ci: add security scans
lengau committed Sep 23, 2024
1 parent b6fbbe9 commit 242cff2
Showing 10 changed files with 109 additions and 8 deletions.
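--- a/.github/workflows/deps-security-scan.yaml
+++ b/.github/workflows/deps-security-scan.yaml
@@ -0,0 +1,43 @@
+name: Dependencies security scan
+on:
+pull_request:
+paths:
+- "requiremests*.txt"
+- ".github/workflows/deps-security-scan.yaml"
+- "*.lock"
+- "pyproject.toml"
+
+jobs:
+security-scans:
+runs-on: [self-hosted, noble]
+steps:
+- name: Install tools
+run: |
+sudo snap install --no-wait osv-scanner trivy > ${{ runner.temp }}/snap.watch
+sudo snap install --no-wait --classic astral-uv >> ${{ runner.temp }}/snap.watch
+sudo apt-get update
+sudo apt-get --yes install python3-venv python3-build python-apt-dev
+xargs --arg-file=${{ runner.temp }}/snap.watch -n 1 snap watch
+- uses: actions/checkout@v4
+- name: Prepare venv
+run: |
+pyproject-build
+- name: Scan requirements with osv-scanner
+if: ${{ !cancelled() }}
+run: |
+ls -1 requirements*.txt | xargs -I{} osv-scanner --config=.osv-config.toml --lockfile=requirements.txt:{}
+- name: Scan source directory with osv-scanner
+if: ${{ !cancelled() }}
+run: osv-scanner --config=.osv-config.toml --recursive .
+- name: Scan requirements with trivy
+if: ${{ !cancelled() }}
+run: ls -1 requirements*.txt | xargs -n 1 trivy filesystem--ignorefile .trivyignore.yaml
+- name: Scan installed venv with trivy
+if: ${{ !cancelled() }}
+run: |
+uv venv
+uv pip install -r requirements-dev.txt -r requirements-noble.txt -e .[dev]
+trivy filesystem --ignorefile .trivyignore.yaml .venv
+- name: Scan distributable files with trivy
+if: ${{ !cancelled() }}
+run: ls -1 dist/* | xargs -n 1 trivy filesystem --ignorefile .trivyignore.yaml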
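Review bot: The first `pull_request.paths` entry is misspelled as `"requiremests*.txt"`, so edits to the requirements files this workflow exists to scan will never trigger it; it should read `- "requirements*.txt"`. The `Scan requirements with trivy` step is also missing a space in `trivy filesystem--ignorefile .trivyignore.yaml`, which trivy will treat as an unknown subcommand instead of scanning each file. Because the job runs build steps controlled by the PR (`pyproject-build`, `uv pip install ... -e .[dev]`) on a self-hosted runner, it is worth confirming that pull requests from forks cannot reach these runners without maintainer approval. A top-level `permissions:` block granting only `contents: read`, and pinning `actions/checkout@v4` to a full commit SHA, would further narrow the job's token scope and its action supply chain.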
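--- a/.github/workflows/security-scan.yaml
+++ b/.github/workflows/security-scan.yaml
@@ -0,0 +1,50 @@
+# # NOTE: This job is currently commented out, as the self-hosted runners don't have
+# # access to the internal security scanning API.
+#
+# name: Security Scan
+# on:
+# schedule:
+# - cron: "0 0 13 * *" # Midnight UTC on the 13th of the month
+# workflow_dispatch: # Allow manual run too.
+# push:
+# branches:
+# - work/secscan # Allow checks to happen on this branch for workflow development
+#
+# concurrency: # No concurrency for this workflow. We don't need to overload the server.
+# group: ${{ github.workflow }}
+# cancel-in-progress: true
+#
+# jobs:
+# standalone-secscan:
+# runs-on: [self-hosted, X64] # The client is currently only published for amd64
+# strategy:
+# max-parallel: 1 # We'll be queueing anyway, so only run one job at a time.
+# matrix:
+# scanner:
+# - blackduck
+# - osv
+# - trivy
+# channel:
+# - latest
+# - 3.x
+# - 2.x
+# steps:
+# - name: Begin snap install
+# id: snap-install
+# run: |
+# echo -n "secscan_snap=" >> "$GITHUB_OUTPUT"
+# sudo snap install --no-wait canonical-secscan-client >> "$GITHUB_OUTPUT"
+# - name: Download snaps
+# run: |
+# for arch in amd64 arm64 s390x ppc64el riscv64; do
+# for risk in stable candidate beta edge; do
+# UBUNTU_STORE_ARCH=${arch} snap download --channel=${{ matrix.channel }}/${risk} charmcraft
+# done
+# done
+# - name: Wait for snap
+# run: |
+# snap watch ${{ steps.snap-install.outputs.secscan_snap }}
+# sudo snap connect canonical-secscan-client:home system:home
+# - name: Scan channel ${{ matrix.channel }} with ${{ matrix.scanner }}
+# run: |
+# ls -1 *.snap | xargs -I {} secscan-client submit --scanner ${{ matrix.scanner }} --type package --format snap --wait-and-print {}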
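Review bot: Because every line of `security-scan.yaml` is commented out, the file parses as an empty document with no `on:` or `jobs:` keys, which GitHub is likely to surface as an invalid workflow in the Actions tab on every run listing. Until the self-hosted runners can reach the scanning API, keeping this draft outside `.github/workflows/` (or leaving it live with only a `workflow_dispatch` trigger) avoids that noise. The header note could then record where the draft lives and what unblocks re-enabling it.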
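--- a/.osv-config.toml
+++ b/.osv-config.toml
@@ -0,0 +1,4 @@
+[[IgnoredVulns]]
+id = "CVE-2024-35195"
+ignoreUntil = "2025-01-01T00:00:00Z"
+reason = "Needed for requests-unixsocket, which we're replacing with requests-unixsocket2"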
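Review bot: The `reason` for ignoring CVE-2024-35195 names the migration to requests-unixsocket2 but not where that work is tracked, so when `ignoreUntil` lapses on 2025-01-01 the finding will presumably resurface with no pointer to the outstanding change. Adding the tracking issue or PR reference to `reason` here, and to the matching `statement` in `.trivyignore.yaml`, keeps the exception auditable. The two files also duplicate the same expiry date, so a comment in each noting that they must be updated together would reduce the chance that only one scanner's ignore gets extended.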
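--- a/.trivyignore.yaml
+++ b/.trivyignore.yaml
@@ -0,0 +1,4 @@
+vulnerabilities:
+- id: CVE-2024-35195
+expired_at: "2025-01-01T00:00:00Z"
+statement: Needed for requests-unixsocket, which we're replacing with requests-unixsocket2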
2 changes: 1 addition & 1 deletion requirements-dev.txt
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ craft-archives==2.0.0
craft-cli==2.7.0
craft-grammar==2.0.0
craft-parts==2.1.1
craft-platforms==0.1.1
craft-platforms==0.3.0
craft-providers==2.0.1
craft-store==3.0.0
cryptography==43.0.1
2 changes: 1 addition & 1 deletion requirements.txt
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ craft-archives==2.0.0
craft-cli==2.7.0
craft-grammar==2.0.0
craft-parts==2.1.1
craft-platforms==0.1.1
craft-platforms==0.3.0
craft-providers==2.0.1
craft-store==3.0.0
cryptography==43.0.1
Original file line number Diff line number Diff line change
@@ -1 +1 @@
ops==2.5.1
ops==2.8.0
Original file line number Diff line number Diff line change
@@ -1 +1 @@
ops==2.5.1
ops==2.8.0
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
ops==2.5.1
ops==2.8.0
pyyaml==6.0.1
websocket-client==1.8.0
6 changes: 3 additions & 3 deletions tests/spread/dependencies/strict-dependencies/task.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,6 @@ execute: |
charmcraft pack --verbose
test -f charm*.charm
# This should be exactly version 2.5.1. Newer versions have been released,
# but are not valid. Non-strict dependencies would install ops 2.7.0 or newer.
unzip -p charm_*.charm venv/ops/version.py | MATCH "version = '2.5.1'"
# This should be exactly version 2.8.0. Newer versions have been released,
# but are not valid. Non-strict dependencies would install ops 2.10 or newer.
unzip -p charm_*.charm venv/ops/version.py | MATCH "version = '2.8.0'"
