oib/aitbc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a2f84648ab442a7e030e61b2f856215f3f011edc
aitbc/.gitea/workflows/security-scanning.yml
aitbc a2f84648ab
Some checks failed
API Endpoint Tests / test-api-endpoints (push) Successful in 9s
Details
CLI Tests / test-cli (push) Failing after 6m49s
Details
Integration Tests / test-service-integration (push) Successful in 2m22s
Details
Package Tests / Python package - aitbc-agent-sdk (push) Failing after 26s
Details
Package Tests / Python package - aitbc-core (push) Failing after 10s
Details
Package Tests / Python package - aitbc-crypto (push) Failing after 5s
Details
Package Tests / Python package - aitbc-sdk (push) Failing after 2s
Details
Package Tests / JavaScript package - aitbc-sdk-js (push) Successful in 7s
Details
Package Tests / JavaScript package - aitbc-token (push) Successful in 16s
Details
Production Tests / Production Integration Tests (push) Failing after 1m21s
Details
Python Tests / test-python (push) Has been cancelled
Details
Security Scanning / security-scan (push) Failing after 13s
Details
Staking Tests / test-staking-service (push) Failing after 1m13s
Details
Staking Tests / test-staking-integration (push) Has been skipped
Details
Staking Tests / test-staking-contract (push) Has been skipped
Details
Staking Tests / run-staking-test-runner (push) Has been skipped
Details
ci: standardize Python venv setup across all workflows using setup-python-venv.sh script 
Replaced manual venv creation and pip install commands with calls to scripts/ci/setup-python-venv.sh across all CI workflows. The script provides consistent venv setup with configurable options for requirements installation, copy mode, and extra packages.

- Changed from manual `python3 -m venv` + `pip install` to setup-python-venv.sh in all workflows
- Added --skip-requirements flag where workflows don't need requirements
2026-04-19 21:05:26 +02:00

131 lines
4.7 KiB
YAML
Raw Blame History

name: Security Scanning
on:
push:
branches: [main, develop]
paths:
- 'apps/**'
- 'packages/**'
- 'cli/**'
- '.gitea/workflows/security-scanning.yml'
pull_request:
branches: [main, develop]
schedule:
- cron: '0 3 * * 1'
workflow_dispatch:
concurrency:
group: security-scanning-${{ github.ref }}
cancel-in-progress: true
jobs:
security-scan:
runs-on: debian
timeout-minutes: 15
steps:
- name: Clone repository
run: |
WORKSPACE="/var/lib/aitbc-workspaces/security-scan"
rm -rf "$WORKSPACE"
mkdir -p "$WORKSPACE"
cd "$WORKSPACE"
git clone --depth 2 http://gitea.bubuit.net:3000/oib/aitbc.git repo
cd repo
git fetch --depth 2 origin "${{ github.ref }}"
git checkout --detach FETCH_HEAD
- name: Setup tools
run: |
cd /var/lib/aitbc-workspaces/security-scan/repo
# Ensure standard directories exist
mkdir -p /var/lib/aitbc/data /var/lib/aitbc/keystore /etc/aitbc /var/log/aitbc
bash scripts/ci/setup-python-venv.sh \
--repo-dir "$PWD" \
--venv-dir "$PWD/venv" \
--skip-requirements \
--extra-packages "bandit pip-audit"
echo "✅ Security tools installed"
- name: Python dependency audit
run: |
cd /var/lib/aitbc-workspaces/security-scan/repo
source venv/bin/activate
echo "=== Dependency Audit ==="
pip-audit -r requirements.txt --desc
echo "✅ Dependency audit completed"
- name: Bandit security scan
run: |
cd /var/lib/aitbc-workspaces/security-scan/repo
source venv/bin/activate
echo "=== Bandit Security Scan ==="
if [[ "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]]; then
bandit -r apps/ packages/py/ cli/ \
-s B101,B311 \
--severity-level medium \
-f txt -q
else
mapfile -t python_files < <(git diff --name-only --diff-filter=ACMR HEAD^ HEAD | grep -E '^((apps|cli)/.*|packages/py/.*)\.py$' || true)
if [[ ${#python_files[@]} -eq 0 ]]; then
echo "✅ No changed Python files to scan"
exit 0
fi
printf '%s\n' "${python_files[@]}"
bandit \
-s B101,B311 \
--severity-level medium \
-f txt -q \
"${python_files[@]}"
fi
echo "✅ Bandit scan completed"
- name: Check for secrets
run: |
cd /var/lib/aitbc-workspaces/security-scan/repo
echo "=== Secret Detection ==="
# Simple pattern check for leaked secrets
secret_matches=$(mktemp)
password_matches=$(mktemp)
if [[ "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]]; then
grep -RInE "PRIVATE_KEY[[:space:]]*=[[:space:]]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy" > "$secret_matches" || true
grep -RInE "password[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" > "$password_matches" || true
else
mapfile -t changed_files < <(git diff --name-only --diff-filter=ACMR HEAD^ HEAD | grep -E '^((apps|cli)/.*|packages/.*)$' || true)
if [[ ${#changed_files[@]} -eq 0 ]]; then
echo "✅ No changed files to scan for secrets"
rm -f "$secret_matches" "$password_matches"
exit 0
fi
grep -InE "PRIVATE_KEY[[:space:]]*=[[:space:]]*['\"]" "${changed_files[@]}" 2>/dev/null | grep -v "example\|test\|mock\|dummy" > "$secret_matches" || true
grep -InE "password[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]" "${changed_files[@]}" 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" > "$password_matches" || true
fi
if [[ -s "$secret_matches" ]]; then
echo "❌ Possible secrets found"
cat "$secret_matches"
rm -f "$secret_matches" "$password_matches"
exit 1
fi
if [[ -s "$password_matches" ]]; then
echo "❌ Possible hardcoded passwords"
head -5 "$password_matches"
rm -f "$secret_matches" "$password_matches"
exit 1
fi
rm -f "$secret_matches" "$password_matches"
echo "✅ No hardcoded secrets detected"
- name: Cleanup
if: always()
run: rm -rf /var/lib/aitbc-workspaces/security-scan
Reference in New Issue View Git Blame Copy Permalink