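# Security pipeline: lint -> (SAST, secret scan, dependency audit) -> tests -> SOC notification.
# Each scanning job gates the test job; the notification job runs regardless of outcome.
#
# NOTE(review): third-party actions below are pinned to major tags only. For a
# tamper-resistant supply chain, pin each `uses:` to a full commit SHA (with the
# tag in a trailing comment) and let Dependabot keep them current.
name: security-pipeline

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:

# Least privilege: the default GITHUB_TOKEN is read-only for every job. The one
# job that needs more (SARIF upload) requests it at job level below.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      # Exact version pin keeps lint results reproducible across runs.
      - run: pip install ruff==0.6.9
      - run: ruff check .

  sast:
    runs-on: ubuntu-latest
    needs: lint
    permissions:
      contents: read
      # Required by codeql-action/upload-sarif to publish results to code scanning.
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: returntocorp/semgrep-action@v1
        with:
          # Folded scalar: passed to semgrep as one space-separated list of
          # registry rulesets plus the repository's own rules file.
          config: >-
            p/default
            p/python
            p/flask
            .semgrep/rules.yml
          generateSarif: "1"
      # always(): findings are uploaded even when semgrep exits non-zero on a match,
      # so the failing run is still visible in the Security tab.
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: semgrep.sarif
          category: semgrep

  secrets:
    runs-on: ubuntu-latest
    needs: lint
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so leaked secrets in earlier commits are not missed.
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          # gitleaks-action reads the workflow event (e.g. PR commits) through the
          # API; the token is the read-only one granted by `permissions` above.
          # NOTE(review): PR commenting by the action would additionally need
          # `pull-requests: write` — confirm whether that feature is wanted.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_CONFIG: .gitleaks.toml

  dependencies:
    runs-on: ubuntu-latest
    needs: lint
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install pip-audit==2.7.3
      # --strict fails the job on any finding (including unfixable ones).
      - run: pip-audit -r requirements.txt --strict --desc

  test:
    runs-on: ubuntu-latest
    needs: [sast, secrets, dependencies]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install -r requirements-dev.txt
      - run: pytest --cov=app --cov-report=term-missing

  notify-soc:
    runs-on: ubuntu-latest
    # Depend on every gating job so a failed scan reaches the SOC as a failure;
    # with `needs: [test]` alone, a failed scan only showed up as a skipped test.
    needs: [sast, secrets, dependencies, test]
    if: always()
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      # NOTE(review): on pull_request events from forks repository secrets are
      # not available, so SHUFFLE_WEBHOOK_URL will be empty — confirm the script
      # treats that as a no-op rather than an error.
      - run: python scripts/notify_soc.py
        env:
          SHUFFLE_WEBHOOK_URL: ${{ secrets.SHUFFLE_WEBHOOK_URL }}
          # 'failure' when any upstream job failed; otherwise the test job's own
          # result (success / skipped / cancelled), as before.
          PIPELINE_STATUS: ${{ contains(needs.*.result, 'failure') && 'failure' || needs.test.result }}
          REPO: ${{ github.repository }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          COMMIT: ${{ github.sha }}
          ACTOR: ${{ github.actor }}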