Add enterprise compliance, plugins, CQRS, and event sourcing #51

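---
# Security & Compliance scan.
#
# Three independent jobs: a Trivy filesystem scan (SARIF uploaded to the
# Code Scanning tab, plus a table copy in the log), a Python audit (bandit,
# safety, pip-audit, CycloneDX SBOM) and a license report. Every scanner is
# run with `|| true` / `exit-code: '0'`, so this workflow only *reports*
# findings (Code Scanning tab and artifacts) and never blocks a merge — that
# also means a scanner that is missing from the `security` dependency group
# fails silently; check the step logs when a report artifact is empty.
name: Security & Compliance Scan

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, master, develop]
  pull_request:
    branches: [main, master, develop]
  schedule:
    # Run daily at 2 AM UTC
    - cron: '0 2 * * *'
  workflow_dispatch: # Allow manual trigger

# Least privilege: the default token is read-only for every job. Only the job
# that uploads SARIF needs `security-events: write`, and it requests that
# itself below instead of every job inheriting it.
permissions:
  contents: read

jobs:
  trivy-scan:
    name: Trivy Security Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write # For uploading SARIF results
      # NOTE(review): upload-sarif documents `actions: read` as required on
      # private repositories — add it here if this repo is private.
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Nothing after checkout pushes or fetches, so do not leave the
          # token in .git/config where later third-party steps could read it.
          persist-credentials: false

      - name: Run Trivy vulnerability scanner
        # Pinned to a release tag rather than the mutable `master` branch so a
        # change (or compromise) of the upstream branch cannot silently alter
        # what runs here. Pinning to the tag's full commit SHA is stronger
        # still; Dependabot keeps either form current.
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'HIGH,CRITICAL'
          exit-code: '0' # Don't fail build, just report

      - name: Upload Trivy results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'

      - name: Run Trivy in table format
        # Same scan again, human-readable, so findings are visible in the log
        # without opening the Code Scanning tab.
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'table'
          severity: 'HIGH,CRITICAL'
          exit-code: '0'

  python-security:
    name: Python Security Audit
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Install uv
        uses: astral-sh/setup-uv@v5
        with:
          enable-cache: true

      - name: Install dependencies
        # The `security` dependency group (defined in pyproject.toml, not
        # here) is expected to provide bandit, safety, pip-audit and
        # cyclonedx-py.
        run: uv sync --group security

      - name: Run Bandit security linter
        # JSON report for the artifact, then a screen copy for the log.
        run: |
          uv run bandit -c pyproject.toml -r src/ -f json -o bandit-report.json || true
          uv run bandit -c pyproject.toml -r src/ -f screen || true

      - name: Run Safety scan
        # NOTE(review): recent Safety releases may require an account/API key
        # for `safety scan`; with `|| true` an auth failure is invisible here,
        # so verify the JSON report is actually populated.
        run: |
          uv run safety scan --output json > safety-report.json || true
          uv run safety scan || true

      - name: Run pip-audit
        run: |
          uv run pip-audit --format json --output pip-audit-report.json || true
          uv run pip-audit --desc || true

      - name: Generate SBOM
        # CycloneDX 1.5 JSON of the resolved environment (`uv sync` above).
        run: uv run cyclonedx-py environment -o sbom.json --of JSON --sv 1.5 || true

      - name: Upload SBOM artifact
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: sbom
          path: sbom.json
          if-no-files-found: ignore

      - name: Upload security reports
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: security-reports
          path: |
            bandit-report.json
            safety-report.json
            pip-audit-report.json
          if-no-files-found: ignore

  license-compliance:
    name: License Compliance Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Install uv
        uses: astral-sh/setup-uv@v5
        with:
          enable-cache: true

      - name: Install dependencies
        run: uv sync --group security

      - name: Check license compatibility
        # Bounded with `timeout` because licensecheck may query remote
        # metadata; a hang must not stall the whole job.
        run: timeout 60 uv run licensecheck --format text || true

      - name: Generate license report
        run: uv run pip-licenses --format=markdown --output-file=licenses.md || true

      - name: Upload license report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: license-report
          path: licenses.md
          if-no-files-found: ignore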