name: "API: Security" on: push: branches: - "master" - "v5.*" paths: - 'api/**' - '.github/workflows/api-tests.yml' - '.github/workflows/api-security.yml' - '.github/actions/setup-python-uv/**' - '.github/actions/osv-scanner/**' - '.github/scripts/osv-scan.sh' pull_request: branches: - "master" - "v5.*" concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true env: API_WORKING_DIR: ./api permissions: {} jobs: api-security-scans: runs-on: ubuntu-latest timeout-minutes: 15 permissions: contents: read pull-requests: write # osv-scanner action posts/updates a PR comment with findings strategy: matrix: python-version: - "3.12" defaults: run: working-directory: ./api steps: - name: Harden Runner uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: egress-policy: block allowed-endpoints: > pypi.org:443 files.pythonhosted.org:443 github.com:443 api.github.com:443 objects.githubusercontent.com:443 raw.githubusercontent.com:443 release-assets.githubusercontent.com:443 api.osv.dev:443 api.deps.dev:443 osv-vulnerabilities.storage.googleapis.com:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: # zizmor: ignore[artipacked] persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch - name: Check for API changes id: check-changes uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6 with: files: | api/** .github/workflows/api-security.yml .github/actions/osv-scanner/** .github/scripts/osv-scan.sh files_ignore: | api/docs/** api/README.md api/CHANGELOG.md api/AGENTS.md - name: Setup Python with uv if: steps.check-changes.outputs.any_changed == 'true' uses: ./.github/actions/setup-python-uv with: python-version: ${{ matrix.python-version }} working-directory: ./api - name: Bandit if: steps.check-changes.outputs.any_changed == 'true' # Exclude .venv because uv places the project venv inside ./api; otherwise # bandit would recurse into installed third-party packages. run: uv run bandit -q -lll -x '*_test.py,./contrib/,./.venv/' -r . - name: Dependency vulnerability scan with osv-scanner if: steps.check-changes.outputs.any_changed == 'true' uses: ./.github/actions/osv-scanner with: lockfile: api/uv.lock - name: Vulture # Run even when osv-scanner reports findings so dead-code signal isn't masked by SCA failures. if: ${{ !cancelled() && steps.check-changes.outputs.any_changed == 'true' }} run: uv run vulture --exclude "contrib,tests,conftest.py,.venv" --min-confidence 100 .