Skip to content

Code Scanning

Code Scanning #186

Workflow file for this run

name: Code Scanning
on:
workflow_dispatch: # run on request (no need for PR)
push:
branches:
- "develop"
- "releases/*"
schedule:
# every UTC 6PM from Mon to Fri
- cron: "0 18 * * 1-5"
# Declare default permissions as read only.
permissions: read-all
jobs:
Trivy-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set up Python
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: "3.10"
- name: Install dependencies
run: python -m pip install --require-hashes --no-deps -r .ci/piptools-deps.txt
- name: Freeze dependencies
run: pip-compile --extra=docs,base,mmlab,anomaly -o requirements.txt pyproject.toml
- name: Trivy Scanning
uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # 0.18.0
with:
trivy-config: ".ci/trivy.yaml"
scan-type: "fs"
scan-ref: .
scanners: vuln,secret
- name: Upload Trivy results artifact
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: trivy-results
path: "${{ github.workspace }}/trivy-results.csv"
Bandit:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set up Python
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: "3.10"
- name: Install dependencies
run: python -m pip install --require-hashes --no-deps -r .ci/tox-deps.txt
- name: Bandit Scanning
run: tox -e bandit-scan
- name: Upload Bandit artifact
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: bandit-report
path: .tox/bandit-report.txt
# Use always() to always run this step to publish scan results when there are test failures
if: ${{ always() }}