-
Notifications
You must be signed in to change notification settings - Fork 444
72 lines (69 loc) · 2.69 KB
/
code_scan.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
name: Code Scanning
on:
workflow_dispatch: # run on request (no need for PR)
push:
branches:
- "develop"
- "releases/*"
schedule:
# every UTC 6PM from Mon to Fri
- cron: "0 18 * * 1-5"
# Declare default permissions as read only.
permissions: read-all
jobs:
Trivy-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- name: Set up Python
uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
with:
python-version: "3.10"
- name: Install dependencies
run: python -m pip install --require-hashes --no-deps -r .ci/requirements.txt
- name: Freeze dependencies
run: pip-compile --extra=docs,base,mmlab,anomaly -o requirements.txt pyproject.toml
- name: Trivy Scanning (spdx.json)
uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0
with:
trivy-config: ".ci/trivy-json.yaml"
scan-type: "fs"
scan-ref: .
- name: Trivy Scanning
uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0
with:
trivy-config: ".ci/trivy.yaml"
scan-type: "fs"
scan-ref: .
- name: Upload Trivy results artifact
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: trivy-results
path: "${{ github.workspace }}/trivy-results.*"
# Use always() to always run this step to publish scan results when there are test failures
if: ${{ always() }}
Bandit:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- name: Set up Python
uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
with:
python-version: "3.10"
- name: Install tox
run: |
python -m pip install --require-hashes --no-deps -r .ci/requirements.txt
pip-compile --generate-hashes --output-file=/tmp/requirements.txt --extra=ci_tox pyproject.toml
python -m pip install --require-hashes --no-deps -r /tmp/requirements.txt
rm /tmp/requirements.txt
- name: Bandit Scanning
run: tox -e bandit-scan
- name: Upload Bandit artifact
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: bandit-report
path: .tox/bandit-report.txt
# Use always() to always run this step to publish scan results when there are test failures
if: ${{ always() }}