deps: update sse-starlette requirement from <3.0,>=2.0 to >=2.0,<4.0 #6
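---
# Security scanning workflow: CodeQL (SAST), Trivy (container + filesystem
# vulnerabilities), SBOM generation and a build-provenance attestation.
#
# NOTE(review): every action below is pinned by tag (@v4, @v3, @0.28.0 ...),
# which is mutable. For supply-chain hardening, pin each `uses:` to a full
# commit SHA with the tag kept in a trailing comment; no SHAs are invented
# here, so that remains a follow-up.
name: Security

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Run weekly on Monday at 06:00 UTC
    - cron: "0 6 * * 1"

# Workflow-wide default token permissions (least privilege). Jobs that need
# more declare their own `permissions:` block, which replaces this one.
permissions:
  contents: read
  security-events: write

jobs:
  codeql:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    permissions:
      # Required by codeql-action/analyze to upload SARIF to the Security tab.
      security-events: write
      contents: read
    strategy:
      # Keep scanning the other language if one matrix leg fails.
      fail-fast: false
      matrix:
        language: [python, javascript]
    steps:
      - uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # `+` keeps the default query suite and adds security-extended.
          queries: +security-extended
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          # Distinct category per language so results are not overwritten.
          category: "/language:${{ matrix.language }}"

  trivy-image:
    name: Trivy Container Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build Docker image
        run: docker build -t formicos:scan .
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: "formicos:scan"
          format: "sarif"
          output: "trivy-results.sarif"
          severity: "CRITICAL,HIGH"
          # exit-code 0: findings never fail the job; they are only surfaced
          # in the Security tab via the upload step below. Set to "1" to
          # make CRITICAL/HIGH findings block the workflow.
          exit-code: "0"
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        # Upload even if the scanner step fails so partial results are visible.
        if: always()
        with:
          sarif_file: "trivy-results.sarif"

  trivy-fs:
    name: Trivy Filesystem Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy filesystem scanner
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: "fs"
          scan-ref: "."
          format: "sarif"
          output: "trivy-fs-results.sarif"
          severity: "CRITICAL,HIGH"
          # Same non-blocking policy as the container scan (see trivy-image).
          exit-code: "0"
      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: "trivy-fs-results.sarif"

  sbom:
    name: SBOM Generation
    runs-on: ubuntu-latest
    # Only generate SBOM on main branch pushes (release candidates)
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    permissions:
      # This job only checks out the repo and uploads a workflow artifact;
      # neither step writes to repository contents, so read is sufficient
      # (previously `write`, which was broader than needed).
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Generate SBOM with Syft
        uses: anchore/sbom-action@v0
        with:
          format: spdx-json
          output-file: sbom.spdx.json
      - name: Upload SBOM as artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.spdx.json
          retention-days: 90

  slsa-provenance:
    name: SLSA Provenance
    runs-on: ubuntu-latest
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    permissions:
      contents: read
      # id-token: OIDC token for Sigstore signing; attestations: store the
      # resulting attestation on the repository.
      id-token: write
      attestations: write
    steps:
      - uses: actions/checkout@v4
      - name: Build Docker image
        run: docker build -t formicos:provenance .
      - name: Generate provenance attestation
        uses: actions/attest-build-provenance@v2
        with:
          subject-name: formicos
          # NOTE(review): "sha256:placeholder" is not a real digest, so this
          # step does not attest the image built above. It must be replaced
          # by the digest of the published artifact (for an image, the
          # registry manifest digest) before the attestation is meaningful.
          subject-digest: "sha256:placeholder"
          push-to-registry: false
      # NOTE: Full SLSA provenance requires additional admin setup.
      # See docs/GITHUB_ADMIN_SETUP.md for the required configuration.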