From 9cdb541609c0f0e62bc8646c5100883ec91859ab Mon Sep 17 00:00:00 2001
From: aitbc
Date: Sun, 19 Apr 2026 20:30:18 +0200
Subject: [PATCH] ci: optimize security scanning to only check changed files on push/PR

Added conditional logic to security-scanning.yml to scan only changed files during push/PR events while maintaining full scans for scheduled and manual runs.

- Bandit now scans only modified Python files on push/PR using git diff
- Secret scanning now checks only changed files on push/PR
- Both tools still perform full repository scans on schedule/workflow_dispatch
- Added early exit when no relevant files changed to avoid unnecessary processing
---
 .gitea/workflows/security-scanning.yml | 41 ++++++++++++++++++++++----
 1 file changed, 35 insertions(+), 6 deletions(-)

diff --git a/.gitea/workflows/security-scanning.yml b/.gitea/workflows/security-scanning.yml
index d90e1228..86f58931 100644
--- a/.gitea/workflows/security-scanning.yml
+++ b/.gitea/workflows/security-scanning.yml
@@ -57,10 +57,26 @@ jobs:
 cd /var/lib/aitbc-workspaces/security-scan/repo
 source venv/bin/activate
 echo "=== Bandit Security Scan ==="
- bandit -r apps/ packages/py/ cli/ \
- -s B101,B311 \
- --severity-level medium \
- -f txt -q
+ if [[ "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+ bandit -r apps/ packages/py/ cli/ \
+ -s B101,B311 \
+ --severity-level medium \
+ -f txt -q
+ else
+ mapfile -t python_files < <(git show --name-only --pretty="" --diff-filter=ACMR HEAD | grep -E '^((apps|cli)/.*|packages/py/.*)\.py$' || true)
+
+ if [[ ${#python_files[@]} -eq 0 ]]; then
+ echo "✅ No changed Python files to scan"
+ exit 0
+ fi
+
+ printf '%s\n' "${python_files[@]}"
+ bandit \
+ -s B101,B311 \
+ --severity-level medium \
+ -f txt -q \
+ "${python_files[@]}"
+ fi
 echo "✅ Bandit scan completed"
 - name: Check for secrets
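Review bot: The mapfile line derives the scan set from `git show --name-only … HEAD`, which lists only the files touched by the single HEAD commit, so on a push carrying several commits (or on a PR checkout whose HEAD is a merge commit, where `git show` lists just the files that differ from every parent) Python files changed earlier in the range are skipped, and the step then prints "No changed Python files to scan" and exits 0 without running Bandit at all. The commit message says the selection uses git diff, and that is what it should do: resolve the event's base revision (the push's before-SHA or the PR base) into a `BASE_SHA` variable and run `git diff --name-only --diff-filter=ACMR "$BASE_SHA"...HEAD`, taking the existing full `bandit -r apps/ packages/py/ cli/` branch whenever that base cannot be resolved, e.g. on a shallow checkout. The early `exit 0` should also log that the scan was narrowed by event type, so a green step is distinguishable from a clean full scan in the job output. The same HEAD-only selection is repeated in the secret-scan hunk below, where the gap means a credential committed earlier in the same push is never grepped until the next scheduled full run. The enclosing `run:` block starts before this hunk.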
@@ -71,8 +87,21 @@ jobs:
 secret_matches=$(mktemp)
 password_matches=$(mktemp)
- grep -RInE "PRIVATE_KEY[[:space:]]*=[[:space:]]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy" > "$secret_matches" || true
- grep -RInE "password[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" > "$password_matches" || true
+ if [[ "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+ grep -RInE "PRIVATE_KEY[[:space:]]*=[[:space:]]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy" > "$secret_matches" || true
+ grep -RInE "password[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" > "$password_matches" || true
+ else
+ mapfile -t changed_files < <(git show --name-only --pretty="" --diff-filter=ACMR HEAD | grep -E '^((apps|cli)/.*|packages/.*)$' || true)
+
+ if [[ ${#changed_files[@]} -eq 0 ]]; then
+ echo "✅ No changed files to scan for secrets"
+ rm -f "$secret_matches" "$password_matches"
+ exit 0
+ fi
+
+ grep -InE "PRIVATE_KEY[[:space:]]*=[[:space:]]*['\"]" "${changed_files[@]}" 2>/dev/null | grep -v "example\|test\|mock\|dummy" > "$secret_matches" || true
+ grep -InE "password[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]" "${changed_files[@]}" 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" > "$password_matches" || true
+ fi
 if [[ -s "$secret_matches" ]]; then
 echo "❌ Possible secrets found"