aitbc/.gitea/workflows/security-scanning.yml
aitbc 3a5e8782ca
ci: fix venv activation in security scanning workflow
Changed from `source venv/bin/activate` to direct venv/bin/pip-audit and venv/bin/bandit calls to match the pattern used in other workflows for more reliable venv usage.
2026-04-19 21:21:49 +02:00


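name: Security Scanning

# Triggers: pushes and PRs to the main branches, a weekly scheduled run, and
# manual dispatch. Scheduled/manual runs scan the whole tree; push/PR runs
# scan only the files changed in the checked-out commit (see the steps below).
on:
  push:
    branches: [main, develop]
    paths:
      - 'apps/**'
      - 'packages/**'
      - 'cli/**'
      - '.gitea/workflows/security-scanning.yml'
  pull_request:
    branches: [main, develop]
  schedule:
    - cron: '0 3 * * 1'
  workflow_dispatch:

# One run per ref; a newer run for the same ref cancels the older one.
concurrency:
  group: security-scanning-${{ github.ref }}
  cancel-in-progress: true

jobs:
  security-scan:
    runs-on: debian
    timeout-minutes: 15
    steps:
      - name: Clone repository
        # The ref is handed to the shell through an env var instead of
        # expanding `${{ github.ref }}` inside `run:`. An expression inside
        # `run:` is substituted before bash parses the script, so a ref name
        # containing `$`, backticks or `$(...)` would be evaluated by the
        # shell; an environment variable is always a plain string.
        env:
          GIT_REF: ${{ github.ref }}
        run: |
          WORKSPACE="/var/lib/aitbc-workspaces/security-scan"
          rm -rf "$WORKSPACE"
          mkdir -p "$WORKSPACE"
          cd "$WORKSPACE"
          # NOTE(review): the clone is over plain http — confirm the runner and
          # the Gitea host share a trusted network path.
          # --depth 2 is the minimum that lets the scan steps diff HEAD^ HEAD.
          git clone --depth 2 http://gitea.bubuit.net:3000/oib/aitbc.git repo
          cd repo
          git fetch --depth 2 origin "$GIT_REF"
          git checkout --detach FETCH_HEAD

      - name: Setup tools
        run: |
          cd /var/lib/aitbc-workspaces/security-scan/repo
          # Ensure standard directories exist
          mkdir -p /var/lib/aitbc/data /var/lib/aitbc/keystore /etc/aitbc /var/log/aitbc
          # Only the scanners are installed into the venv; project requirements
          # are not installed (pip-audit reads requirements.txt in the next step).
          bash scripts/ci/setup-python-venv.sh \
            --repo-dir "$PWD" \
            --venv-dir "$PWD/venv" \
            --skip-requirements \
            --extra-packages "bandit pip-audit"
          echo "✅ Security tools installed"

      - name: Python dependency audit
        run: |
          cd /var/lib/aitbc-workspaces/security-scan/repo
          echo "=== Dependency Audit ==="
          # Fails the step on any known-vulnerable pinned dependency.
          venv/bin/pip-audit -r requirements.txt --desc
          echo "✅ Dependency audit completed"

      - name: Bandit security scan
        run: |
          cd /var/lib/aitbc-workspaces/security-scan/repo
          echo "=== Bandit Security Scan ==="
          # GITHUB_EVENT_NAME is the runner-provided env var for the event name;
          # using it avoids interpolating an expression into the shell script.
          if [[ "$GITHUB_EVENT_NAME" == "schedule" || "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then
            # Full-tree scan. B101 (assert used) and B311 (random module) are
            # skipped; only findings of medium severity or higher are reported.
            venv/bin/bandit -r apps/ packages/py/ cli/ \
              -s B101,B311 \
              --severity-level medium \
              -f txt -q
          else
            # HEAD^ HEAD covers only the checked-out commit: on a pull_request
            # run this is the PR's latest commit, not the whole PR range.
            mapfile -t python_files < <(git diff --name-only --diff-filter=ACMR HEAD^ HEAD | grep -E '^((apps|cli)/.*|packages/py/.*)\.py$' || true)
            if [[ ${#python_files[@]} -eq 0 ]]; then
              echo "✅ No changed Python files to scan"
              exit 0
            fi
            printf '%s\n' "${python_files[@]}"
            venv/bin/bandit \
              -s B101,B311 \
              --severity-level medium \
              -f txt -q \
              "${python_files[@]}"
          fi
          echo "✅ Bandit scan completed"

      - name: Check for secrets
        run: |
          cd /var/lib/aitbc-workspaces/security-scan/repo
          echo "=== Secret Detection ==="
          # Simple pattern check for leaked secrets
          secret_matches=$(mktemp)
          password_matches=$(mktemp)
          # The `grep -v` exclusions are applied to the whole `path:line:text`
          # output line, so a hit in any file whose *path* contains "test",
          # "example", "mock" or "dummy" is dropped as well as hits whose text
          # does. Treat a clean result as best-effort, not as proof.
          if [[ "$GITHUB_EVENT_NAME" == "schedule" || "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then
            grep -RInE "PRIVATE_KEY[[:space:]]*=[[:space:]]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy" > "$secret_matches" || true
            grep -RInE "password[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" > "$password_matches" || true
          else
            # Same single-commit scope as the Bandit step (HEAD^ HEAD).
            mapfile -t changed_files < <(git diff --name-only --diff-filter=ACMR HEAD^ HEAD | grep -E '^((apps|cli)/.*|packages/.*)$' || true)
            if [[ ${#changed_files[@]} -eq 0 ]]; then
              echo "✅ No changed files to scan for secrets"
              rm -f "$secret_matches" "$password_matches"
              exit 0
            fi
            grep -InE "PRIVATE_KEY[[:space:]]*=[[:space:]]*['\"]" "${changed_files[@]}" 2>/dev/null | grep -v "example\|test\|mock\|dummy" > "$secret_matches" || true
            grep -InE "password[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]" "${changed_files[@]}" 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" > "$password_matches" || true
          fi
          # Report only `path:line` for hits: echoing the matched text would
          # copy the candidate secret itself into the CI log.
          if [[ -s "$secret_matches" ]]; then
            echo "❌ Possible secrets found"
            cut -d: -f1,2 "$secret_matches"
            rm -f "$secret_matches" "$password_matches"
            exit 1
          fi
          if [[ -s "$password_matches" ]]; then
            echo "❌ Possible hardcoded passwords"
            head -5 "$password_matches" | cut -d: -f1,2
            rm -f "$secret_matches" "$password_matches"
            exit 1
          fi
          rm -f "$secret_matches" "$password_matches"
          echo "✅ No hardcoded secrets detected"

      - name: Cleanup
        if: always()
        run: rm -rf /var/lib/aitbc-workspaces/security-scan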