basic-open-agent-tools/.github/workflows/security.yml at main · Open-Agent-Tools/basic-open-agent-tools · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
name: Security Scanning

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    # Run weekly on Sundays at 2 AM UTC
    - cron: '0 2 * * 0'

jobs:
  codeql:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: [ 'python' ]

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
        languages: ${{ matrix.language }}
        queries: security-extended,security-and-quality

    - name: Set up Python
      uses: actions/setup-python@v4
      with:
        python-version: '3.11'

    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
        python -m pip install -e ".[dev]"

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v3
      with:
        category: "/language:${{matrix.language}}"

  dependency-scan:
    name: Dependency Vulnerability Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Set up Python
      uses: actions/setup-python@v4
      with:
        python-version: '3.11'

    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
        python -m pip install -e ".[dev]"
        python -m pip install safety bandit[toml]

    - name: Run Safety check
      run: |
        safety check --json --output safety-report.json || true
        if [ -f safety-report.json ]; then
          echo "Safety vulnerabilities found - see report"
          cat safety-report.json
        fi

    - name: Run Bandit security linter
      run: |
        bandit -r src/ -f json -o bandit-report.json || true
        if [ -f bandit-report.json ]; then
          echo "Bandit security issues found - see report"
          cat bandit-report.json
        fi

    - name: Upload Security Reports
      uses: actions/upload-artifact@v4
      if: always()
      with:
        name: security-reports
        path: |
          safety-report.json
          bandit-report.json
        retention-days: 30

  license-check:
    name: License Compliance Check
    runs-on: ubuntu-latest

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Set up Python
      uses: actions/setup-python@v4
      with:
        python-version: '3.11'

    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
        python -m pip install -e ".[dev]"
        python -m pip install pip-licenses

    - name: Check licenses
      run: |
        pip-licenses --format=json --output-file=licenses.json
        pip-licenses --format=plain
        echo "License report saved to licenses.json"

    - name: Upload License Report
      uses: actions/upload-artifact@v4
      with:
        name: license-report
        path: licenses.json
        retention-days: 30