name: 'API: Security' on: push: branches: - 'master' - 'v5.*' pull_request: branches: - 'master' - 'v5.*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true env: API_WORKING_DIR: ./api jobs: api-security-scans: runs-on: ubuntu-latest timeout-minutes: 15 permissions: contents: read strategy: matrix: python-version: - '3.12' defaults: run: working-directory: ./api steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Check for API changes id: check-changes uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0 with: files: | api/** .github/workflows/api-security.yml files_ignore: | api/docs/** api/README.md api/CHANGELOG.md - name: Setup Python with Poetry if: steps.check-changes.outputs.any_changed == 'true' uses: ./.github/actions/setup-python-poetry with: python-version: ${{ matrix.python-version }} working-directory: ./api - name: Bandit if: steps.check-changes.outputs.any_changed == 'true' run: poetry run bandit -q -lll -x '*_test.py,./contrib/' -r . - name: Safety if: steps.check-changes.outputs.any_changed == 'true' # 76352, 76353, 77323 come from SDK, but they cannot upgrade it yet. It does not affect API # TODO: Botocore needs urllib3 1.X so we need to ignore these vulnerabilities 77744,77745. Remove this once we upgrade to urllib3 2.X run: poetry run safety check --ignore 70612,66963,74429,76352,76353,77323,77744,77745 - name: Vulture if: steps.check-changes.outputs.any_changed == 'true' run: poetry run vulture --exclude "contrib,tests,conftest.py" --min-confidence 100 .