Skip to content
Security Scans

Modernize FastAPI template with Azure Functions Python v2, Flex Consumption, and enhanced security #3

Sign in to view logs

Modernize FastAPI template with Azure Functions Python v2, Flex Consumption, and enhanced security

Modernize FastAPI template with Azure Functions Python v2, Flex Consumption, and enhanced security #3

Workflow file for this run

.github/workflows/security-scans.yml at 9e24509
name: Security Scans
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
schedule:
- cron: '0 0 * * 0' # Weekly scan
permissions:
actions: read
contents: read
security-events: write
jobs:
codeql:
name: CodeQL Analysis
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
language: [ 'python' ]
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
- name: Autobuild
uses: github/codeql-action/autobuild@v2
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
dependency-review:
name: Dependency Review
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v3
secret-scan:
name: Secret Scanning
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: 'trivy-results.sarif'
python-security:
name: Python Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.12'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install bandit[toml] safety
- name: Run Bandit security linter
run: |
bandit -r . -f json -o bandit-results.json || true
- name: Run Safety security scanner
run: |
safety check --json --output safety-results.json || true
- name: Upload security scan results
uses: actions/upload-artifact@v3
if: always()
with:
name: security-scan-results
path: |
bandit-results.json
safety-results.json