-
Notifications
You must be signed in to change notification settings - Fork 0
399 lines (335 loc) · 11 KB
/
Copy pathsecurity.yml
File metadata and controls
399 lines (335 loc) · 11 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
name: Security Scan
on:
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
schedule:
# Run daily at 2 AM UTC
- cron: '0 2 * * *'
workflow_dispatch:
permissions:
contents: read
security-events: write
actions: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
env:
PYTHON_VERSION: "3.13"
UV_VERSION: "latest"
jobs:
dependency-review:
name: Dependency Review
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
timeout-minutes: 10
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v4
with:
fail-on-severity: moderate
deny-licenses: GPL-3.0, AGPL-3.0
comment-summary-in-pr: on-failure
bandit:
name: Bandit Security Scan
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install uv
uses: astral-sh/setup-uv@v4
with:
version: ${{ env.UV_VERSION }}
- name: Set up Python
run: uv python install ${{ env.PYTHON_VERSION }}
- name: Run bandit security scan
run: |
uv run --with "bandit[toml]" bandit -r ea_agentgate/ server/ \
-f json \
-o bandit-report.json \
--severity-level medium \
--confidence-level medium || true
- name: Generate bandit SARIF report
run: |
uv run --with "bandit[toml]" bandit -r ea_agentgate/ server/ \
-f sarif \
-o bandit-results.sarif \
--severity-level medium \
--confidence-level medium || true
- name: Upload bandit results to GitHub Security
uses: github/codeql-action/upload-sarif@v4
if: always() && hashFiles('bandit-results.sarif') != ''
with:
sarif_file: bandit-results.sarif
category: bandit
- name: Upload bandit report
uses: actions/upload-artifact@v4
if: always()
with:
name: bandit-report
path: bandit-report.json
retention-days: 30
safety:
name: Safety Vulnerability Scan
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install uv
uses: astral-sh/setup-uv@v4
with:
version: ${{ env.UV_VERSION }}
- name: Set up Python
run: uv python install ${{ env.PYTHON_VERSION }}
- name: Install dependencies
run: |
uv sync --extra all --extra enterprise --extra dev
- name: Run safety check
run: |
uv run --with safety safety check \
--json \
--output safety-report.json || true
- name: Display safety summary
if: always()
run: |
if [ -f safety-report.json ]; then
echo "## Safety Vulnerability Report" >> $GITHUB_STEP_SUMMARY
echo '```json' >> $GITHUB_STEP_SUMMARY
cat safety-report.json | head -50 >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
fi
- name: Upload safety report
uses: actions/upload-artifact@v4
if: always()
with:
name: safety-report
path: safety-report.json
retention-days: 30
pip-audit:
name: Pip Audit
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install uv
uses: astral-sh/setup-uv@v4
with:
version: ${{ env.UV_VERSION }}
- name: Set up Python
run: uv python install ${{ env.PYTHON_VERSION }}
- name: Export pinned runtime requirements
run: |
uv export \
--no-dev \
--extra server \
--no-editable \
--no-hashes \
-o requirements-audit-server.txt
- name: Run pip-audit
run: |
uv run --with pip-audit pip-audit \
--requirement requirements-audit-server.txt \
--no-deps \
--format json \
--output pip-audit-report.json \
--skip-editable \
--progress-spinner off || true
- name: Generate pip-audit summary
if: always()
run: |
if [ -f pip-audit-report.json ]; then
echo "## Pip Audit Report" >> $GITHUB_STEP_SUMMARY
echo '```json' >> $GITHUB_STEP_SUMMARY
cat pip-audit-report.json >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
fi
- name: Upload pip-audit report
uses: actions/upload-artifact@v4
if: always()
with:
name: pip-audit-report
path: pip-audit-report.json
retention-days: 30
trivy:
name: Trivy Filesystem Scan
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH,MEDIUM'
skip-dirs: 'tests,docs'
- name: Upload Trivy results to GitHub Security
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: trivy-results.sarif
category: trivy-fs
- name: Run Trivy with JSON output
