fix: CI reports dir missing + detect-secrets flagging baseline finger… #2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ───────────────────────────────────────────────────────────────────────────── | |
| # DevSec Vault — Security Scanning Pipeline | |
| # Runs on every push and PR: | |
| # 1. Secret scanning with DevSec Vault (file + history) | |
| # 2. CodeQL static analysis | |
| # 3. Dependency vulnerability check (pip-audit) | |
| # 4. SARIF upload to GitHub Code Scanning | |
| # ───────────────────────────────────────────────────────────────────────────── | |
| name: Security | |
| on: | |
| push: | |
| branches: ["main", "develop"] | |
| pull_request: | |
| schedule: | |
| - cron: "0 3 * * 1" # Weekly Monday 03:00 UTC | |
| permissions: | |
| contents: read | |
| security-events: write # Required for SARIF upload | |
| jobs: | |
| # ── 1. Secret Scanning ──────────────────────────────────────────────────── | |
| secret-scan: | |
| name: Secret Scan (file + history) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout (full history) | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # Required for history scan | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.11" | |
| cache: "pip" | |
| - name: Install DevSec Vault dependencies | |
| run: pip install click rich | |
| - name: Create reports directory | |
| run: mkdir -p reports | |
| - name: Scan source files | |
| run: | | |
| python src/cli.py scan src/ \ | |
| --format json \ | |
| --output reports/file-scan.json \ | |
| --baseline .devsec-baseline.json \ | |
| --fail-on high | |
| continue-on-error: false | |
| - name: Scan git history (last 300 commits) | |
| run: | | |
| python src/cli.py history \ | |
| --max-commits 300 \ | |
| --format sarif \ | |
| --output reports/history-scan.sarif \ | |
| --baseline .devsec-baseline.json | |
| continue-on-error: true # Don't fail pipeline on pre-existing history findings | |
| - name: Upload SARIF (history scan) | |
| uses: github/codeql-action/upload-sarif@v4 | |
| if: always() && hashFiles('reports/history-scan.sarif') != '' | |
| with: | |
| sarif_file: reports/history-scan.sarif | |
| category: devsec-vault-history | |
| - name: Upload scan artifacts | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: scan-reports | |
| path: reports/ | |
| retention-days: 30 | |
| # ── 2. CodeQL Analysis ──────────────────────────────────────────────────── | |
| codeql: | |
| name: CodeQL (Python) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| actions: read | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v4 | |
| with: | |
| languages: python | |
| queries: security-and-quality | |
| - name: Autobuild | |
| uses: github/codeql-action/autobuild@v4 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v4 | |
| with: | |
| category: "/language:python" | |
| # ── 3. Dependency Audit ─────────────────────────────────────────────────── | |
| dependency-audit: | |
| name: Dependency Audit (pip-audit) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.11" | |
| - name: Install pip-audit | |
| run: pip install pip-audit | |
| - name: Create reports directory | |
| run: mkdir -p reports | |
| - name: Run pip-audit | |
| run: | | |
| pip-audit \ | |
| --requirement requirements.txt \ | |
| --format json \ | |
| --output reports/pip-audit.json \ | |
| --progress-spinner off || true | |
| continue-on-error: true | |
| - name: Upload audit report | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: dependency-audit | |
| path: reports/pip-audit.json | |
| retention-days: 30 | |
| # ── 4. Unit Tests ───────────────────────────────────────────────────────── | |
| test: | |
| name: Unit Tests | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.11" | |
| cache: "pip" | |
| - name: Install dependencies | |
| run: pip install click rich pytest | |
| - name: Run tests | |
| run: pytest tests/ -v --tb=short |