o bandit-results.sarif --severity-level medium --exit-zero

      - name: Upload Bandit results to GitHub Security
        uses: github/codeql-action/upload-sarif@v4
        if: always() && hashFiles('bandit-results.sarif') != ''
        with:
          sarif_file: bandit-results.sarif
          category: bandit

  # Dependency vulnerability scanning
  pip-audit:
    name: Dependency Vulnerability Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - name: Install dependencies
        run: |
          pip install pip-audit
          pip install -e .

      - name: Run pip-audit
        run: |
          pip-audit --skip-editable --format=json --output=pip-audit-results.json || true
          pip-audit --skip-editable --desc || true

  # Secret scanning with Gitleaks
  gitleaks:
    name: Secret Scanning
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Run Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

  # Docker image scanning with Trivy
  trivy:
    name: Container Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Build Docker image
        run: docker build -t dsagent:scan .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: "dsagent:scan"
          format: "sarif"
          output: "trivy-results.sarif"
          severity: "CRITICAL,HIGH,MEDIUM"

      - name: Upload Trivy results to GitHub Security
        uses: github/codeql-action/upload-sarif@v4
        if: always() && hashFiles('trivy-results.sarif') != ''
        with:
          sarif_file: trivy-results.sarif
          category: trivy

  # OSSF Scorecard for repository security best practices
  scorecard:
    name: OSSF Scorecard
    runs-on: ubuntu-latest
    if: github.event_name != 'pull_request'
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Run Scorecard
        uses: ossf/scorecard-action@v2.4.0
        with:
          results_file: scorecard-results.sarif
          results_format: sarif

      - name: Upload Scorecard results to GitHub Security
        uses: github/codeql-action/upload-sarif@v4
        if: always() && hashFiles('scorecard-results.sarif') != ''
        with:
          sarif_file: scorecard-results.sarif
          category: scorecard