Security Scan #48
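# GitHub Actions workflow: runs Bandit and Safety against the project on every
# push/PR and on a weekly schedule. Indentation below is the canonical form of
# the rendered table on this page.
name: Security Scan

# Least privilege for GITHUB_TOKEN: every step only reads the repository and
# runs scanners, so nothing here needs write access.
permissions:
  contents: read

# NOTE: generic YAML 1.1 parsers read the `on` key as boolean `true`;
# GitHub's loader handles it, so leave the key as-is (yamllint: truthy).
on:
  push:
  pull_request:
  schedule:
    - cron: '0 0 * * 0' # Weekly

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      # Actions are referenced by major-version tag; for supply-chain
      # hardening consider pinning each `uses:` to a full-length commit SHA
      # and letting Dependabot move the pin.
      - uses: actions/checkout@v4

      # Match your project target
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.10'

      - name: Install Poetry
        run: |
          pipx install poetry
          poetry --version

      # (Optional) cache to speed up installs
      - name: Cache Poetry
        uses: actions/cache@v4
        with:
          path: |
            ~/.cache/pypoetry
            ~/.local/share/pypoetry
          key: ${{ runner.os }}-poetry-${{ hashFiles('**/poetry.lock') }}
          restore-keys: ${{ runner.os }}-poetry-

      # Install your project + dev tools in the Poetry venv
      - name: Install dependencies with Poetry
        run: |
          poetry install --with dev --no-interaction --no-ansi

      # Keep the venv's tooling up to date (reduces false positives)
      # NOTE: this also installs safety/pip-audit and their dependencies into
      # the same venv that the Safety step scans, so findings against those
      # tools' own dependencies will show up in the report.
      - name: Update security tooling in venv
        run: |
          poetry run python -m pip install --upgrade pip setuptools wheel
          poetry run python -m pip install --upgrade safety pip-audit

      # Bandit scans your source tree
      # Findings below medium severity or high confidence are filtered out.
      - name: Bandit (security linter)
        run: |
          poetry run bandit -r min_ratio_cycle/ --severity-level medium --confidence-level high

      # Safety scans the installed packages in the Poetry venv
      # NOTE(review): newer Safety releases deprecate `check` in favour of
      # `scan`; confirm against the version that `pip install --upgrade safety`
      # resolves to before relying on this step's exit code.
      - name: Safety (scan installed env)
        run: |
          poetry run safety check --full-report

      # pip-audit scans the installed packages in the Poetry venv
      # - name: pip-audit (strict)
      #   run: |
      #     poetry run pip-audit --strict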