Add enterprise compliance, plugins, CQRS, and event sourcing #51
| name: Security & Compliance Scan | |
| on: | |
| push: | |
| branches: [ main, master, develop ] | |
| pull_request: | |
| branches: [ main, master, develop ] | |
| schedule: | |
| # Run daily at 2 AM UTC | |
| - cron: '0 2 * * *' | |
| workflow_dispatch: # Allow manual trigger | |
| permissions: | |
| contents: read | |
| security-events: write # For uploading SARIF results | |
| jobs: | |
| trivy-scan: | |
| name: Trivy Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| severity: 'HIGH,CRITICAL' | |
| exit-code: '0' # Don't fail build, just report | |
| - name: Upload Trivy results to GitHub Security | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| - name: Run Trivy in table format | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| format: 'table' | |
| severity: 'HIGH,CRITICAL' | |
| exit-code: '0' | |
| python-security: | |
| name: Python Security Audit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.12' | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v5 | |
| with: | |
| enable-cache: true | |
| - name: Install dependencies | |
| run: | | |
| uv sync --group security | |
| - name: Run Bandit security linter | |
| run: | | |
| uv run bandit -c pyproject.toml -r src/ -f json -o bandit-report.json || true | |
| uv run bandit -c pyproject.toml -r src/ -f screen || true | |
| - name: Run Safety scan | |
| run: | | |
| uv run safety scan --output json > safety-report.json || true | |
| uv run safety scan || true | |
| - name: Run pip-audit | |
| run: | | |
| uv run pip-audit --format json --output pip-audit-report.json || true | |
| uv run pip-audit --desc || true | |
| - name: Generate SBOM | |
| run: | | |
| uv run cyclonedx-py environment -o sbom.json --of JSON --sv 1.5 || true | |
| - name: Upload SBOM artifact | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: sbom | |
| path: sbom.json | |
| if-no-files-found: ignore | |
| - name: Upload security reports | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: security-reports | |
| path: | | |
| bandit-report.json | |
| safety-report.json | |
| pip-audit-report.json | |
| if-no-files-found: ignore | |
| license-compliance: | |
| name: License Compliance Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.12' | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v5 | |
| with: | |
| enable-cache: true | |
| - name: Install dependencies | |
| run: | | |
| uv sync --group security | |
| - name: Check license compatibility | |
| run: | | |
| timeout 60 uv run licensecheck --format text || true | |
| - name: Generate license report | |
| run: | | |
| uv run pip-licenses --format=markdown --output-file=licenses.md || true | |
| - name: Upload license report | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: license-report | |
| path: licenses.md | |
| if-no-files-found: ignore |
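Review bot: The Trivy action is consumed from a mutable branch ref (`uses: aquasecurity/trivy-action@master`, in both steps of the trivy-scan job) while every other action in the file is pinned to a major tag; a push to that branch silently swaps out the scanner that produces the SARIF uploaded to the Security tab, and the `contents: read` token limits but does not remove what a compromised action could do in the job. Pin it to a full commit SHA and record the release in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # vX.Y.Z`, and consider the same treatment for the other actions so the pins are visible and updatable in one place. Separately, `exit-code: '0'` on both Trivy steps and the `|| true` on every `uv run` line mean no finding can fail the workflow, so a green check on a PR only shows that the scans executed; the inline comment on the first Trivy step suggests this is deliberate, so a one-line comment above `jobs:` such as `# Report-only: scanners upload findings but never fail the run` would keep the next reader from assuming it gates merges.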