From 82454d508465ab3adb834a34db3047eaab92dc51 Mon Sep 17 00:00:00 2001
From: Harsh Srivastava
Date: Sun, 27 Apr 2025 12:51:59 +0530
Subject: [PATCH 1/5] added python sast and dependabot
---
 .github/dependabot.yml | 20 ++
 .github/workflows/python-sast.yml | 300 ++++++++++++++++++++++++++++++
 2 files changed, 320 insertions(+)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/python-sast.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..c1b6135
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,20 @@
+version: 2
+updates:
+ # Python dependencies (weekly updates)
+ - package-ecosystem: "pip"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ target-branch: "soc2"
+ open-pull-requests-limit: 5
+ labels:
+ - "security"
+
+ - package-ecosystem: "pip"
+ directory: "/pf9watcher"
+ schedule:
+ interval: "weekly"
+ target-branch: "soc2"
+ open-pull-requests-limit: 5
+ labels:
+ - "security"
\ No newline at end of file
diff --git a/.github/workflows/python-sast.yml b/.github/workflows/python-sast.yml
new file mode 100644
index 0000000..c27f894
--- /dev/null
+++ b/.github/workflows/python-sast.yml
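Review bot: The Dependabot config only covers the two `pip` directories, while the workflow added in the same commit pins every action to a mutable major tag (`actions/checkout@v3`, `actions/setup-python@v4`, `peter-evans/create-pull-request@v5`), so action updates are never proposed and a compromised tag would be picked up silently; add a `github-actions` ecosystem entry alongside the pip ones. The file also ends without a trailing newline (`\ No newline at end of file`), which yamllint reports. `target-branch: "soc2"` means updates are never opened against the default branch, which may be intended but is worth a comment.
```yaml
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    target-branch: "soc2"
```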
@@ -0,0 +1,300 @@
+name: Python Security & Linting
+'on':
+ push:
+ branches:
+ - soc2
+ pull_request:
+ branches:
+ - soc2
+jobs:
+ setup:
+ name: Shared Setup
+ runs-on: ubuntu-latest
+ outputs:
+ python-version: '3.10'
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v3
+ - name: Export Python Version
+ run: echo "python-version=3.10" >> $GITHUB_OUTPUT
+ bandit_scan:
+ name: Bandit Security Scan (Full)
+ needs: setup
+ runs-on: ubuntu-latest
+ continue-on-error: true
+ outputs:
+ bandit-high-found: ${{ steps.scan.outputs.bandit_high_found }}
+ exit_with_failure: ${{ steps.scan.outputs.exit_with_failure }}
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v3
+ - name: Set up Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: '${{ needs.setup.outputs.python-version }}'
+ - name: Install Bandit
+ run: pip install bandit jq
+ - name: Run Full Bandit Scan
+ id: scan
+ run: |
+ echo "🚨 Running full Bandit scan..."
+ mkdir -p tmp
+ bandit -r . --severity-level medium -f json -o tmp/bandit_output.json || true
+ echo -e "\nšŸ” Human-readable Bandit output:\n"
+ bandit -r . --severity-level medium || true
+ cat tmp/bandit_output.json || echo "{}"
+ count=$(jq '.results | map(select(.issue_severity == "HIGH")) | length' tmp/bandit_output.json || echo 0)
+
+ if [[ "$count" -gt 0 ]]; then
+ echo "bandit_high_found=true" >> "$GITHUB_OUTPUT"
+ echo "āŒ High severity issues found."
+ echo "exit_with_failure=true" >> "$GITHUB_OUTPUT"
+ else
+ echo "bandit_high_found=false" >> "$GITHUB_OUTPUT"
+ echo "exit_with_failure=false" >> "$GITHUB_OUTPUT"
+ fi
+ # run: "echo \"\U0001F6A8 Running full Bandit scan...\"\nmkdir -p tmp\nbandit -r . --severity-level medium -f json -o tmp/bandit_output.json || true\necho -e \"\\n\U0001F50D Human-readable Bandit output:\\n\"\nbandit -r . 
--severity-level medium || true\ncat tmp/bandit_output.json || echo \"{}\"\ncount=$(jq '.results | map(select(.issue_severity == \"HIGH\")) | length' tmp/bandit_output.json || echo 0)\necho \"bandit_high_found=$([[ $count -gt 0 ]] && echo true || echo false)\" >> $GITHUB_OUTPUT\n"
+ - name: Upload Bandit Report
+ uses: actions/upload-artifact@v4
+ with:
+ name: bandit-json
+ path: tmp/bandit_output.json
+
+ - name: Fail Job If Vulnerabilities Found
+ if: ${{ steps.scan.outputs.exit_with_failure == 'true' }}
+ run: exit 1
+ auto-pr:
+ name: Create Pull Request if High Vulnerabilities Found
+ needs:
+ - bandit_scan
+ if: ${{ needs.bandit_scan.outputs.bandit-high-found == 'true' }}
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v3
+
+ - name: Download Bandit Report
+ uses: actions/download-artifact@v4
+ with:
+ name: bandit-json
+ path: tmp
+
+ - name: Generate PR Body with High Severity Bandit Results
+ run: |
+ echo "# 🚨 Bandit Scan Report" > tmp/pr-body.md
+ if [[ -f tmp/bandit_output.json ]]; then
+ jq -r '.results[]
+ | select(.issue_severity == "HIGH")
+ | "* File: \(.filename)\n • Line: \(.line_number)\n • Severity: \(.issue_severity)\n • Confidence: \(.issue_confidence)\n • Issue: \(.issue_text)\n"' \
+ tmp/bandit_output.json >> tmp/pr-body.md
+ else
+ echo "āŒ Bandit report not found or scan failed." 
>> tmp/pr-body.md
+ fi
+
+ - name: Commit Bandit Alert Log (Optional)
+ run: |
+ if [[ -f tmp/bandit_output.json ]]; then
+ jq -r '.results[]
+ | select(.issue_severity == "HIGH")
+ | "### 🚨 High Severity Issue\n```\nFile: \(.filename)\nLine: \(.line_number)\nSeverity: \(.issue_severity)\nConfidence: \(.issue_confidence)\nIssue: \(.issue_text)\n```\n"' \
+ tmp/bandit_output.json > .bandit-alert.log || true
+
+ git config user.name github-actions
+ git config user.email github-actions@github.com
+ git add -f .bandit-alert.log || true
+ git commit -m "chore: bandit security alert log" || true
+ fi
+
+ - name: Create Pull Request
+ uses: peter-evans/create-pull-request@v5
+ with:
+ commit-message: 'chore: issues detected by Bandit (all severities)'
+ title: 'chore: auto PR for Bandit scan'
+ body-path: tmp/pr-body.md
+ branch: auto/bandit-security-scan
+ base: soc2
+ delete-branch: true
+
+ ruff-lint-and-pr:
+ name: Ruff Lint & Auto PR
+ needs: setup
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Set up Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: ${{ needs.setup.outputs.python-version }}
+
+ - name: Install Ruff
+ run: pip install ruff
+
+ - name: Run Ruff
+ id: ruff
+ run: |
+ echo "šŸ” Running Ruff Lint..."
+ ruff check . --select E,F,I > ruff_output.txt || true
+ cat ruff_output.txt
+ if [ -s ruff_output.txt ]; then
+ echo "ruff_issues=true" >> "$GITHUB_OUTPUT"
+ else
+ echo "ruff_issues=false" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Create PR if Issues Found
+ if: ${{ steps.ruff.outputs.ruff_issues == 'true' }}
+ uses: peter-evans/create-pull-request@v5
+ with:
+ commit-message: 'chore: fix ruff lint issues'
+ title: 'chore: Ruff Lint Issues Found'
+ body: |
+ ## āš ļø Ruff Lint Issues Found
+ See `.ruff_output.txt` for full details. 
+ branch: auto/ruff-lint-issues
+ base: atherton
+ add-paths: |
+ ruff_output.txt
+
+ - name: Fail job if issues found
+ if: ${{ steps.ruff.outputs.ruff_issues == 'true' }}
+ run: |
+ echo "āŒ Ruff lint issues found — failing job."
+ exit 1
+
+# trivy_security_scan:
+# runs-on: ubuntu-latest
+# steps:
+# - name: Checkout Code
+# uses: actions/checkout@v3
+# - name: Install Trivy
+# run: >
+# sudo apt update
+
+# sudo apt install wget -y
+
+# wget -O- https://aquasecurity.github.io/trivy-repo/deb/public.key |
+# sudo tee /etc/apt/trusted.gpg.d/trivy.asc
+
+# echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release
+# -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
+
+# sudo apt update
+# sudo apt install -y trivy
+# - name: Scan Code Dependencies
+# run: 'trivy fs --scanners vuln,config --exit-code 1 --severity HIGH,CRITICAL .'
+
+ trivy_security_scan_and_pr:
+ name: Trivy Security Scan & Auto PR
+ needs: setup
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write # allow committing alert log
+ pull-requests: write # allow opening PR
+ outputs:
+ trivy_issues_found: ${{ steps.scan.outputs.trivy_issues_found }}
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v3
+
+ - name: Install Trivy
+ run: |
+ sudo apt update
+ sudo apt install wget -y
+ wget -qO- https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo tee /etc/apt/trusted.gpg.d/trivy.asc
+ echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
+ sudo apt update
+ sudo apt install -y trivy jq
+
+ - name: Run Trivy Filesystem Scan
+ id: scan
+ run: |
+ set -euo pipefail
+ echo "šŸ›”ļø Running Trivy scan (HIGH/CRITICAL)..."
+ mkdir -p tmp
+ trivy fs --format json --severity HIGH,CRITICAL --output tmp/trivy.json .
+ [[ -f tmp/trivy.json ]] || echo '{"Results":[]}' > tmp/trivy.json
+
+ # Safely exit if Results are missing or empty
+ if ! 
jq -e '.Results and (.Results | length > 0)' tmp/trivy.json >/dev/null; then
+ echo "ā„¹ļø No scan results available — likely no supported files found."
+ echo "trivy_issues_found=false" >> "$GITHUB_OUTPUT"
+ exit 0
+ fi
+ count=$(jq -e '
+ (.Results // []) # safe default
+ | map(.Vulnerabilities? // []) # ? prevents error if field missing
+ | add
+ | map(select(.Severity=="HIGH" or .Severity=="CRITICAL"))
+ | length
+ ' tmp/trivy.json)
+ if [[ "$count" -gt 0 ]]; then
+ echo "trivy_issues_found=true" >> "$GITHUB_OUTPUT"
+ echo "āŒ Vulnerabilities found: $count"
+ else
+ echo "trivy_issues_found=false" >> "$GITHUB_OUTPUT"
+ echo "āœ… No HIGH/CRITICAL vulnerabilities found"
+ fi
+
+ - name: Upload Trivy Report
+ uses: actions/upload-artifact@v4
+ with:
+ name: trivy-json
+ path: tmp/trivy.json
+
+ # Fail the job to block merge, but continue workflow so PR can be created
+ - name: Set exit code if issues
+ if: ${{ steps.scan.outputs.trivy_issues_found == 'true' }}
+ run: exit 1
+ continue-on-error: true
+
+ - name: Generate PR Body
+ if: ${{ steps.scan.outputs.trivy_issues_found == 'true' }}
+ run: |
+ echo "# šŸ›”ļø Trivy Scan Report" > tmp/pr-body.md
+ jq -r '
+ (.Results // [])
+ | .[] # each result
+ | .Target as $file
+ | (.Vulnerabilities? // [])
+ | map(select(.Severity=="HIGH" or .Severity=="CRITICAL"))
+ | .[]
+ | "* File: \($file)\n • Vulnerability ID: \(.VulnerabilityID)\n • Pkg: \(.PkgName) \(.InstalledVersion)\n • Severity: \(.Severity)\n • Title: \(.Title)\n"
+ ' tmp/trivy.json >> tmp/pr-body.md
+
+ - name: Commit Trivy Alert Log (optional)
+ if: ${{ steps.scan.outputs.trivy_issues_found == 'true' }}
+ run: |
+ jq -r '
+ (.Results // [])
+ | .[]
+ | .Target as $file
+ | (.Vulnerabilities? 
// [])
+ | map(select(.Severity=="HIGH" or .Severity=="CRITICAL"))
+ | .[]
+ | "### šŸ›”ļø Critical/High Vulnerability\n```\nFile: \($file)\nVulnerabilityID: \(.VulnerabilityID)\nPackage: \(.PkgName) \(.InstalledVersion)\nSeverity: \(.Severity)\nTitle: \(.Title)\n```\n"
+ ' tmp/trivy.json > .trivy-alert.log || true
+
+ git config user.name github-actions
+ git config user.email github-actions@github.com
+ git add -f .trivy-alert.log || true
+ git commit -m "chore: trivy security alert log" || true
+
+ - name: Create Pull Request
+ if: ${{ steps.scan.outputs.trivy_issues_found == 'true' }}
+ uses: peter-evans/create-pull-request@v5
+ with:
+ commit-message: 'chore: vulnerabilities detected by Trivy (HIGH/CRITICAL)'
+ title: 'chore: auto PR for Trivy security scan'
+ body-path: tmp/pr-body.md
+ branch: auto/trivy-security-scan
+ base: soc2
+ delete-branch: true
From e27ecc07330ea820e8b1b7e1f3571faba2bc647e Mon Sep 17 00:00:00 2001
From: Harsh Srivastava
Date: Mon, 7 Jul 2025 13:31:23 +0530
Subject: [PATCH 2/5] changed workflow file
---
 .github/dependabot.yml | 20 --------------------
 .github/workflows/python-sast.yml | 8 ++++----
 2 files changed, 4 insertions(+), 24 deletions(-)
 delete mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index c1b6135..0000000
--- a/.github/dependabot.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-version: 2
-updates:
- # Python dependencies (weekly updates)
- - package-ecosystem: "pip"
- directory: "/"
- schedule:
- interval: "weekly"
- target-branch: "soc2"
- open-pull-requests-limit: 5
- labels:
- - "security"
-
- - package-ecosystem: "pip"
- directory: "/pf9watcher"
- schedule:
- interval: "weekly"
- target-branch: "soc2"
- open-pull-requests-limit: 5
- labels:
- - "security"
\ No newline at end of file
diff --git a/.github/workflows/python-sast.yml b/.github/workflows/python-sast.yml
index c27f894..f376e01 100644
--- a/.github/workflows/python-sast.yml
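Review bot: `continue-on-error: true` on the `bandit_scan` job and on the trivy job's `Set exit code if issues` step means the `run: exit 1` steps never turn the job conclusion red, so the "Fail Job If Vulnerabilities Found" guards cannot block a merge through required status checks — the job reports success either way. If the point of the flag is to keep the `auto-pr` job running after a failing scan, drop both `continue-on-error` lines and gate the dependent job with `if: ${{ always() && needs.bandit_scan.outputs.bandit-high-found == 'true' }}` instead. Separately, `bandit ... || true` followed by `jq ... || echo 0` collapses a scanner crash or a missing report into `bandit_high_found=false`, so a scan that never ran is indistinguishable from a clean one; the same pattern is in the `Run Ruff` step. The ruff job's `base: atherton` also disagrees with the `soc2` base used by the other two auto-PRs and with the `on:` branch filter.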
+++ b/.github/workflows/python-sast.yml
@@ -2,10 +2,10 @@ name: Python Security & Linting
 'on':
 push:
 branches:
- - soc2
+ - private/soc2
 pull_request:
 branches:
- - soc2
+ - private/soc2
 jobs:
 setup:
 name: Shared Setup
@@ -115,7 +115,7 @@ jobs:
 title: 'chore: auto PR for Bandit scan'
 body-path: tmp/pr-body.md
 branch: auto/bandit-security-scan
- base: soc2
+ base: private/soc2
 delete-branch: true

 ruff-lint-and-pr:
@@ -296,5 +296,5 @@ jobs:
 title: 'chore: auto PR for Trivy security scan'
 body-path: tmp/pr-body.md
 branch: auto/trivy-security-scan
- base: soc2
+ base: private/soc2
 delete-branch: true
From 2346f6de06e9c1c54ac9309505a5b47011fb055d Mon Sep 17 00:00:00 2001
From: Harsh Srivastava
Date: Wed, 31 Dec 2025 16:25:52 +0530
Subject: [PATCH 3/5] added scan files
---
 .github/workflows/lint.yml | 72 +++++++
 .github/workflows/python-sast.yml | 300 ----------------------------
 .github/workflows/security-scan.yml | 173 ++++++++++++++++
 3 files changed, 245 insertions(+), 300 deletions(-)
 create mode 100644 .github/workflows/lint.yml
 delete mode 100644 .github/workflows/python-sast.yml
 create mode 100644 .github/workflows/security-scan.yml
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..5718f2b
--- /dev/null
+++ b/.github/workflows/lint.yml
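Review bot: The move to `private/soc2` updates the `base:` of the Bandit and Trivy auto-PRs (hunks at lines 115 and 296) but leaves the Ruff job's `base: atherton` in the same file untouched, so lint auto-PRs still target a branch that is neither in the `on:` filter nor used anywhere else in the workflow; it reads as a stale value rather than a deliberate exception. Either change it to `base: private/soc2` here or derive every base from `${{ github.ref_name }}` so future branch renames are a one-line change.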
@@ -0,0 +1,72 @@
+name: Python Lint
+'on':
+ push:
+ branches:
+ - main
+ - private/harsh/soc2-scan
+ - private/soc2
+ pull_request:
+
+jobs:
+ setup:
+ name: Shared Setup
+ runs-on: ubuntu-latest
+ outputs:
+ python-version: '3.10'
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v3
+ - name: Export Python Version
+ run: echo "python-version=3.10" >> $GITHUB_OUTPUT
+
+ ruff-lint-and-pr:
+ name: Ruff Lint & Auto PR
+ needs: setup
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Set up Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: ${{ needs.setup.outputs.python-version }}
+
+ - name: Install Ruff
+ run: pip install ruff
+
+ - name: Run Ruff
+ id: ruff
+ run: |
+ echo "šŸ” Running Ruff Lint..."
+ ruff check . --select E,F,I > ruff_output.txt || true
+ cat ruff_output.txt
+ if [ -s ruff_output.txt ]; then
+ echo "ruff_issues=true" >> "$GITHUB_OUTPUT"
+ else
+ echo "ruff_issues=false" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Create PR if Issues Found
+ if: ${{ steps.ruff.outputs.ruff_issues == 'true' }}
+ uses: peter-evans/create-pull-request@v5
+ with:
+ commit-message: 'chore: fix ruff lint issues'
+ title: 'chore: Ruff Lint Issues Found'
+ body: |
+ ## āš ļø Ruff Lint Issues Found
+ See `.ruff_output.txt` for full details.
+ branch: auto/ruff-lint-issues
+ base: atherton
+ add-paths: |
+ ruff_output.txt
+
+ - name: Fail job if issues found
+ if: ${{ steps.ruff.outputs.ruff_issues == 'true' }}
+ run: |
+ echo "āŒ Ruff lint issues found — failing job."
+ exit 1
\ No newline at end of file
diff --git a/.github/workflows/python-sast.yml b/.github/workflows/python-sast.yml
deleted file mode 100644
index f376e01..0000000
--- a/.github/workflows/python-sast.yml
+++ /dev/null
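Review bot: `Create PR if Issues Found` is not gated on `github.event_name == 'push'`, unlike the `security-scan.yml` added in this same commit, so on `pull_request` runs (the trigger has no branch filter) it tries to push `auto/ruff-lint-issues` with a token that is read-only for fork PRs, and on any run it opens the PR against `base: atherton`, a branch not listed under `on.push.branches`. The PR body also points readers at `.ruff_output.txt` while `add-paths` commits `ruff_output.txt`. Suggest `if: ${{ github.event_name == 'push' && steps.ruff.outputs.ruff_issues == 'true' }}` and `base: ${{ github.ref_name }}`, and fixing the filename in the body.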
@@ -1,300 +0,0 @@
-name: Python Security & Linting
-'on':
- push:
- branches:
- - private/soc2
- pull_request:
- branches:
- - private/soc2
-jobs:
- setup:
- name: Shared Setup
- runs-on: ubuntu-latest
- outputs:
- python-version: '3.10'
- steps:
- - name: Checkout Code
- uses: actions/checkout@v3
- - name: Export Python Version
- run: echo "python-version=3.10" >> $GITHUB_OUTPUT
- bandit_scan:
- name: Bandit Security Scan (Full)
- needs: setup
- runs-on: ubuntu-latest
- continue-on-error: true
- outputs:
- bandit-high-found: ${{ steps.scan.outputs.bandit_high_found }}
- exit_with_failure: ${{ steps.scan.outputs.exit_with_failure }}
- steps:
- - name: Checkout Code
- uses: actions/checkout@v3
- - name: Set up Python
- uses: actions/setup-python@v4
- with:
- python-version: '${{ needs.setup.outputs.python-version }}'
- - name: Install Bandit
- run: pip install bandit jq
- - name: Run Full Bandit Scan
- id: scan
- run: |
- echo "🚨 Running full Bandit scan..."
- mkdir -p tmp
- bandit -r . --severity-level medium -f json -o tmp/bandit_output.json || true
- echo -e "\nšŸ” Human-readable Bandit output:\n"
- bandit -r . --severity-level medium || true
- cat tmp/bandit_output.json || echo "{}"
- count=$(jq '.results | map(select(.issue_severity == "HIGH")) | length' tmp/bandit_output.json || echo 0)
-
- if [[ "$count" -gt 0 ]]; then
- echo "bandit_high_found=true" >> "$GITHUB_OUTPUT"
- echo "āŒ High severity issues found."
- echo "exit_with_failure=true" >> "$GITHUB_OUTPUT"
- else
- echo "bandit_high_found=false" >> "$GITHUB_OUTPUT"
- echo "exit_with_failure=false" >> "$GITHUB_OUTPUT"
- fi
- # run: "echo \"\U0001F6A8 Running full Bandit scan...\"\nmkdir -p tmp\nbandit -r . --severity-level medium -f json -o tmp/bandit_output.json || true\necho -e \"\\n\U0001F50D Human-readable Bandit output:\\n\"\nbandit -r . 
--severity-level medium || true\ncat tmp/bandit_output.json || echo \"{}\"\ncount=$(jq '.results | map(select(.issue_severity == \"HIGH\")) | length' tmp/bandit_output.json || echo 0)\necho \"bandit_high_found=$([[ $count -gt 0 ]] && echo true || echo false)\" >> $GITHUB_OUTPUT\n"
- - name: Upload Bandit Report
- uses: actions/upload-artifact@v4
- with:
- name: bandit-json
- path: tmp/bandit_output.json
-
- - name: Fail Job If Vulnerabilities Found
- if: ${{ steps.scan.outputs.exit_with_failure == 'true' }}
- run: exit 1
- auto-pr:
- name: Create Pull Request if High Vulnerabilities Found
- needs:
- - bandit_scan
- if: ${{ needs.bandit_scan.outputs.bandit-high-found == 'true' }}
- runs-on: ubuntu-latest
- permissions:
- contents: write
- pull-requests: write
- steps:
- - name: Checkout Code
- uses: actions/checkout@v3
-
- - name: Download Bandit Report
- uses: actions/download-artifact@v4
- with:
- name: bandit-json
- path: tmp
-
- - name: Generate PR Body with High Severity Bandit Results
- run: |
- echo "# 🚨 Bandit Scan Report" > tmp/pr-body.md
- if [[ -f tmp/bandit_output.json ]]; then
- jq -r '.results[]
- | select(.issue_severity == "HIGH")
- | "* File: \(.filename)\n • Line: \(.line_number)\n • Severity: \(.issue_severity)\n • Confidence: \(.issue_confidence)\n • Issue: \(.issue_text)\n"' \
- tmp/bandit_output.json >> tmp/pr-body.md
- else
- echo "āŒ Bandit report not found or scan failed." 
>> tmp/pr-body.md
- fi
-
- - name: Commit Bandit Alert Log (Optional)
- run: |
- if [[ -f tmp/bandit_output.json ]]; then
- jq -r '.results[]
- | select(.issue_severity == "HIGH")
- | "### 🚨 High Severity Issue\n```\nFile: \(.filename)\nLine: \(.line_number)\nSeverity: \(.issue_severity)\nConfidence: \(.issue_confidence)\nIssue: \(.issue_text)\n```\n"' \
- tmp/bandit_output.json > .bandit-alert.log || true
-
- git config user.name github-actions
- git config user.email github-actions@github.com
- git add -f .bandit-alert.log || true
- git commit -m "chore: bandit security alert log" || true
- fi
-
- - name: Create Pull Request
- uses: peter-evans/create-pull-request@v5
- with:
- commit-message: 'chore: issues detected by Bandit (all severities)'
- title: 'chore: auto PR for Bandit scan'
- body-path: tmp/pr-body.md
- branch: auto/bandit-security-scan
- base: private/soc2
- delete-branch: true
-
- ruff-lint-and-pr:
- name: Ruff Lint & Auto PR
- needs: setup
- runs-on: ubuntu-latest
- permissions:
- contents: write
- pull-requests: write
-
- steps:
- - name: Checkout code
- uses: actions/checkout@v3
-
- - name: Set up Python
- uses: actions/setup-python@v4
- with:
- python-version: ${{ needs.setup.outputs.python-version }}
-
- - name: Install Ruff
- run: pip install ruff
-
- - name: Run Ruff
- id: ruff
- run: |
- echo "šŸ” Running Ruff Lint..."
- ruff check . --select E,F,I > ruff_output.txt || true
- cat ruff_output.txt
- if [ -s ruff_output.txt ]; then
- echo "ruff_issues=true" >> "$GITHUB_OUTPUT"
- else
- echo "ruff_issues=false" >> "$GITHUB_OUTPUT"
- fi
-
- - name: Create PR if Issues Found
- if: ${{ steps.ruff.outputs.ruff_issues == 'true' }}
- uses: peter-evans/create-pull-request@v5
- with:
- commit-message: 'chore: fix ruff lint issues'
- title: 'chore: Ruff Lint Issues Found'
- body: |
- ## āš ļø Ruff Lint Issues Found
- See `.ruff_output.txt` for full details. 
- branch: auto/ruff-lint-issues
- base: atherton
- add-paths: |
- ruff_output.txt
-
- - name: Fail job if issues found
- if: ${{ steps.ruff.outputs.ruff_issues == 'true' }}
- run: |
- echo "āŒ Ruff lint issues found — failing job."
- exit 1
-
-# trivy_security_scan:
-# runs-on: ubuntu-latest
-# steps:
-# - name: Checkout Code
-# uses: actions/checkout@v3
-# - name: Install Trivy
-# run: >
-# sudo apt update
-
-# sudo apt install wget -y
-
-# wget -O- https://aquasecurity.github.io/trivy-repo/deb/public.key |
-# sudo tee /etc/apt/trusted.gpg.d/trivy.asc
-
-# echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release
-# -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
-
-#	sudo apt update
-# sudo apt install -y trivy
-# - name: Scan Code Dependencies
-# run: 'trivy fs --scanners vuln,config --exit-code 1 --severity HIGH,CRITICAL .'
-
- trivy_security_scan_and_pr:
- name: Trivy Security Scan & Auto PR
- needs: setup
- runs-on: ubuntu-latest
- permissions:
- contents: write # allow committing alert log
- pull-requests: write # allow opening PR
- outputs:
- trivy_issues_found: ${{ steps.scan.outputs.trivy_issues_found }}
- steps:
- - name: Checkout Code
- uses: actions/checkout@v3
-
- - name: Install Trivy
- run: |
- sudo apt update
- sudo apt install wget -y
- wget -qO- https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo tee /etc/apt/trusted.gpg.d/trivy.asc
- echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
- sudo apt update
- sudo apt install -y trivy jq
-
- - name: Run Trivy Filesystem Scan
- id: scan
- run: |
- set -euo pipefail
- echo "šŸ›”ļø Running Trivy scan (HIGH/CRITICAL)..."
- mkdir -p tmp
- trivy fs --format json --severity HIGH,CRITICAL --output tmp/trivy.json .
- [[ -f tmp/trivy.json ]] || echo '{"Results":[]}' > tmp/trivy.json
-
- # Safely exit if Results are missing or empty
- if ! 
jq -e '.Results and (.Results | length > 0)' tmp/trivy.json >/dev/null; then
- echo "ā„¹ļø No scan results available — likely no supported files found."
- echo "trivy_issues_found=false" >> "$GITHUB_OUTPUT"
- exit 0
- fi
- count=$(jq -e '
- (.Results // []) # safe default
- | map(.Vulnerabilities? // []) # ? prevents error if field missing
- | add
- | map(select(.Severity=="HIGH" or .Severity=="CRITICAL"))
- | length
- ' tmp/trivy.json)
- if [[ "$count" -gt 0 ]]; then
- echo "trivy_issues_found=true" >> "$GITHUB_OUTPUT"
- echo "āŒ Vulnerabilities found: $count"
- else
- echo "trivy_issues_found=false" >> "$GITHUB_OUTPUT"
- echo "āœ… No HIGH/CRITICAL vulnerabilities found"
- fi
-
- - name: Upload Trivy Report
- uses: actions/upload-artifact@v4
- with:
- name: trivy-json
- path: tmp/trivy.json
-
- # Fail the job to block merge, but continue workflow so PR can be created
- - name: Set exit code if issues
- if: ${{ steps.scan.outputs.trivy_issues_found == 'true' }}
- run: exit 1
- continue-on-error: true
-
- - name: Generate PR Body
- if: ${{ steps.scan.outputs.trivy_issues_found == 'true' }}
- run: |
- echo "# šŸ›”ļø Trivy Scan Report" > tmp/pr-body.md
- jq -r '
- (.Results // [])
- | .[] # each result
- | .Target as $file
- | (.Vulnerabilities? // [])
- | map(select(.Severity=="HIGH" or .Severity=="CRITICAL"))
- | .[]
- | "* File: \($file)\n • Vulnerability ID: \(.VulnerabilityID)\n • Pkg: \(.PkgName) \(.InstalledVersion)\n • Severity: \(.Severity)\n • Title: \(.Title)\n"
- ' tmp/trivy.json >> tmp/pr-body.md
-
- - name: Commit Trivy Alert Log (optional)
- if: ${{ steps.scan.outputs.trivy_issues_found == 'true' }}
- run: |
- jq -r '
- (.Results // [])
- | .[]
- | .Target as $file
- | (.Vulnerabilities? 
// [])
- | map(select(.Severity=="HIGH" or .Severity=="CRITICAL"))
- | .[]
- | "### šŸ›”ļø Critical/High Vulnerability\n```\nFile: \($file)\nVulnerabilityID: \(.VulnerabilityID)\nPackage: \(.PkgName) \(.InstalledVersion)\nSeverity: \(.Severity)\nTitle: \(.Title)\n```\n"
- ' tmp/trivy.json > .trivy-alert.log || true
-
- git config user.name github-actions
- git config user.email github-actions@github.com
- git add -f .trivy-alert.log || true
- git commit -m "chore: trivy security alert log" || true
-
- - name: Create Pull Request
- if: ${{ steps.scan.outputs.trivy_issues_found == 'true' }}
- uses: peter-evans/create-pull-request@v5
- with:
- commit-message: 'chore: vulnerabilities detected by Trivy (HIGH/CRITICAL)'
- title: 'chore: auto PR for Trivy security scan'
- body-path: tmp/pr-body.md
- branch: auto/trivy-security-scan
- base: private/soc2
- delete-branch: true
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
new file mode 100644
index 0000000..cfbf4f2
--- /dev/null
+++ b/.github/workflows/security-scan.yml
@@ -0,0 +1,173 @@
+name: Python Security scan
+'on':
+ push:
+ branches:
+ - master
+ - private/harsh/soc2-scan
+ - private/soc2
+ pull_request:
+
+jobs:
+ setup:
+ name: Shared Setup
+ runs-on: ubuntu-latest
+ outputs:
+ python-version: '3.10'
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v3
+ - name: Export Python Version
+ run: echo "python-version=3.10" >> $GITHUB_OUTPUT
+
+ bandit_scan:
+ name: Bandit Security Scan (Full)
+ needs: setup
+ runs-on: ubuntu-latest
+ outputs:
+ bandit-high-found: ${{ steps.scan.outputs.bandit_high_found }}
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v3
+ - name: Set up Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: '${{ needs.setup.outputs.python-version }}'
+ - name: Install Bandit
+ run: pip install bandit jq
+ - name: Sanitize branch name
+ run: echo "SAFE_REF_NAME=${GITHUB_REF_NAME//\//-}" >> $GITHUB_ENV
+ - name: Run Full Bandit Scan
+ id: scan
+ run: |
+ echo "Running full Bandit scan..."
+ mkdir -p tmp
+ bandit -r . --severity-level medium -f json -o tmp/bandit_output.json || true
+ echo -e "\nHuman-readable Bandit output:\n"
+ bandit -r . 
--severity-level medium || true
+ cat tmp/bandit_output.json || echo "{}"
+ count=$(jq '.results | map(select(.issue_severity == "HIGH")) | length' tmp/bandit_output.json || echo 0)
+
+ if [[ "$count" -gt 0 ]]; then
+ echo "bandit_high_found=true" >> "$GITHUB_OUTPUT"
+ else
+ echo "bandit_high_found=false" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Upload Bandit Report
+ uses: actions/upload-artifact@v4
+ with:
+ name: bandit-json-${{ env.SAFE_REF_NAME }}
+ path: tmp/bandit_output.json
+
+ - name: Generate PR Body (if vulnerabilities found)
+ if: ${{ steps.scan.outputs.bandit_high_found == 'true' }}
+ run: |
+ echo "# Bandit Scan Report for branch \`${GITHUB_REF_NAME}\`" > tmp/pr-body.md
+ jq -r '.results[]
+ | select(.issue_severity == "HIGH")
+ | "* File: \(.filename)\n • Line: \(.line_number)\n • Severity: \(.issue_severity)\n • Confidence: \(.issue_confidence)\n • Issue: \(.issue_text)\n"' \
+ tmp/bandit_output.json >> tmp/pr-body.md
+
+ - name: Create Pull Request (if vulnerabilities found)
+ if: ${{ github.event_name == 'push' && steps.scan.outputs.bandit_high_found == 'true' }}
+ uses: peter-evans/create-pull-request@v5
+ with:
+ commit-message: 'chore: issues detected by Bandit (HIGH)'
+ title: 'Bandit Vulnerability Report for branch ${{ github.ref_name }}'
+ body-path: tmp/pr-body.md
+ branch: auto/bandit-scan/${{ env.SAFE_REF_NAME }}
+ base: ${{ github.ref_name }}
+ delete-branch: true
+
+ - name: Fail Job If Vulnerabilities Found
+ if: ${{ steps.scan.outputs.bandit_high_found == 'true' }}
+ run: exit 1
+
+ trivy_scan:
+ name: Trivy Security Scan (Full)
+ needs: setup
+ runs-on: ubuntu-latest
+ outputs:
+ trivy_issues_found: ${{ steps.scan.outputs.trivy_issues_found }}
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v3
+
+ - name: Install Trivy
+ run: |
+ sudo apt update
+ sudo apt install wget -y
+ wget -qO- https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo tee 
/etc/apt/trusted.gpg.d/trivy.asc
+ echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
+ sudo apt update
+ sudo apt install -y trivy jq
+
+ - name: Sanitize branch name
+ run: echo "SAFE_REF_NAME=${GITHUB_REF_NAME//\//-}" >> $GITHUB_ENV
+
+ - name: Run Trivy Filesystem Scan
+ id: scan
+ run: |
+ set -euo pipefail
+ echo "Running Trivy scan (HIGH/CRITICAL)..."
+ mkdir -p tmp
+ trivy fs --format json --severity HIGH,CRITICAL --output tmp/trivy.json .
+ [[ -f tmp/trivy.json ]] || echo '{"Results":[]}' > tmp/trivy.json
+ if ! jq -e '.Results and (.Results | length > 0)' tmp/trivy.json >/dev/null; then
+ echo "No scan results available — likely no supported files found."
+ echo "trivy_issues_found=false" >> "$GITHUB_OUTPUT"
+ exit 0
+ fi
+ count=$(jq -e '
+ (.Results // [])
+ | map(.Vulnerabilities? // [])
+ | add
+ | map(select(.Severity=="HIGH" or .Severity=="CRITICAL"))
+ | length
+ ' tmp/trivy.json)
+ if [[ "$count" -gt 0 ]]; then
+ echo "trivy_issues_found=true" >> "$GITHUB_OUTPUT"
+ else
+ echo "trivy_issues_found=false" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Upload Trivy Report
+ uses: actions/upload-artifact@v4
+ with:
+ name: trivy-json-${{ env.SAFE_REF_NAME }}
+ path: tmp/trivy.json
+
+ - name: Generate PR Body (if vulnerabilities found)
+ if: ${{ steps.scan.outputs.trivy_issues_found == 'true' }}
+ run: |
+ echo "# šŸ›”ļø Trivy Scan Report for branch \`${GITHUB_REF_NAME}\`" > tmp/pr-body.md
+ jq -r '
+ (.Results // [])
+ | .[]
+ | .Target as $file
+ | (.Vulnerabilities? 
// [])
+ | map(select(.Severity=="HIGH" or .Severity=="CRITICAL"))
+ | .[]
+ | "* File: \($file)\n • Vulnerability ID: \(.VulnerabilityID)\n • Pkg: \(.PkgName) \(.InstalledVersion)\n • Severity: \(.Severity)\n • Title: \(.Title)\n"
+ ' tmp/trivy.json >> tmp/pr-body.md
+
+ - name: Create Pull Request (if vulnerabilities found)
+ if: ${{ github.event_name == 'push' && steps.scan.outputs.trivy_issues_found == 'true' }}
+ uses: peter-evans/create-pull-request@v5
+ with:
+ commit-message: 'chore: vulnerabilities detected by Trivy (HIGH/CRITICAL)'
+ title: 'Trivy Vulnerability Report for branch ${{ github.ref_name }}'
+ body-path: tmp/pr-body.md
+ branch: auto/trivy-scan/${{ env.SAFE_REF_NAME }}
+ base: ${{ github.ref_name }}
+ delete-branch: true
+
+ - name: Fail Job If Vulnerabilities Found
+ if: ${{ steps.scan.outputs.trivy_issues_found == 'true' }}
+ run: exit 1
\ No newline at end of file
From 7734f6eebd33343eb50b2e62e44e2b66ad4908ee Mon Sep 17 00:00:00 2001
From: Harsh Srivastava
Date: Wed, 31 Dec 2025 16:26:27 +0530
Subject: [PATCH 4/5] changed branch
---
 .github/workflows/lint.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 5718f2b..e538bdd 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,7 +2,7 @@ name: Python Lint
 'on':
 push:
 branches:
- - main
+ - master
 - private/harsh/soc2-scan
 - private/soc2
 pull_request:
From 39f74d7f4301742bcc81a8924f4295e9929ed479 Mon Sep 17 00:00:00 2001
From: Harsh Srivastava
Date: Sat, 3 Jan 2026 20:02:49 +0530
Subject: [PATCH 5/5] changes in lint.yml file
---
 .github/workflows/lint.yml | 100 ++++++++++++++++------------
 .github/workflows/security-scan.yml | 1 -
 2 files changed, 59 insertions(+), 42 deletions(-)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index e538bdd..d27f24f 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
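Review bot: Neither `Create Pull Request (if vulnerabilities found)` step sets `add-paths`, and as far as I recall peter-evans/create-pull-request then stages every change in the working tree, so the untracked `tmp/bandit_output.json`, `tmp/trivy.json` and `tmp/pr-body.md` are committed into the `auto/*` branch and the PR; Bandit's JSON includes the flagged source lines, so the complete finding list lands in repository history instead of only in the short-lived artifact. Restrict the commit with `add-paths: tmp/pr-body.md`, or write a dedicated log as the earlier `.bandit-alert.log` step did, and keep the raw JSON as the uploaded artifact only. The `lint.yml` rewrite in patch 5 has the same shape and the same fix applies there.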
@@ -2,8 +2,7 @@ name: Python Lint
 'on':
 push:
 branches:
- - master
- - private/harsh/soc2-scan
+ - main
 - private/soc2
 pull_request:
@@ -23,50 +22,69 @@ jobs:
 name: Ruff Lint & Auto PR
 needs: setup
 runs-on: ubuntu-latest
+ outputs:
+ ruff-issues-found: ${{ steps.scan.outputs.ruff_issues_found }}
 permissions:
- contents: write
- pull-requests: write
+ contents: write
+ pull-requests: write

 steps:
- - name: Checkout code
- uses: actions/checkout@v3
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Set up Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: '${{ needs.setup.outputs.python-version }}'
+
+ - name: Install Ruff
+ run: pip install ruff
+
+ - name: Sanitize branch name
+ run: echo "SAFE_REF_NAME=${GITHUB_REF_NAME//\//-}" >> $GITHUB_ENV

- - name: Set up Python
- uses: actions/setup-python@v4
- with:
- python-version: ${{ needs.setup.outputs.python-version }}
+ - name: Run Ruff Lint Scan
+ id: scan
+ run: |
+ echo "Running Ruff lint scan..."
+ mkdir -p tmp
+ ruff check . --select E,F,I --output-format=json > tmp/ruff_output.json || true
+ echo -e "\nHuman-readable Ruff output:\n"
+ ruff check . --select E,F,I || true
+ cat tmp/ruff_output.json || echo "[]"
+
+ issue_count=$(jq 'length' tmp/ruff_output.json || echo 0)
+
+ if [[ "$issue_count" -gt 0 ]]; then
+ echo "ruff_issues_found=true" >> "$GITHUB_OUTPUT"
+ else
+ echo "ruff_issues_found=false" >> "$GITHUB_OUTPUT"
+ fi

- - name: Install Ruff
- run: pip install ruff
+ - name: Upload Ruff Report
+ uses: actions/upload-artifact@v4
+ with:
+ name: ruff-json-${{ env.SAFE_REF_NAME }}
+ path: tmp/ruff_output.json

- - name: Run Ruff
- id: ruff
- run: |
- echo "šŸ” Running Ruff Lint..."
- ruff check . 
--select E,F,I > ruff_output.txt || true
- cat ruff_output.txt
- if [ -s ruff_output.txt ]; then
- echo "ruff_issues=true" >> "$GITHUB_OUTPUT"
- else
- echo "ruff_issues=false" >> "$GITHUB_OUTPUT"
- fi
+ - name: Generate PR Body (if issues found)
+ if: ${{ steps.scan.outputs.ruff_issues_found == 'true' }}
+ run: |
+ echo "# Ruff Lint Report for branch \`${GITHUB_REF_NAME}\`" > tmp/pr-body.md
+ jq -r '.[] | "* File: \(.filename)\n • Line: \(.location.row)\n • Column: \(.location.column)\n • Rule: \(.code)\n • Message: \(.message)\n"' \
+ tmp/ruff_output.json >> tmp/pr-body.md

- - name: Create PR if Issues Found
- if: ${{ steps.ruff.outputs.ruff_issues == 'true' }}
- uses: peter-evans/create-pull-request@v5
- with:
- commit-message: 'chore: fix ruff lint issues'
- title: 'chore: Ruff Lint Issues Found'
- body: |
- ## āš ļø Ruff Lint Issues Found
- See `.ruff_output.txt` for full details.
- branch: auto/ruff-lint-issues
- base: atherton
- add-paths: |
- ruff_output.txt
+ - name: Create Pull Request (if issues found)
+ if: ${{ github.event_name == 'push' && steps.scan.outputs.ruff_issues_found == 'true' }}
+ uses: peter-evans/create-pull-request@v5
+ with:
+ commit-message: 'chore: Ruff lint issues detected'
+ title: 'Ruff Lint Report for branch ${{ github.ref_name }}'
+ body-path: tmp/pr-body.md
+ branch: auto/ruff-lint/${{ env.SAFE_REF_NAME }}
+ base: ${{ github.ref_name }}
+ delete-branch: true

- - name: Fail job if issues found
- if: ${{ steps.ruff.outputs.ruff_issues == 'true' }}
- run: |
- echo "āŒ Ruff lint issues found — failing job."
- exit 1
\ No newline at end of file
+ - name: Fail Job If Issues Found
+ if: ${{ steps.scan.outputs.ruff_issues_found == 'true' }}
+ run: exit 1
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index cfbf4f2..e6645e0 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
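Review bot: In `Run Ruff Lint Scan`, `ruff check ... --output-format=json > tmp/ruff_output.json || true` followed by `jq 'length' ... || echo 0` makes a ruff failure (empty or unparsable `tmp/ruff_output.json`) indistinguishable from zero findings, so the job goes green when the linter did not actually run; the Bandit step in `security-scan.yml` has the same shape. Ruff exits 1 when violations are found and 2 on abnormal termination, so capture the status instead of discarding it: `rc=0`, `ruff check . --select E,F,I --output-format=json > tmp/ruff_output.json || rc=$?`, `[[ "$rc" -le 1 ]] || { echo "ruff failed (rc=$rc)"; exit "$rc"; }`. The `Sanitize branch name` step also leaves `>> $GITHUB_ENV` unquoted while the scan step already quotes `"$GITHUB_OUTPUT"`; `>> "$GITHUB_ENV"` keeps the two consistent.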
@@ -3,7 +3,6 @@ name: Python Security scan
 push:
 branches:
 - master
- - private/harsh/soc2-scan
 - private/soc2
 pull_request: