Skip to content

fix: CI reports dir missing + detect-secrets flagging baseline finger… #2

fix: CI reports dir missing + detect-secrets flagging baseline finger…

fix: CI reports dir missing + detect-secrets flagging baseline finger… #2

Workflow file for this run

# ─────────────────────────────────────────────────────────────────────────────
# DevSec Vault — Security Scanning Pipeline
# Runs on every push and PR:
# 1. Secret scanning with DevSec Vault (file + history)
# 2. CodeQL static analysis
# 3. Dependency vulnerability check (pip-audit)
# 4. SARIF upload to GitHub Code Scanning
# ─────────────────────────────────────────────────────────────────────────────
name: Security
on:
push:
branches: ["main", "develop"]
pull_request:
schedule:
- cron: "0 3 * * 1" # Weekly Monday 03:00 UTC
permissions:
contents: read
security-events: write # Required for SARIF upload
jobs:
# ── 1. Secret Scanning ────────────────────────────────────────────────────
secret-scan:
name: Secret Scan (file + history)
runs-on: ubuntu-latest
steps:
- name: Checkout (full history)
uses: actions/checkout@v4
with:
fetch-depth: 0 # Required for history scan
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
cache: "pip"
- name: Install DevSec Vault dependencies
run: pip install click rich
- name: Create reports directory
run: mkdir -p reports
- name: Scan source files
run: |
python src/cli.py scan src/ \
--format json \
--output reports/file-scan.json \
--baseline .devsec-baseline.json \
--fail-on high
continue-on-error: false
- name: Scan git history (last 300 commits)
run: |
python src/cli.py history \
--max-commits 300 \
--format sarif \
--output reports/history-scan.sarif \
--baseline .devsec-baseline.json
continue-on-error: true # Don't fail pipeline on pre-existing history findings
- name: Upload SARIF (history scan)
uses: github/codeql-action/upload-sarif@v4
if: always() && hashFiles('reports/history-scan.sarif') != ''
with:
sarif_file: reports/history-scan.sarif
category: devsec-vault-history
- name: Upload scan artifacts
uses: actions/upload-artifact@v4
if: always()
with:
name: scan-reports
path: reports/
retention-days: 30
# ── 2. CodeQL Analysis ────────────────────────────────────────────────────
codeql:
name: CodeQL (Python)
runs-on: ubuntu-latest
permissions:
security-events: write
actions: read
contents: read
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: python
queries: security-and-quality
- name: Autobuild
uses: github/codeql-action/autobuild@v4
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
with:
category: "/language:python"
# ── 3. Dependency Audit ───────────────────────────────────────────────────
dependency-audit:
name: Dependency Audit (pip-audit)
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Install pip-audit
run: pip install pip-audit
- name: Create reports directory
run: mkdir -p reports
- name: Run pip-audit
run: |
pip-audit \
--requirement requirements.txt \
--format json \
--output reports/pip-audit.json \
--progress-spinner off || true
continue-on-error: true
- name: Upload audit report
uses: actions/upload-artifact@v4
if: always()
with:
name: dependency-audit
path: reports/pip-audit.json
retention-days: 30
# ── 4. Unit Tests ─────────────────────────────────────────────────────────
test:
name: Unit Tests
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
cache: "pip"
- name: Install dependencies
run: pip install click rich pytest
- name: Run tests
run: pytest tests/ -v --tb=short