ci: optimize security scanning to only check changed files on push/PR
Added conditional logic to security-scanning.yml to scan only changed files during push/PR events while maintaining full scans for scheduled and manual runs. - Bandit now scans only modified Python files on push/PR using git diff - Secret scanning now checks only changed files on push/PR - Both tools still perform full repository scans on schedule/workflow_dispatch - Added early exit when no relevant files changed to avoid unnecessary processing
@@ -57,10 +57,26 @@ jobs:
|
|||||||
cd /var/lib/aitbc-workspaces/security-scan/repo
|
cd /var/lib/aitbc-workspaces/security-scan/repo
|
||||||
source venv/bin/activate
|
source venv/bin/activate
|
||||||
echo "=== Bandit Security Scan ==="
|
echo "=== Bandit Security Scan ==="
|
||||||
|
if [[ "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]]; then
|
||||||
bandit -r apps/ packages/py/ cli/ \
|
bandit -r apps/ packages/py/ cli/ \
|
||||||
-s B101,B311 \
|
-s B101,B311 \
|
||||||
--severity-level medium \
|
--severity-level medium \
|
||||||
-f txt -q
|
-f txt -q
|
||||||
|
else
|
||||||
|
mapfile -t python_files < <(git show --name-only --pretty="" --diff-filter=ACMR HEAD | grep -E '^((apps|cli)/.*|packages/py/.*)\.py$' || true)
|
||||||
|
|
||||||
|
if [[ ${#python_files[@]} -eq 0 ]]; then
|
||||||
|
echo "✅ No changed Python files to scan"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
printf '%s\n' "${python_files[@]}"
|
||||||
|
bandit \
|
||||||
|
-s B101,B311 \
|
||||||
|
--severity-level medium \
|
||||||
|
-f txt -q \
|
||||||
|
"${python_files[@]}"
|
||||||
|
fi
|
||||||
echo "✅ Bandit scan completed"
|
echo "✅ Bandit scan completed"
|
||||||
|
|
||||||
- name: Check for secrets
|
- name: Check for secrets
|
||||||
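Review bot: The changed-file list in the new `mapfile` line comes from `git show --name-only ... HEAD`, which only covers the single tip commit, so a push of several commits scans only the last one, and on a `pull_request` merge ref `git show` of the merge commit can list no files at all, in which case the step prints "No changed Python files to scan" and exits 0 without running Bandit. Diff against the event's base instead, e.g. `base="${{ github.event.pull_request.base.sha || github.event.before }}"` followed by `git diff --name-only --diff-filter=ACMR "$base" HEAD`, and guard the case where the base is unset or unreachable (a new branch, or a shallow checkout) by falling back to the full `bandit -r` scan rather than exiting 0. I cannot see the checkout step, so confirm it fetches enough history for that range to resolve. The enclosing `run:` script starts before this hunk.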
@@ -71,8 +87,21 @@ jobs:
|
|||||||
secret_matches=$(mktemp)
|
secret_matches=$(mktemp)
|
||||||
password_matches=$(mktemp)
|
password_matches=$(mktemp)
|
||||||
|
|
||||||
|
if [[ "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]]; then
|
||||||
grep -RInE "PRIVATE_KEY[[:space:]]*=[[:space:]]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy" > "$secret_matches" || true
|
grep -RInE "PRIVATE_KEY[[:space:]]*=[[:space:]]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy" > "$secret_matches" || true
|
||||||
grep -RInE "password[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" > "$password_matches" || true
|
grep -RInE "password[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" > "$password_matches" || true
|
||||||
|
else
|
||||||
|
mapfile -t changed_files < <(git show --name-only --pretty="" --diff-filter=ACMR HEAD | grep -E '^((apps|cli)/.*|packages/.*)$' || true)
|
||||||
|
|
||||||
|
if [[ ${#changed_files[@]} -eq 0 ]]; then
|
||||||
|
echo "✅ No changed files to scan for secrets"
|
||||||
|
rm -f "$secret_matches" "$password_matches"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
grep -InE "PRIVATE_KEY[[:space:]]*=[[:space:]]*['\"]" "${changed_files[@]}" 2>/dev/null | grep -v "example\|test\|mock\|dummy" > "$secret_matches" || true
|
||||||
|
grep -InE "password[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]" "${changed_files[@]}" 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" > "$password_matches" || true
|
||||||
|
fi
|
||||||
|
|
||||||
if [[ -s "$secret_matches" ]]; then
|
if [[ -s "$secret_matches" ]]; then
|
||||||
echo "❌ Possible secrets found"
|
echo "❌ Possible secrets found"
|
||||||
|
|||||||
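Review bot: The two new per-file `grep -InE ... "${changed_files[@]}"` lines omit the filename prefix whenever exactly one file changed, since grep only prints `path:line:` for multiple inputs, so the report that is presumably printed from `$secret_matches` later in the step (outside this hunk) will not say where the hit is; use `grep -HInE` so output is uniform with the `-R` branch. Note also that the trailing `grep -v "example\|test\|mock\|dummy"` is applied to the whole output line including that path prefix, so any hit in a file whose path merely contains "test" or "mock" (e.g. a `tests/` directory or a file named `latest.py`) is silently dropped; if that exclusion is meant for the matched content only, apply it after stripping the prefix or use `--exclude-dir` for the intended directories. This behaviour predates the change, but the new branch is a good place to fix it since it decides which files are scanned at all.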