Skip to content

fix(ci): Update upload-artifact from deprecated v3 to v4 #68

fix(ci): Update upload-artifact from deprecated v3 to v4

fix(ci): Update upload-artifact from deprecated v3 to v4 #68

Workflow file for this run

name: Security Scanning
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main, develop ]
schedule:
# Run security scans weekly on Mondays at 9 AM UTC
- cron: '0 9 * * 1'
jobs:
bandit:
name: Bandit Security Linter
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: "3.11"
- name: Install bandit
run: |
python -m pip install --upgrade pip
pip install bandit[toml]>=1.7.5
- name: Run Bandit
run: |
bandit -r genesisgraph/ -ll -f json -o bandit-report.json
bandit -r genesisgraph/ -ll
continue-on-error: false
- name: Upload Bandit report
if: always()
uses: actions/upload-artifact@v4
with:
name: bandit-report
path: bandit-report.json
safety:
name: Safety Dependency Scanner
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: "3.11"
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install safety>=2.3.5
pip install -e ".[cli]"
- name: Run Safety check
run: |
safety check --json --output safety-report.json || true
safety check
continue-on-error: true
- name: Upload Safety report
if: always()
uses: actions/upload-artifact@v4
with:
name: safety-report
path: safety-report.json
semgrep:
name: Semgrep SAST
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep
steps:
- uses: actions/checkout@v4
- name: Run Semgrep
run: |
semgrep scan --config=auto --json --output=semgrep-report.json . || true
semgrep scan --config=auto .
continue-on-error: true
- name: Upload Semgrep report
if: always()
uses: actions/upload-artifact@v4
with:
name: semgrep-report
path: semgrep-report.json
codeql:
name: CodeQL Analysis
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: python
queries: security-and-quality
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
security-summary:
name: Security Scan Summary
runs-on: ubuntu-latest
needs: [bandit, safety, semgrep, codeql]
if: always()
steps:
- name: Check security scan results
run: |
echo "Security scans completed"
echo "Review individual job results for details"
# Fail the workflow if Bandit found HIGH severity issues
if [ "${{ needs.bandit.result }}" == "failure" ]; then
echo "❌ Bandit found HIGH severity security issues"
exit 1
fi
echo "✅ All critical security checks passed"