bedrock-agentcore-sdk-python/.github/workflows/security-scanning.yml at main · aws/bedrock-agentcore-sdk-python · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
name: Security Scanning

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 2 * * 1'

permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  secret-scan:
    name: Secret Scanning
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      # Only TruffleHog - Gitleaks requires license
      - name: TruffleHog OSS
        uses: trufflesecurity/trufflehog@v3.94.0
        with:
          path: ./
          extra_args: --debug --only-verified

  # Skip CodeQL - requires GitHub Advanced Security
  bandit:
    name: Bandit Security Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: '3.10'

      - name: Install uv
        run: |
          curl -LsSf https://astral.sh/uv/install.sh | sh
          echo "$HOME/.local/bin" >> $GITHUB_PATH

      - name: Create virtual environment
        run: uv venv

      - name: Install Bandit
        run: uv pip install bandit[toml]

      - name: Run Bandit
        run: uv run bandit -r src/ -f json -o bandit-report.json || true

      - name: Upload Bandit results
        if: always()
        uses: actions/upload-artifact@v7
        with:
          name: bandit-results
          path: bandit-report.json

  safety:
    name: Safety Dependency Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: '3.10'

      - name: Install uv
        run: |
          curl -LsSf https://astral.sh/uv/install.sh | sh
          echo "$HOME/.local/bin" >> $GITHUB_PATH

      - name: Create virtual environment
        run: uv venv

      - name: Install dependencies with uv
        run: |
          uv sync
          uv pip install safety

      - name: Run Safety check
        run: |
          uv run safety check --json --output safety-report.json || true

      - name: Upload Safety results
        if: always()
        uses: actions/upload-artifact@v7
        with:
          name: safety-results
          path: safety-report.json