mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-05-06 08:47:18 +00:00
dependabot[bot]
1c64dd94e6
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.16.0 to 2.19.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594...8d3c67de8e2fe68ef647c8db1e6a09f647780f40) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.19.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
100 lines
2.8 KiB
YAML
100 lines
2.8 KiB
YAML
name: "API: Security"
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- "master"
|
|
- "v5.*"
|
|
paths:
|
|
- 'api/**'
|
|
- '.github/workflows/api-tests.yml'
|
|
- '.github/workflows/api-security.yml'
|
|
- '.github/actions/setup-python-poetry/**'
|
|
pull_request:
|
|
branches:
|
|
- "master"
|
|
- "v5.*"
|
|
paths:
|
|
- 'api/**'
|
|
- '.github/workflows/api-tests.yml'
|
|
- '.github/workflows/api-security.yml'
|
|
- '.github/actions/setup-python-poetry/**'
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
env:
|
|
API_WORKING_DIR: ./api
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
api-security-scans:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 15
|
|
permissions:
|
|
contents: read
|
|
strategy:
|
|
matrix:
|
|
python-version:
|
|
- "3.12"
|
|
defaults:
|
|
run:
|
|
working-directory: ./api
|
|
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
|
|
with:
|
|
egress-policy: block
|
|
allowed-endpoints: >
|
|
pypi.org:443
|
|
files.pythonhosted.org:443
|
|
github.com:443
|
|
auth.safetycli.com:443
|
|
pyup.io:443
|
|
data.safetycli.com:443
|
|
api.github.com:443
|
|
|
|
- name: Checkout repository
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
# zizmor: ignore[artipacked]
|
|
persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
|
|
|
|
- name: Check for API changes
|
|
id: check-changes
|
|
uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
|
|
with:
|
|
files: |
|
|
api/**
|
|
.github/workflows/api-security.yml
|
|
.safety-policy.yml
|
|
files_ignore: |
|
|
api/docs/**
|
|
api/README.md
|
|
api/CHANGELOG.md
|
|
api/AGENTS.md
|
|
|
|
- name: Setup Python with Poetry
|
|
if: steps.check-changes.outputs.any_changed == 'true'
|
|
uses: ./.github/actions/setup-python-poetry
|
|
with:
|
|
python-version: ${{ matrix.python-version }}
|
|
working-directory: ./api
|
|
update-lock: 'true'
|
|
|
|
- name: Bandit
|
|
if: steps.check-changes.outputs.any_changed == 'true'
|
|
run: poetry run bandit -q -lll -x '*_test.py,./contrib/' -r .
|
|
|
|
- name: Safety
|
|
if: steps.check-changes.outputs.any_changed == 'true'
|
|
# Accepted CVEs, severity threshold, and ignore expirations live in ../.safety-policy.yml
|
|
run: poetry run safety check --policy-file ../.safety-policy.yml
|
|
|
|
- name: Vulture
|
|
if: steps.check-changes.outputs.any_changed == 'true'
|
|
run: poetry run vulture --exclude "contrib,tests,conftest.py" --min-confidence 100 .
|