From f9dba45d7a52c89150ba1d52436e749b1d977612 Mon Sep 17 00:00:00 2001 From: Ryan Leung Date: Tue, 8 Oct 2024 01:09:37 -0400 Subject: [PATCH 1/4] Add security workflow --- .github/workflows/security_scan.yml | 44 +++++++++++++++++++++++++++++ requirements.txt | 2 ++ 2 files changed, 46 insertions(+) create mode 100644 .github/workflows/security_scan.yml diff --git a/.github/workflows/security_scan.yml b/.github/workflows/security_scan.yml new file mode 100644 index 0000000..a0592f7 --- /dev/null +++ b/.github/workflows/security_scan.yml @@ -0,0 +1,44 @@ +name: Security Scan + +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + +jobs: + security_scan: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: '3.x' + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install -r requirements.txt + pip install safety bandit + + - name: Run Safety check + run: safety check -r requirements.txt + + - name: Run Bandit + run: bandit -r . -f custom + + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + if: always() + with: + sarif_file: 'trivy-results.sarif' diff --git a/requirements.txt b/requirements.txt index 70969cd..c4a1bda 100644 --- a/requirements.txt +++ b/requirements.txt @@ -5,3 +5,5 @@ requests setuptools pyinstaller torch +safety +bandit From 52313cc1739a7af88b16e631f63a06b0a8e31693 Mon Sep 17 00:00:00 2001 From: Ryan Leung Date: Tue, 8 Oct 2024 01:16:21 -0400 Subject: [PATCH 2/4] trivy --- .github/workflows/security_scan.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/security_scan.yml b/.github/workflows/security_scan.yml index a0592f7..cbad971 100644 --- a/.github/workflows/security_scan.yml +++ b/.github/workflows/security_scan.yml @@ -25,6 +25,7 @@ jobs: - name: Run Safety check run: safety check -r requirements.txt + continue-on-error: true - name: Run Bandit run: bandit -r . -f custom @@ -36,9 +37,11 @@ jobs: ignore-unfixed: true format: 'sarif' output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 if: always() with: sarif_file: 'trivy-results.sarif' + wait-for-processing: true From a654fdc6bd83e08411913bdb78f1da494fcba755 Mon Sep 17 00:00:00 2001 From: Ryan Leung Date: Tue, 8 Oct 2024 01:25:22 -0400 Subject: [PATCH 3/4] trivy --- .github/workflows/security_scan.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/security_scan.yml b/.github/workflows/security_scan.yml index cbad971..b1390d4 100644 --- a/.github/workflows/security_scan.yml +++ b/.github/workflows/security_scan.yml @@ -31,17 +31,15 @@ jobs: run: bandit -r . -f custom - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@0.20.0 with: scan-type: 'fs' ignore-unfixed: true format: 'sarif' output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' + severity: 'CRITICAL' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 - if: always() with: sarif_file: 'trivy-results.sarif' - wait-for-processing: true From 9a0eba7e234bf43045085d055071b3f91daf93fd Mon Sep 17 00:00:00 2001 From: Ryan Leung Date: Tue, 8 Oct 2024 01:28:40 -0400 Subject: [PATCH 4/4] continue-on-error --- .github/workflows/security_scan.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/security_scan.yml b/.github/workflows/security_scan.yml index b1390d4..ab7ebac 100644 --- a/.github/workflows/security_scan.yml +++ b/.github/workflows/security_scan.yml @@ -29,6 +29,7 @@ jobs: - name: Run Bandit run: bandit -r . -f custom + continue-on-error: true - name: Run Trivy vulnerability scanner in repo mode uses: aquasecurity/trivy-action@0.20.0