chore(deps)(deps): bump authlib from 1.6.5 to 1.6.12 #29
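---
# Security Audit workflow.
#
# Three independent scan jobs (dependency audit, SAST, secret scanning) feed an
# aggregate summary job that fails the run when any of them failed.
#
# NOTE(review): every action below is pinned to a mutable major tag (@v4, @v5,
# @v3, @v2). A security workflow is usually hardened by pinning to a full
# commit SHA with the tag kept in a trailing comment; no SHAs are recorded
# here, so the tags are left as-is.
name: Security Audit

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, develop]
    paths:
      - "requirements.txt"
      - "constraints.txt"
      - "app/**/*.py"
      - "worker/**/*.py"
      - ".github/workflows/security-audit.yml"
  pull_request:
    branches: [main, develop]
    paths:
      - "requirements.txt"
      - "constraints.txt"
      - "app/**/*.py"
      - "worker/**/*.py"
      - ".github/workflows/security-audit.yml"
  schedule:
    # Run weekly on Mondays at 9:00 AM UTC
    - cron: "0 9 * * 1"
  workflow_dispatch:

# GITHUB_TOKEN scopes for every job. `security-events: write` is required by
# the upload-sarif step.
# NOTE(review): no step in this file creates or comments on issues; confirm
# `issues: write` is actually needed (e.g. by gitleaks-action) and drop it
# otherwise, per least privilege.
permissions:
  contents: read
  security-events: write
  issues: write

jobs:
  dependency-audit:
    name: Audit Python Dependencies
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
          cache: "pip"

      - name: Install dependencies
        # NOTE(review): the scanners themselves are installed unpinned; pin
        # them (or keep them in a pinned tools requirements file) so scan
        # results are reproducible and the scanner install is not itself an
        # unreviewed supply-chain input.
        run: |
          python -m pip install --upgrade pip
          pip install pip-audit safety

      # pip-audit has no severity threshold: the gating run below fails on
      # ANY known vulnerability, not only high/critical ones. All three
      # invocations use the same vulnerability service so the markdown/JSON
      # reports describe the same findings that decide the step outcome.
      - name: Run pip-audit (fail on any known vulnerability)
        id: pip-audit
        # The outcome is evaluated by "Check results and fail if needed" so
        # the reports and artifacts are still produced first.
        continue-on-error: true
        run: |
          echo "## pip-audit Report" >> "$GITHUB_STEP_SUMMARY"
          pip-audit --requirement requirements.txt --vulnerability-service osv --desc --format markdown >> "$GITHUB_STEP_SUMMARY" || true
          # Generate JSON report (uploaded as an artifact below)
          pip-audit --requirement requirements.txt --vulnerability-service osv --format json --output pip-audit-report.json || true
          # Gating run: no "|| true", so its exit status becomes the step outcome
          pip-audit --requirement requirements.txt --vulnerability-service osv

      - name: Run Safety check
        id: safety
        continue-on-error: true
        run: |
          echo "## Safety Check Report" >> "$GITHUB_STEP_SUMMARY"
          # Note: Safety free version has limited JSON output
          # Run in text mode and capture output; the redirect always creates
          # the report file, so no existence check is needed.
          safety check --file requirements.txt > safety-report.txt 2>&1 || true
          echo '```' >> "$GITHUB_STEP_SUMMARY"
          cat safety-report.txt >> "$GITHUB_STEP_SUMMARY"
          echo '```' >> "$GITHUB_STEP_SUMMARY"
          # Check for vulnerabilities in output.
          # NOTE(review): this substring match may also hit Safety's
          # "no ... vulnerabilities" wording on a clean run; confirm against
          # a clean report before relying on the warning.
          if grep -iq "vulnerabilit" safety-report.txt; then
            echo "::warning::Safety detected potential vulnerabilities. Please review the report above."
          else
            echo "No known vulnerabilities found by Safety." >> "$GITHUB_STEP_SUMMARY"
          fi

      - name: Upload pip-audit results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: pip-audit-report
          path: pip-audit-report.json
          retention-days: 30

      # Fail the job only after reports and artifacts have been produced.
      - name: Check results and fail if needed
        if: steps.pip-audit.outcome == 'failure'
        run: |
          echo "::error::Known vulnerabilities detected by pip-audit. Review the pip-audit Report in the job summary."
          exit 1

  sast-analysis:
    name: SAST - Python Security Analysis
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Install bandit
        run: |
          python -m pip install --upgrade pip
          # Quoted so the shell does not treat [sarif] as a glob pattern
          pip install 'bandit[sarif]'

      # NOTE(review): both bandit invocations swallow the exit code, so SAST
      # findings never fail this job (or the summary job); they surface only
      # as code-scanning alerts and in the uploaded artifact. Drop the
      # "|| true" on the SARIF run if findings are meant to gate.
      - name: Run bandit security scan
        id: bandit
        continue-on-error: true
        run: |
          echo "## Bandit SAST Report" >> "$GITHUB_STEP_SUMMARY"
          # Run bandit and generate SARIF for GitHub Security (all severities)
          bandit -r app/ worker/ -f sarif -o bandit-results.sarif || true
          # Also run for human-readable output; -ll reports medium severity and above
          bandit -r app/ worker/ -ll -f txt > bandit-report.txt 2>&1 || true
          # Show summary: first 50 lines only, the full report is uploaded as an artifact.
          # The redirect above always creates the file, so no existence check is needed.
          echo '```' >> "$GITHUB_STEP_SUMMARY"
          head -50 bandit-report.txt >> "$GITHUB_STEP_SUMMARY"
          echo '```' >> "$GITHUB_STEP_SUMMARY"

      - name: Upload bandit SARIF to GitHub Security
        # Skip (rather than fail) when the scan never produced a SARIF file,
        # e.g. because the install step failed.
        if: always() && hashFiles('bandit-results.sarif') != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: bandit-results.sarif
          category: bandit-sast

      - name: Upload bandit report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: bandit-report
          path: |
            bandit-results.sarif
            bandit-report.txt
          retention-days: 30

  secret-scanning:
    name: Scan for Secrets
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Full history for gitleaks

      - name: Run Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_CONFIG: .gitleaks.toml

  security-summary:
    name: Security Summary
    runs-on: ubuntu-latest
    needs: [dependency-audit, sast-analysis, secret-scanning]
    if: always()
    # Job results are passed in through the environment instead of being
    # interpolated into the shell script. They are fixed enum values, but
    # keeping expressions out of `run:` is the idiom that avoids script
    # injection when a value is ever swapped for something less constrained.
    env:
      DEPENDENCY_AUDIT_RESULT: ${{ needs.dependency-audit.result }}
      SAST_ANALYSIS_RESULT: ${{ needs.sast-analysis.result }}
      SECRET_SCANNING_RESULT: ${{ needs.secret-scanning.result }}
    steps:
      - name: Summary
        run: |
          {
            echo "## Security Audit Complete"
            echo "- Dependency Audit: $DEPENDENCY_AUDIT_RESULT"
            echo "- SAST Analysis: $SAST_ANALYSIS_RESULT"
            echo "- Secret Scanning: $SECRET_SCANNING_RESULT"
          } >> "$GITHUB_STEP_SUMMARY"
          # Only "failure" fails the summary; cancelled/skipped upstream jobs
          # are reported but do not fail the run.
          for result in "$DEPENDENCY_AUDIT_RESULT" "$SAST_ANALYSIS_RESULT" "$SECRET_SCANNING_RESULT"; do
            if [[ "$result" == "failure" ]]; then
              echo "::error::Security checks failed. Please review the audit results."
              exit 1
            fi
          done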