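# Snyk dependency scans for RAGStack.
#
# Two jobs run on a nightly schedule, on manual dispatch, and on pull requests
# that touch the listed dependency-relevant paths:
#   * snyk-ragstack-dev            - scans the checked-out working tree
#   * snyk-ragstack-latest-release - scans whatever `ragstack-ai` currently
#                                    resolves to from the package index
# Reports are uploaded to Testspace only for scheduled and manual runs.
name: CI - Security scans
# yamllint disable-line rule:truthy
on:
  workflow_dispatch: {}
  schedule:
    - cron: "0 0 * * *"
  # `pull_request` (not `pull_request_target`) is the safe trigger here: the
  # local composite actions under .github/actions are taken from the PR head,
  # and GitHub does not expose repository secrets to runs triggered from a
  # forked repository, so a fork PR cannot route SNYK_TOKEN through a modified
  # action. Such runs receive an empty token and the scan step fails; expected.
  pull_request:
    paths:
      - ".github/workflows/ci-security-scans.yml"
      - "scripts/**"
      - "docker/**"
      - "**/pyproject.toml"
      - ".snyk"
    branches:
      - main

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes to the
# repository, so do not inherit the repository-wide default. Widen per job if a
# local composite action turns out to need more (e.g. pull-requests: write).
permissions:
  contents: read

concurrency:
  group: ragstack-security-scans-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  snyk-ragstack-dev:
    name: Security Scan / RAGStack dev
    runs-on: ubuntu-latest
    steps:
      - name: Check out the repo
        # Supply-chain note: a major tag like `v4` is mutable. Pinning to the
        # full commit SHA of the release (with the tag in a trailing comment)
        # removes that trust dependency.
        uses: actions/checkout@v4
      - name: "Setup: Python 3.11"
        uses: ./.github/actions/setup-python
      - name: Run Snyk scan
        id: snyk
        uses: ./.github/actions/snyk-python-3.11
        with:
          token: ${{ secrets.SNYK_TOKEN }}
      - name: Move snyk vulnerabilities file
        # always(): the scan step is expected to exit non-zero when it finds
        # issues, and the report still has to be collected in that case.
        if: ${{ always() }}
        run: |
          # cleanup snyk scan docker resources
          sudo docker volume prune -f
          sudo docker system prune -f
          du -sh *
          # Quoted on purpose: an unquoted `poetry>=1.7.1` is parsed by the
          # shell as `poetry` plus a stdout redirect into a file named
          # `=1.7.1`, which silently drops the version constraint.
          # Presumably needed by the report-deploy action below - TODO confirm.
          python -m pip install 'poetry>=1.7.1'
          mkdir -p snyk_reports
          mv snyk-vuln.json snyk_reports/snyk-vuln.json
      - name: Testspace deploy report
        uses: ./.github/actions/deploy-testspace-report
        # Reports are only published for scheduled/manual runs, never for PRs.
        if: ${{ always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') }}
        with:
          report-type: snyk
          token: ${{ secrets.TESTSPACE_TOKEN }}
          report-file: snyk_reports
          space: "RAGStack security scans - RAGStack dev"

  snyk-ragstack-latest-release:
    name: Security Scan / RAGStack latest
    runs-on: ubuntu-latest
    steps:
      - name: Check out the repo
        # See the note on the dev job: consider pinning to a commit SHA.
        uses: actions/checkout@v4
      - name: Prepare requirements
        # Deliberately unpinned so the scan covers whatever the index serves as
        # the latest `ragstack-ai` release at run time.
        run: |
          echo "ragstack-ai" > requirements.txt
      - name: Run Snyk scan
        id: snyk
        uses: ./.github/actions/snyk-python-3.11
        with:
          token: ${{ secrets.SNYK_TOKEN }}
          args: --file=requirements.txt
      - name: Move snyk vulnerabilities file
        if: ${{ always() }}
        run: |
          mkdir -p snyk_reports
          mv snyk-vuln.json snyk_reports/snyk-vuln.json
      - name: "Setup: Python 3.11"
        # Python is only needed for the report upload, so it is gated on the
        # same condition as the deploy step.
        if: ${{ always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') }}
        uses: ./.github/actions/setup-python
      - name: Testspace deploy report
        uses: ./.github/actions/deploy-testspace-report
        if: ${{ always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') }}
        with:
          report-type: snyk
          token: ${{ secrets.TESTSPACE_TOKEN }}
          report-file: snyk_reports
          space: "RAGStack security scans - RAGStack latest"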