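---
# Security Scan workflow: static analysis of the package with Bandit plus
# dependency vulnerability audits with Safety and pip-audit.
# The three scanner steps are advisory (continue-on-error) and their
# reports are uploaded as an artifact; only the final gate step can fail
# the job, and it does so on Bandit HIGH findings or when the Bandit
# report is missing or unreadable.
name: Security Scan

on:
  push:
    branches: ['**']
  pull_request:
    branches: ['**']
  schedule:
    - cron: '0 0 * * 1'  # Weekly on Monday (00:00 UTC)

# Least privilege for GITHUB_TOKEN: the job only needs to read the
# repository; uploading a workflow artifact needs no write scope.
permissions:
  contents: read

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Install system dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y libhdf5-dev pkg-config

      - name: Install security tools
        # Scanner versions are unpinned, so results can change between
        # runs without any change to the repository; pin them when
        # reproducible scan output matters.
        run: |
          python -m pip install --upgrade pip wheel
          pip install bandit[toml] safety pip-audit

      - name: Run Bandit security scan
        # -ll reports MEDIUM severity and above. A non-zero exit here
        # (findings or a crash) does not fail the job; the gate step below
        # reads the JSON report and decides.
        run: |
          mkdir -p security-results
          bandit -r solarwindpy -ll -f json -o security-results/bandit-report.json
          bandit -r solarwindpy -ll -f txt -o security-results/bandit-report.txt
          bandit -r solarwindpy -ll  # Display to console
        continue-on-error: true

      - name: Run Safety check
        # NOTE(review): newer Safety releases deprecate `safety check` in
        # favour of `safety scan`; confirm against the installed version.
        run: |
          # Install pytables separately with verbose output for debugging
          pip install --verbose tables
          pip install -r requirements-dev.lock
          safety check --requirement requirements-dev.lock --json > security-results/safety-report.json
          safety check --requirement requirements-dev.lock --output text > security-results/safety-report.txt
          safety check --requirement requirements-dev.lock  # Display to console
        continue-on-error: true

      - name: Run pip-audit
        run: |
          pip-audit --requirement requirements-dev.lock --format json > security-results/pip-audit-report.json
          pip-audit --requirement requirements-dev.lock --format text > security-results/pip-audit-report.txt
          pip-audit --requirement requirements-dev.lock  # Display to console
        continue-on-error: true

      - name: Upload security reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-reports-${{ github.run_id }}
          path: security-results/
          retention-days: 90

      - name: Check for critical vulnerabilities
        # Gate step. Fails the job when Bandit reported any HIGH-severity
        # issue. Because the Bandit step is continue-on-error, a missing
        # or unparseable report means the scan did not complete; that is
        # treated as a failure too, instead of being printed and ignored.
        # Safety and pip-audit results are uploaded but not gated here.
        run: |
          python - <<'EOF'
          import json
          import sys

          REPORT = 'security-results/bandit-report.json'
          critical = False
          try:
              with open(REPORT) as f:
                  bandit = json.load(f)
          except (OSError, ValueError) as e:
              # FileNotFoundError is an OSError; JSONDecodeError is a ValueError.
              print(f'Could not read bandit report {REPORT}: {e}')
              critical = True
          else:
              high_severity = [r for r in bandit.get('results', [])
                               if r.get('issue_severity') == 'HIGH']
              if high_severity:
                  print(f'Found {len(high_severity)} high severity issues in Bandit scan')
                  critical = True
          if critical:
              sys.exit(1)
          EOF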