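# SDK CI: lint, static analysis and provider test suites for the prowler SDK.
# Test steps are gated per provider on tj-actions/changed-files so a PR only
# pays for the suites whose inputs changed.
name: SDK - Pull Request

on:
  push:
    branches:
      - "master"
      - "v3"
      - "v4.*"
      - "v5.*"
  # `pull_request` (not `pull_request_target`): fork PRs run with a read-only
  # token and without repository secrets, so untrusted code never sees them.
  pull_request:
    branches:
      - "master"
      - "v3"
      - "v4.*"
      - "v5.*"

# Least privilege for GITHUB_TOKEN. Nothing visible below writes to the repo
# (Codecov authenticates with its own CODECOV_TOKEN); if a step ever needs
# more, grant it on that job rather than widening this default.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Quoted so "3.10" does not parse as the float 3.1.
        python-version: ["3.9", "3.10", "3.11", "3.12"]
    steps:
      # Every third-party action is pinned to a full commit SHA (the tag is
      # only a comment). A mutable tag can be retargeted upstream to different
      # code; keep the SHA pins when bumping versions.
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Test if changes are in not ignored paths
        id: are-non-ignored-files-changed
        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: ./**
          # Paths that never affect the SDK build; api/ and ui/ have their own
          # pipelines.
          files_ignore: |
            .github/**
            docs/**
            permissions/**
            api/**
            ui/**
            prowler/CHANGELOG.md
            README.md
            mkdocs.yml
            .backportrc.json
            .env
            docker-compose*
            examples/**
            .gitignore

      - name: Install poetry
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
          python -m pip install --upgrade pip
          pipx install poetry==2.1.1

      # Runs after poetry is installed because `cache: "poetry"` needs it.
      - name: Set up Python ${{ matrix.python-version }}
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: ${{ matrix.python-version }}
          cache: "poetry"

      - name: Install dependencies
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
          poetry install --no-root
          poetry run pip list

      # NOTE(review): this fetches an unpinned, unverified binary from the
      # latest upstream release and executes it later in the job. Prefer a
      # pinned hadolint version plus a checksum comparison against a value
      # committed here. Until then, fail loudly instead of silently writing a
      # 404 page into /tmp/hadolint: `pipefail` surfaces a failed/rate-limited
      # API call, the empty-VERSION guard stops a bogus download URL, and
      # `--fail` makes curl exit non-zero on an HTTP error.
      - name: Install hadolint
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
          set -o pipefail
          VERSION=$(curl --silent --show-error --fail "https://api.github.com/repos/hadolint/hadolint/releases/latest" | \
            grep '"tag_name":' | \
            sed -E 's/.*"v([^"]+)".*/\1/' \
          )
          if [ -z "${VERSION}" ]; then
            echo "could not resolve latest hadolint version" >&2
            exit 1
          fi
          curl --silent --show-error --fail -L -o /tmp/hadolint \
            "https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64"
          chmod +x /tmp/hadolint

      - name: Poetry check
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
          poetry check --lock

      - name: Lint with flake8
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
          poetry run flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude contrib,ui,api

      # `--exclude` takes a single regex. The previous `--exclude api ui` passed
      # `ui` as a source path instead of excluding it; `api|ui` excludes both,
      # matching the flake8/bandit/vulture exclusions above and below.
      - name: Checking format with black
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
          poetry run black --exclude "api|ui" --check .

      # All W/C/R/E categories are disabled, so only fatal (F) messages —
      # e.g. import or parse failures — can fail this step.
      - name: Lint with pylint
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
          poetry run pylint --disable=W,C,R,E -j 0 -rn -sn prowler/

      # `-lll` reports high-severity findings only.
      - name: Bandit
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
          poetry run bandit -q -lll -x '*_test.py,./contrib/,./api/,./ui' -r .

      # NOTE(review): advisory 70612 is suppressed without a recorded reason.
      # Document the affected package and why it is accepted (or not
      # reachable) so the exception can be revisited when the dependency moves.
      - name: Safety
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
          poetry run safety check --ignore 70612 -r pyproject.toml

      - name: Vulture
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
          poetry run vulture --exclude "contrib,api,ui" --min-confidence 100 .

      - name: Dockerfile - Check if Dockerfile has changed
        id: dockerfile-changed-files
        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            Dockerfile

      # Dockerfile is not in files_ignore, so whenever this gate is true the
      # hadolint binary was installed above.
      - name: Hadolint
        if: steps.dockerfile-changed-files.outputs.any_changed == 'true'
        run: |
          /tmp/hadolint Dockerfile --ignore=DL3013

      # Provider suites: each runs only when its code, its tests, or the lock
      # file changed. Coverage is written to <provider>_coverage.xml and picked
      # up by the Codecov upload at the end.

      # Test AWS
      - name: AWS - Check if any file has changed
        id: aws-changed-files
        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/providers/aws/**
            ./tests/providers/aws/**
            ./poetry.lock
      - name: AWS - Test
        if: steps.aws-changed-files.outputs.any_changed == 'true'
        run: |
          poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws

      # Test Azure
      - name: Azure - Check if any file has changed
        id: azure-changed-files
        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/providers/azure/**
            ./tests/providers/azure/**
            ./poetry.lock
      - name: Azure - Test
        if: steps.azure-changed-files.outputs.any_changed == 'true'
        run: |
          poetry run pytest -n auto --cov=./prowler/providers/azure --cov-report=xml:azure_coverage.xml tests/providers/azure

      # Test GCP
      - name: GCP - Check if any file has changed
        id: gcp-changed-files
        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/providers/gcp/**
            ./tests/providers/gcp/**
            ./poetry.lock
      - name: GCP - Test
        if: steps.gcp-changed-files.outputs.any_changed == 'true'
        run: |
          poetry run pytest -n auto --cov=./prowler/providers/gcp --cov-report=xml:gcp_coverage.xml tests/providers/gcp

      # Test Kubernetes
      - name: Kubernetes - Check if any file has changed
        id: kubernetes-changed-files
        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/providers/kubernetes/**
            ./tests/providers/kubernetes/**
            ./poetry.lock
      - name: Kubernetes - Test
        if: steps.kubernetes-changed-files.outputs.any_changed == 'true'
        run: |
          poetry run pytest -n auto --cov=./prowler/providers/kubernetes --cov-report=xml:kubernetes_coverage.xml tests/providers/kubernetes

      # Test GitHub
      - name: GitHub - Check if any file has changed
        id: github-changed-files
        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/providers/github/**
            ./tests/providers/github/**
            ./poetry.lock
      - name: GitHub - Test
        if: steps.github-changed-files.outputs.any_changed == 'true'
        run: |
          poetry run pytest -n auto --cov=./prowler/providers/github --cov-report=xml:github_coverage.xml tests/providers/github

      # Test NHN
      - name: NHN - Check if any file has changed
        id: nhn-changed-files
        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/providers/nhn/**
            ./tests/providers/nhn/**
            ./poetry.lock
      - name: NHN - Test
        if: steps.nhn-changed-files.outputs.any_changed == 'true'
        run: |
          poetry run pytest -n auto --cov=./prowler/providers/nhn --cov-report=xml:nhn_coverage.xml tests/providers/nhn

      # Test M365
      - name: M365 - Check if any file has changed
        id: m365-changed-files
        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/providers/m365/**
            ./tests/providers/m365/**
            ./poetry.lock
      - name: M365 - Test
        if: steps.m365-changed-files.outputs.any_changed == 'true'
        run: |
          poetry run pytest -n auto --cov=./prowler/providers/m365 --cov-report=xml:m365_coverage.xml tests/providers/m365

      # Test IaC
      - name: IaC - Check if any file has changed
        id: iac-changed-files
        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/providers/iac/**
            ./tests/providers/iac/**
            ./poetry.lock
      - name: IaC - Test
        if: steps.iac-changed-files.outputs.any_changed == 'true'
        run: |
          poetry run pytest -n auto --cov=./prowler/providers/iac --cov-report=xml:iac_coverage.xml tests/providers/iac

      # Test MongoDB Atlas
      - name: MongoDB Atlas - Check if any file has changed
        id: mongodb-atlas-changed-files
        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          # Was `.poetry.lock` (a non-existent file), so dependency bumps never
          # re-ran this suite; now consistent with the other providers.
          files: |
            ./prowler/providers/mongodbatlas/**
            ./tests/providers/mongodbatlas/**
            ./poetry.lock
      - name: MongoDB Atlas - Test
        if: steps.mongodb-atlas-changed-files.outputs.any_changed == 'true'
        run: |
          poetry run pytest -n auto --cov=./prowler/providers/mongodbatlas --cov-report=xml:mongodb_atlas_coverage.xml tests/providers/mongodbatlas

      # Common Tests
      - name: Lib - Test
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
          poetry run pytest -n auto --cov=./prowler/lib --cov-report=xml:lib_coverage.xml tests/lib
      - name: Config - Test
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
          poetry run pytest -n auto --cov=./prowler/config --cov-report=xml:config_coverage.xml tests/config

      # Codecov
      # Provider reports only exist when that provider's suite ran, so some
      # of the listed files are routinely absent. iac and mongodb_atlas were
      # previously generated but never uploaded.
      - name: Upload coverage reports to Codecov
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
          flags: prowler
          files: ./aws_coverage.xml,./azure_coverage.xml,./gcp_coverage.xml,./kubernetes_coverage.xml,./github_coverage.xml,./nhn_coverage.xml,./m365_coverage.xml,./iac_coverage.xml,./mongodb_atlas_coverage.xml,./lib_coverage.xml,./config_coverage.xml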