prowler/.github/workflows/api-security.yml
dependabot[bot] 41a7b19c7d build(deps): bump actions/checkout from 6.0.1 to 6.0.2 (#9936)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-13 09:46:40 +01:00


# Security checks for the API component. On pushes and pull requests that touch
# the API, the job runs Bandit (static analysis), Safety (known-vulnerable
# dependencies) and Vulture (unused code) from the ./api directory.
name: "API: Security"

on:
  push:
    branches:
      - "master"
      - "v5.*"
  pull_request:
    branches:
      - "master"
      - "v5.*"

# One active run per workflow and ref: a newer run cancels the one in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  # NOTE(review): no step visible in this file reads API_WORKING_DIR; the job
  # below sets ./api directly. Confirm whether it is still needed.
  API_WORKING_DIR: ./api

jobs:
  api-security-scans:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    # Least privilege: the job token can only read repository contents.
    permissions:
      contents: read
    strategy:
      matrix:
        python-version:
          - "3.12"
    defaults:
      run:
        working-directory: ./api
    steps:
      # Third-party actions are pinned to a full commit SHA (release tag kept in
      # the trailing comment), so a moved or re-pointed tag cannot change the
      # code that runs here.
      #
      # persist-credentials leaves the job token in the local git configuration
      # for every later step, including the ones that run project tooling
      # through Poetry. Its reach is bounded by the read-only `permissions`
      # block above; keep that block restrictive while this stays enabled.
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true  # Required by tj-actions/changed-files to fetch PR branch

      # Gate for the rest of the job: the scan steps run only when
      # `any_changed` is 'true', i.e. API sources or this workflow changed
      # (docs, README, changelog and AGENTS files are ignored).
      - name: Check for API changes
        id: check-changes
        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
        with:
          files: |
            api/**
            .github/workflows/api-security.yml
          files_ignore: |
            api/docs/**
            api/README.md
            api/CHANGELOG.md
            api/AGENTS.md

      # Local action, resolved from the checked-out tree: it runs whatever
      # version of the action the ref under test contains.
      - name: Setup Python with Poetry
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: ./.github/actions/setup-python-poetry
        with:
          python-version: ${{ matrix.python-version }}
          working-directory: ./api

      # -lll reports high-severity findings only; lower severities do not fail
      # the job. Test files and ./contrib/ are excluded from the scan.
      - name: Bandit
        if: steps.check-changes.outputs.any_changed == 'true'
        run: poetry run bandit -q -lll -x '*_test.py,./contrib/' -r .

      # The two ignored advisory IDs are accepted risk with a stated exit
      # condition; drop them from --ignore once the upgrade in the TODO lands.
      - name: Safety
        if: steps.check-changes.outputs.any_changed == 'true'
        # TODO: 79023 & 79027 knack ReDoS until `azure-cli-core` (via `cartography`) allows `knack` >=0.13.0
        run: poetry run safety check --ignore 79023,79027

      # --min-confidence 100 reports only code Vulture is certain is unused.
      - name: Vulture
        if: steps.check-changes.outputs.any_changed == 'true'
        run: poetry run vulture --exclude "contrib,tests,conftest.py" --min-confidence 100 .