chore(deps): bump the documentation group with 2 updates #439
| name: Security Scan | |
| on: | |
| push: | |
| branches: ['**'] | |
| pull_request: | |
| branches: ['**'] | |
| schedule: | |
| - cron: '0 0 * * 1' # Weekly on Monday | |
| jobs: | |
| security: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.12' | |
| - name: Install system dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y libhdf5-dev pkg-config | |
| - name: Install security tools | |
| run: | | |
| python -m pip install --upgrade pip wheel | |
| pip install bandit[toml] safety pip-audit | |
| - name: Run Bandit security scan | |
| run: | | |
| mkdir -p security-results | |
| bandit -r solarwindpy -ll -f json -o security-results/bandit-report.json | |
| bandit -r solarwindpy -ll -f txt -o security-results/bandit-report.txt | |
| bandit -r solarwindpy -ll # Display to console | |
| continue-on-error: true | |
| - name: Run Safety check | |
| run: | | |
| # Install pytables separately with verbose output for debugging | |
| pip install --verbose tables | |
| pip install -r requirements-dev.lock | |
| safety check --requirement requirements-dev.lock --json > security-results/safety-report.json | |
| safety check --requirement requirements-dev.lock --output text > security-results/safety-report.txt | |
| safety check --requirement requirements-dev.lock # Display to console | |
| continue-on-error: true | |
| - name: Run pip-audit | |
| run: | | |
| pip-audit --requirement requirements-dev.lock --format json > security-results/pip-audit-report.json | |
| pip-audit --requirement requirements-dev.lock --format text > security-results/pip-audit-report.txt | |
| pip-audit --requirement requirements-dev.lock # Display to console | |
| continue-on-error: true | |
| - name: Upload security reports | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: security-reports-${{ github.run_id }} | |
| path: security-results/ | |
| retention-days: 90 | |
| - name: Check for critical vulnerabilities | |
| run: | | |
| # Parse reports and fail if critical issues found | |
| python -c " | |
| import json | |
| import sys | |
| critical = False | |
| # Check bandit report | |
| try: | |
| with open('security-results/bandit-report.json') as f: | |
| bandit = json.load(f) | |
| high_severity = [r for r in bandit.get('results', []) | |
| if r.get('issue_severity') == 'HIGH'] | |
| if high_severity: | |
| print(f'Found {len(high_severity)} high severity issues in Bandit scan') | |
| critical = True | |
| except Exception as e: | |
| print(f'Could not parse bandit report: {e}') | |
| if critical: | |
| sys.exit(1) | |
| " |