update security-scan.yaml

Author: AmberJBlue

.github/workflows/security-scan.yaml

@@ -1,89 +1,106 @@
 name: Security Scan
 
 on:
-  pull_request:
-    branches: [main]
   push:
     branches: [main]
+  pull_request:
+    branches: [main]
   workflow_dispatch:
 
-concurrency:
-  group: security-scan-${{ github.ref }}
-  cancel-in-progress: false
-
 jobs:
   trivy-scan:
-    name: Trivy Scan Report
+    name: Trivy
     runs-on: ubuntu-latest
     permissions:
       contents: read
       security-events: write
       actions: read
+
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          if [ -f pyproject.toml ]; then
+            pip install -e ".[dev]"
+          fi
 
       - name: Run Trivy vulnerability scan
         uses: aquasecurity/trivy-action@0.28.0
         with:
-          scan-type: fs
-          scan-ref: .
-          format: sarif
-          output: trivy-results.sarif
-          severity: CRITICAL,HIGH,MEDIUM,LOW
-          exit-code: 0
-          ignore-unfixed: false
-          vuln-type: os,library
+          scan-type: 'fs'
+          scan-ref: '.'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+          exit-code: '0'
+          
+      - name: Check for critical and high vulnerabilities
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          format: 'table'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'
 
-      - name: Upload SARIF
+      - name: Upload Trivy scan results to Security tab
         uses: github/codeql-action/upload-sarif@v3
         if: always()
         with:
-          sarif_file: trivy-results.sarif
-          category: trivy-security-scan
-
-  trivy-gate:
-    name: Trivy Gate
-    needs: trivy-scan
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v4
-      - name: Check for critical and high vulnerabilities
-        uses: aquasecurity/trivy-action@0.28.0
-        with:
-          scan-type: fs
-          scan-ref: .
-          format: table
-          severity: CRITICAL,HIGH
-          exit-code: 1
-          ignore-unfixed: false
-          vuln-type: os,library
+          sarif_file: 'trivy-results.sarif'
+          category: 'trivy-security-scan'
 
   bandit-scan:
     name: Bandit
     runs-on: ubuntu-latest
     permissions:
-      contents: read
       security-events: write
       actions: read
+      contents: read
+      checks: write
+
     steps:
       - uses: actions/checkout@v4
 
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
           python-version: "3.11"
+          cache: "pip"
+
+      - name: Create virtual environment
+        run: |
+          python -m pip install --upgrade pip
+          python -m venv .venv
+
+      - name: Install dependencies
+        run: |
+          source .venv/bin/activate
+          pip install -e ".[dev]"
+
+      - name: Install Bandit
+        run: |
+          source .venv/bin/activate
+          pip install bandit[sarif]
 
       - name: Run Bandit Security Scan
         uses: PyCQA/bandit-action@v1
         with:
           targets: "."
-          exclude: "tests,docs"
+          exclude: "tests"
 
-      - name: Upload Bandit SARIF to Security tab
-        if: always()
-        uses: github/codeql-action/upload-sarif@v3
+      - name: Upload SARIF as artifact
+        uses: actions/upload-artifact@v4
         with:
-          sarif_file: results.sarif
-          category: bandit-security-scan
+          name: bandit-sarif-results
+          path: results.sarif
+          retention-days: 30
+        continue-on-error: true