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'json'
output: 'trivy-report.json'
severity: 'CRITICAL,HIGH,MEDIUM'
skip-dirs: 'tests,docs'
- name: Upload Trivy report
uses: actions/upload-artifact@v4
if: always()
with:
name: trivy-report
path: trivy-report.json
retention-days: 30
codeql:
name: CodeQL Analysis
runs-on: ubuntu-latest
timeout-minutes: 20
permissions:
security-events: write
actions: read
contents: read
strategy:
fail-fast: false
matrix:
language: ['python']
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
queries: security-extended,security-and-quality
- name: Autobuild
uses: github/codeql-action/autobuild@v4
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
with:
category: "/language:${{ matrix.language }}"
secret-scan:
name: Secret Scanning
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: TruffleHog Secret Scan
uses: trufflesecurity/trufflehog@main
continue-on-error: true
with:
path: ./
extra_args: --only-verified --json
semgrep:
name: Semgrep SAST
runs-on: ubuntu-latest
timeout-minutes: 15
container:
image: returntocorp/semgrep
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Run Semgrep
run: |
semgrep scan \
--config=auto \
--sarif \
--output=semgrep-results.sarif
continue-on-error: true
- name: Upload Semgrep results to GitHub Security
uses: github/codeql-action/upload-sarif@v4
if: always() && hashFiles('semgrep-results.sarif') != ''
with:
sarif_file: semgrep-results.sarif
category: semgrep
license-check:
name: License Compliance
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install uv
uses: astral-sh/setup-uv@v4
with:
version: ${{ env.UV_VERSION }}
- name: Set up Python
run: uv python install ${{ env.PYTHON_VERSION }}
- name: Install dependencies
run: |
uv sync --extra all --extra enterprise --extra dev
- name: Check licenses
run: |
uv run --with pip-licenses pip-licenses \
--format=json \
--output-file=licenses-report.json \
--with-urls \
--with-description
- name: Verify no GPL licenses
run: |
if grep -iE "GPL-3|AGPL" licenses-report.json; then
echo "::error::GPL/AGPL licenses found in dependencies"
exit 1
fi
- name: Upload license report
uses: actions/upload-artifact@v4
if: always()
with:
name: licenses-report
path: licenses-report.json
retention-days: 30
security-summary:
name: Security Summary
runs-on: ubuntu-latest
needs: [bandit, safety, pip-audit, trivy, codeql, secret-scan, semgrep, license-check]
if: always()
timeout-minutes: 5
steps:
- name: Download all reports
uses: actions/download-artifact@v4
continue-on-error: true
- name: Generate security summary
run: |
echo "# Security Scan Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "## Job Results" >> $GITHUB_STEP_SUMMARY
echo "- Bandit: ${{ needs.bandit.result }}" >> $GITHUB_STEP_SUMMARY
echo "- Safety: ${{ needs.safety.result }}" >> $GITHUB_STEP_SUMMARY
echo "- Pip Audit: ${{ needs.pip-audit.result }}" >> $GITHUB_STEP_SUMMARY
echo "- Trivy: ${{ needs.trivy.result }}" >> $GITHUB_STEP_SUMMARY
echo "- CodeQL: ${{ needs.codeql.result }}" >> $GITHUB_STEP_SUMMARY
echo "- Secret Scan: ${{ needs.secret-scan.result }}" >> $GITHUB_STEP_SUMMARY
echo "- Semgrep: ${{ needs.semgrep.result }}" >> $GITHUB_STEP_SUMMARY
echo "- License Check: ${{ needs.license-check.result }}" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Detailed reports are available in the workflow artifacts." >> $GITHUB_STEP_SUMMARY
- name: Check security status
run: |
if [[ "${{ needs.bandit.result }}" == "failure" ]] || \
[[ "${{ needs.safety.result }}" == "failure" ]] || \
[[ "${{ needs.pip-audit.result }}" == "failure" ]] || \
[[ "${{ needs.trivy.result }}" == "failure" ]] || \
[[ "${{ needs.codeql.result }}" == "failure" ]] || \
[[ "${{ needs.secret-scan.result }}" == "failure" ]] || \
[[ "${{ needs.semgrep.result }}" == "failure" ]] || \
[[ "${{ needs.license-check.result }}" == "failure" ]]; then
echo "::error::One or more security scans reported issues. Review the reports."
exit 1
else
echo "::notice::All security scans completed successfully"
fi