Merge pull request #3 from aws/dependabot/github_actions/softprops/ac… #7

Workflow file for this run

.github/workflows/security-scanning.yml at 00190d6

	name: Security Scanning

	on:
	push:
	branches: [ main ]
	pull_request:
	branches: [ main ]
	schedule:
	- cron: '0 2 * * 1'

	permissions:
	contents: read
	security-events: write
	actions: read

	jobs:
	secret-scan:
	name: Secret Scanning
	runs-on: ubuntu-latest
	steps:
	- name: Checkout code
	uses: actions/checkout@v4
	with:
	fetch-depth: 0

	# Only TruffleHog - Gitleaks requires license
	- name: TruffleHog OSS
	uses: trufflesecurity/[email protected]
	with:
	path: ./
	extra_args: --debug --only-verified

	# Skip CodeQL - requires GitHub Advanced Security
	bandit:
	name: Bandit Security Scan
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Set up Python
	uses: actions/setup-python@v5
	with:
	python-version: '3.10'

	- name: Install uv
	run: \|
	curl -LsSf https://astral.sh/uv/install.sh \| sh
	echo "$HOME/.local/bin" >> $GITHUB_PATH

	- name: Create virtual environment
	run: uv venv

	- name: Install Bandit
	run: uv pip install bandit[toml]

	- name: Run Bandit
	run: uv run bandit -r src/ -f json -o bandit-report.json \|\| true

	- name: Upload Bandit results
	if: always()
	uses: actions/upload-artifact@v4
	with:
	name: bandit-results
	path: bandit-report.json

	safety:
	name: Safety Dependency Check
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Set up Python
	uses: actions/setup-python@v5
	with:
	python-version: '3.10'

	- name: Install uv
	run: \|
	curl -LsSf https://astral.sh/uv/install.sh \| sh
	echo "$HOME/.local/bin" >> $GITHUB_PATH

	- name: Create virtual environment
	run: uv venv

	- name: Install dependencies with uv
	run: \|
	uv sync
	uv pip install safety

	- name: Run Safety check
	run: \|
	uv run safety check --json --output safety-report.json \|\| true

	- name: Upload Safety results
	if: always()
	uses: actions/upload-artifact@v4
	with:
	name: safety-results
	path: safety-report.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Merge pull request #3 from aws/dependabot/github_actions/softprops/ac… #7

Workflow file

Merge pull request #3 from aws/dependabot/github_actions/softprops/ac… #7

Uh oh!

Jobs

Run details

Workflow file for this run