Security Scanning #76
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Scanning | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main, develop ] | |
| schedule: | |
| # Run security scans weekly on Mondays at 9 AM UTC | |
| - cron: '0 9 * * 1' | |
| jobs: | |
| bandit: | |
| name: Bandit Security Linter | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: "3.11" | |
| - name: Install bandit | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install bandit[toml]>=1.7.5 | |
| - name: Run Bandit | |
| run: | | |
| bandit -r genesisgraph/ -ll -f json -o bandit-report.json | |
| bandit -r genesisgraph/ -ll | |
| continue-on-error: false | |
| - name: Upload Bandit report | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: bandit-report | |
| path: bandit-report.json | |
| safety: | |
| name: Safety Dependency Scanner | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: "3.11" | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install safety>=2.3.5 | |
| pip install -e ".[cli]" | |
| - name: Run Safety check | |
| run: | | |
| safety check --json --output safety-report.json || true | |
| safety check | |
| continue-on-error: true | |
| - name: Upload Safety report | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: safety-report | |
| path: safety-report.json | |
| semgrep: | |
| name: Semgrep SAST | |
| runs-on: ubuntu-latest | |
| container: | |
| image: returntocorp/semgrep | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Run Semgrep | |
| run: | | |
| semgrep scan --config=auto --json --output=semgrep-report.json . || true | |
| semgrep scan --config=auto . | |
| continue-on-error: true | |
| - name: Upload Semgrep report | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: semgrep-report | |
| path: semgrep-report.json | |
| codeql: | |
| name: CodeQL Analysis | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: python | |
| queries: security-and-quality | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 | |
| security-summary: | |
| name: Security Scan Summary | |
| runs-on: ubuntu-latest | |
| needs: [bandit, safety, semgrep, codeql] | |
| if: always() | |
| steps: | |
| - name: Check security scan results | |
| run: | | |
| echo "Security scans completed" | |
| echo "Review individual job results for details" | |
| # Fail the workflow if Bandit found HIGH severity issues | |
| if [ "${{ needs.bandit.result }}" == "failure" ]; then | |
| echo "❌ Bandit found HIGH severity security issues" | |
| exit 1 | |
| fi | |
| echo "✅ All critical security checks passed" |