evanharmon1 is running Security Actions #27
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Test | |
| run-name: ${{ github.actor }} is running Security Actions | |
| on: [pull_request] | |
| jobs: | |
| secrets: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - run: echo "Triggered by a ${{ github.event_name }} event." | |
| - uses: actions/checkout@v4 | |
| # E.g., to check for my `~/Local/.secret` file | |
| - name: Custom check for secret files | |
| run: ./check_for_pattern.sh . "*secret*" | |
| - name: Force the installation of the required versions due to pip not being able to uninstall system packages | |
| run: | | |
| sudo pip install --ignore-installed typing_extensions==4.12.2 | |
| sudo pip install --ignore-installed PyYAML | |
| sudo pip install --ignore-installed jsonschema | |
| - name: Install Whispers | |
| run: sudo pip install whispers | |
| # Use whispers to check repo for unecrypted secrets, passwords, etc. | |
| - name: Run whispers | |
| run: whispers --config test/whisperConfig.yml --severity BLOCKER,CRITICAL . > /tmp/scan_output.json | |
| # Upload Artifacts | |
| - name: Upload the scan output | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: scan_results | |
| path: /tmp/scan_output.json | |
| retention-days: 7 | |
| sast-dependencies: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| # Node.js dependencies scan | |
| # Disabled since harmon-stack does not build a package.json file | |
| # - name: Setup Node.js | |
| # uses: actions/setup-node@v4 | |
| # with: | |
| # node-version: "22" | |
| # cache: "npm" | |
| # - name: Install Node dependencies | |
| # run: npm ci | |
| # - name: Run Snyk for Node.js | |
| # uses: snyk/actions/node@master | |
| # env: | |
| # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| # with: | |
| # command: test | |
| # args: > | |
| # --severity-threshold=high | |
| # --show-vulnerable-paths=all | |
| # Python dependencies scan | |
| - name: Setup Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: "3.9" | |
| - name: Install Python dependencies | |
| run: pip install -r requirements.txt | |
| - name: Run Snyk for Python | |
| uses: snyk/actions/python@master | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| with: | |
| command: test | |
| args: > | |
| --file=requirements.txt | |
| --severity-threshold=high | |
| --show-vulnerable-paths=all | |
| # Disabled since harmon-stack doesn not build a package.json file | |
| # sast-code: | |
| # runs-on: ubuntu-latest | |
| # steps: | |
| # - uses: actions/checkout@v4 | |
| # - name: Setup Node.js | |
| # uses: actions/setup-node@v4 | |
| # with: | |
| # node-version: "22" | |
| # cache: "npm" | |
| # - name: Install dependencies | |
| # run: npm ci | |
| # - name: Run Snyk to check for vulnerabilities | |
| # uses: snyk/actions/node@master | |
| # env: | |
| # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| # with: | |
| # command: code test | |
| # args: > | |
| # --severity-threshold=high | |
| # --json-file-output=snyk-code-test.json |