Skip to content
Security & Dependency Check

Security & Dependency Check #7

Sign in to view logs

Security & Dependency Check

Security & Dependency Check #7

Workflow file for this run

.github/workflows/security.yml at 0fa070a
name: Security & Dependency Check
on:
push:
branches: [ main, master ]
pull_request:
branches: [ main, master ]
schedule:
# Run weekly on Monday at 3 AM UTC
- cron: '0 3 * * 1'
workflow_dispatch:
jobs:
security-check:
name: Security & Dependency Audit
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Install Poetry
uses: snok/install-poetry@v1
with:
version: latest
- name: Install dependencies
run: poetry install --no-interaction
- name: Check for security vulnerabilities with Safety
run: |
pip install safety
poetry export -f requirements.txt --without-hashes | safety check --stdin || true
continue-on-error: true
- name: Run Bandit security linter
run: |
pip install bandit
bandit -r simple_ado/ -f json -o bandit-report.json || true
continue-on-error: true
- name: Upload Bandit report
uses: actions/upload-artifact@v4
if: always()
with:
name: bandit-security-report
path: bandit-report.json
- name: Check Poetry lock file
run: poetry check --lock
- name: Audit dependencies with pip-audit
run: |
pip install pip-audit
poetry export -f requirements.txt --without-hashes | pip-audit -r /dev/stdin || true
continue-on-error: true
dependency-review:
name: Dependency Review
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v4
with:
fail-on-severity: moderate