Add bandit, pip-audit and trivy to CI/CD security pipeline

This commit is contained in:
2026-04-04 17:24:43 -03:00
parent b3b3597011
commit fe7354554f
3 changed files with 56 additions and 2 deletions


@@ -42,7 +42,7 @@ jobs:
fi fi
docker: docker:
name: Build & push ${{ matrix.service }} name: Build, scan & push ${{ matrix.service }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: tag needs: tag
strategy: strategy:
@@ -76,6 +76,9 @@ jobs:
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Gitea container registry - name: Log in to Gitea container registry
uses: docker/login-action@v3 uses: docker/login-action@v3
with: with:
@@ -83,7 +86,26 @@ jobs:
username: ${{ secrets.REGISTRY_USER }} username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_TOKEN }} password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and push - name: Build image locally
uses: docker/build-push-action@v5
with:
context: templates/${{ matrix.service }}
load: true
push: false
tags: decnet-${{ matrix.service }}:scan
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Scan with Trivy
uses: aquasecurity/trivy-action@master
with:
image-ref: decnet-${{ matrix.service }}:scan
exit-code: "1"
severity: CRITICAL
ignore-unfixed: true
- name: Push image
if: success()
uses: docker/build-push-action@v5 uses: docker/build-push-action@v5
with: with:
context: templates/${{ matrix.service }} context: templates/${{ matrix.service }}
@@ -91,3 +113,4 @@ jobs:
tags: | tags: |
${{ env.REGISTRY }}/${{ env.OWNER }}/decnet-${{ matrix.service }}:latest ${{ env.REGISTRY }}/${{ env.OWNER }}/decnet-${{ matrix.service }}:latest
${{ env.REGISTRY }}/${{ env.OWNER }}/decnet-${{ matrix.service }}:v${{ needs.tag.outputs.version }} ${{ env.REGISTRY }}/${{ env.OWNER }}/decnet-${{ matrix.service }}:v${{ needs.tag.outputs.version }}
cache-from: type=gha
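Review bot: `uses: aquasecurity/trivy-action@master` in the new "Scan with Trivy" step (third hunk) is a mutable branch reference, so the code executing in this job changes whenever upstream pushes to master, and it runs after "Log in to Gitea container registry" has already written `secrets.REGISTRY_TOKEN` into the runner's Docker config; pin it to a release tag or, better, a full commit SHA, since the other actions in the job are at least on major-version tags. Moving the login step below the scan, so credentials exist only for the "Push image" step, would also shrink what a compromised or misbehaving scanner step can reach. `severity: CRITICAL` means HIGH findings never gate the build regardless of `ignore-unfixed`; if that is intended, a comment above the step such as `# only CRITICAL is gating — HIGH tracked in <issue placeholder>` keeps the next reader from tightening or loosening it by accident. `if: success()` on "Push image" is the default step behaviour and can be dropped. The `docker` job's steps begin in the second hunk and continue past this section's last hunk.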


@@ -0,0 +1,29 @@
name: Security
on:
push:
branches: [dev, testing]
jobs:
bandit:
name: SAST (bandit)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.11"
- run: pip install bandit
- run: bandit -r decnet/ -ll -x decnet/services/registry.py
pip-audit:
name: Dependency audit (pip-audit)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.11"
- run: pip install pip-audit
- run: pip install -e .
- run: pip-audit
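Review bot: `bandit -r decnet/ -ll -x decnet/services/registry.py` excludes an entire file from SAST with no recorded reason, so whatever finding motivated the exclusion, and anything added to that file later, is invisible to this job. Prefer suppressing the specific lines in the source with `# nosec <test-id>` and a justification, or at least add a comment above the step such as `# registry.py excluded: <reason> — revisit when <condition>` so the blind spot is deliberate and reviewable. `-ll` also drops low-severity results; if medium-and-above is the intended gate, the same comment should say so. Both jobs install the scanners unpinned (`pip install bandit`, `pip install pip-audit`), so a new scanner release can change results or break the job with no change in this repository — pinning (`pip install 'bandit==<version>'`) gives reproducible runs. The workflow triggers only on `push` to `dev` and `testing`, so findings surface after the code is already on those branches; whether a `pull_request` trigger is wanted depends on the branching model, which is not visible here.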


@@ -15,6 +15,8 @@ dependencies = [
"jinja2>=3.1", "jinja2>=3.1",
"pytest>=8.0", "pytest>=8.0",
"ruff>=0.4", "ruff>=0.4",
"bandit>=1.7",
"pip-audit>=2.0",
] ]
[project.scripts] [project.scripts]
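Review bot: `"bandit>=1.7"` and `"pip-audit>=2.0"` are added to the runtime `dependencies` list, so every `pip install` of the package — including any environment that only needs to run it — now pulls in both scanners and their dependency trees, which enlarges the installed footprint that pip-audit itself then has to audit. The list already carries `pytest` and `ruff`, so this follows the file's existing pattern, but the tooling set is now large enough that a `[project.optional-dependencies]` group (e.g. `dev = [...]`, installed with `pip install -e '.[dev]'`) would keep the runtime install minimal. If the runtime list is kept as is, the separate `pip install bandit` and `pip install pip-audit` steps in the new Security workflow become redundant with its `pip install -e .`. The `dependencies` array starts before this hunk.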