mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-01-25 02:08:11 +00:00
c8fab497fd
Co-authored-by: Alan-TheGentleman <alan@thegentleman.dev> Co-authored-by: pedrooot <pedromarting3@gmail.com> Co-authored-by: Andoni A. <14891798+andoniaf@users.noreply.github.com>
82 lines
2.2 KiB
YAML
82 lines
2.2 KiB
YAML
name: 'SDK: Security'
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- 'master'
|
|
- 'v5.*'
|
|
pull_request:
|
|
branches:
|
|
- 'master'
|
|
- 'v5.*'
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
sdk-security-scans:
|
|
if: github.repository == 'prowler-cloud/prowler'
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 15
|
|
permissions:
|
|
contents: read
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
|
|
|
- name: Check for SDK changes
|
|
id: check-changes
|
|
uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
|
|
with:
|
|
files:
|
|
./**
|
|
.github/workflows/sdk-security.yml
|
|
files_ignore: |
|
|
.github/**
|
|
prowler/CHANGELOG.md
|
|
docs/**
|
|
permissions/**
|
|
api/**
|
|
ui/**
|
|
dashboard/**
|
|
mcp_server/**
|
|
skills/**
|
|
README.md
|
|
mkdocs.yml
|
|
.backportrc.json
|
|
.env
|
|
docker-compose*
|
|
examples/**
|
|
.gitignore
|
|
contrib/**
|
|
**/AGENTS.md
|
|
|
|
- name: Install Poetry
|
|
if: steps.check-changes.outputs.any_changed == 'true'
|
|
run: pipx install poetry==2.1.1
|
|
|
|
- name: Set up Python 3.12
|
|
if: steps.check-changes.outputs.any_changed == 'true'
|
|
uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
|
|
with:
|
|
python-version: '3.12'
|
|
cache: 'poetry'
|
|
|
|
- name: Install dependencies
|
|
if: steps.check-changes.outputs.any_changed == 'true'
|
|
run: poetry install --no-root
|
|
|
|
- name: Security scan with Bandit
|
|
if: steps.check-changes.outputs.any_changed == 'true'
|
|
run: poetry run bandit -q -lll -x '*_test.py,./contrib/,./api/,./ui' -r .
|
|
|
|
- name: Security scan with Safety
|
|
if: steps.check-changes.outputs.any_changed == 'true'
|
|
run: poetry run safety check -r pyproject.toml
|
|
|
|
- name: Dead code detection with Vulture
|
|
if: steps.check-changes.outputs.any_changed == 'true'
|
|
run: poetry run vulture --exclude "contrib,api,ui" --min-confidence 100 .
|