Add GitHub Action for automated security scanning
Browse files
.github/workflows/security-scan.yml
ADDED
|
@@ -0,0 +1,38 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
name: Security Scan & Auto-Guardian
|
| 2 |
+
|
| 3 |
+
on:
|
| 4 |
+
push:
|
| 5 |
+
branches: [ main, master ]
|
| 6 |
+
pull_request:
|
| 7 |
+
branches: [ main, master ]
|
| 8 |
+
|
| 9 |
+
jobs:
|
| 10 |
+
scan:
|
| 11 |
+
runs-on: ubuntu-latest
|
| 12 |
+
steps:
|
| 13 |
+
- uses: actions/checkout@v3
|
| 14 |
+
|
| 15 |
+
- name: Set up Python
|
| 16 |
+
uses: actions/setup-python@v4
|
| 17 |
+
with:
|
| 18 |
+
python-version: '3.11'
|
| 19 |
+
|
| 20 |
+
- name: Install dependencies
|
| 21 |
+
run: |
|
| 22 |
+
python -m pip install --upgrade pip
|
| 23 |
+
if [ -f core_system/requirements.txt ]; then pip install -r core_system/requirements.txt; fi
|
| 24 |
+
pip install bandit safety
|
| 25 |
+
|
| 26 |
+
- name: Run Security Scan (Bandit)
|
| 27 |
+
run: |
|
| 28 |
+
bandit -r core_system/ -f json -o security-report.json || true
|
| 29 |
+
|
| 30 |
+
- name: Run Dependency Check (Safety)
|
| 31 |
+
run: |
|
| 32 |
+
safety check || true
|
| 33 |
+
|
| 34 |
+
- name: Upload Scan Results
|
| 35 |
+
uses: actions/upload-artifact@v3
|
| 36 |
+
with:
|
| 37 |
+
name: security-reports
|
| 38 |
+
path: security-report.json
|