forked from Traqora/astroml
-
Notifications
You must be signed in to change notification settings - Fork 0
131 lines (105 loc) · 3.77 KB
/
Copy pathsecurity.yml
File metadata and controls
131 lines (105 loc) · 3.77 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
name: Security Audit
on:
push:
branches: ["main", "master"]
pull_request:
branches: ["main", "master"]
schedule:
# Run weekly on Monday at 06:00 UTC to catch newly published CVEs.
- cron: "0 6 * * 1"
jobs:
# ---------------------------------------------------------------------------
# Python security tests (pytest)
# ---------------------------------------------------------------------------
python-security:
name: Python Security Tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.10"
cache: pip
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install pytest pytest-asyncio
if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
pip install -e .
- name: Run security test suite
run: |
pytest tests/test_security.py -v --tb=short
# ---------------------------------------------------------------------------
# Python dependency vulnerability scan (pip-audit)
# ---------------------------------------------------------------------------
pip-audit:
name: Python Dependency Audit (pip-audit)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.10"
cache: pip
- name: Install pip-audit
run: pip install pip-audit
- name: Audit requirements.txt
run: |
pip-audit -r requirements.txt --desc on --format columns
continue-on-error: false
- name: Audit requirements-minimal.txt (if present)
run: |
if [ -f requirements-minimal.txt ]; then
pip-audit -r requirements-minimal.txt --desc on --format columns
fi
continue-on-error: true
# ---------------------------------------------------------------------------
# Secret scanning — detect hard-coded credentials in source
# ---------------------------------------------------------------------------
secret-scan:
name: Secret Scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # full history required by some scanners
- name: Scan for hard-coded secrets (gitleaks)
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# ---------------------------------------------------------------------------
# Rust / Soroban contract security tests
# ---------------------------------------------------------------------------
rust-security:
name: Rust Contract Security Tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
with:
targets: wasm32-unknown-unknown
- name: Cache Rust build artefacts
uses: Swatinem/rust-cache@v2
- name: Run security tests
run: |
cargo test security -- --nocapture
- name: Run full test suite
run: |
cargo test -- --nocapture
# ---------------------------------------------------------------------------
# Rust dependency vulnerability scan (cargo-audit)
# ---------------------------------------------------------------------------
cargo-audit:
name: Rust Dependency Audit (cargo-audit)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
- name: Install cargo-audit
run: cargo install cargo-audit --locked
- name: Audit Cargo.lock
run: cargo audit