From 4e2a8507dea4910e8fba7362ef77e496bcd1ce26 Mon Sep 17 00:00:00 2001 From: Alex Lowe Date: Wed, 25 Sep 2024 16:35:42 -0400 Subject: [PATCH 1/2] ci: add security scan workflow --- .github/workflows/security-scan.yaml | 20 ++++++++++++++++++++ osv-scanner.toml | 4 ++++ 2 files changed, 24 insertions(+) create mode 100644 .github/workflows/security-scan.yaml create mode 100644 osv-scanner.toml diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml new file mode 100644 index 000000000..b83d7e0c6 --- /dev/null +++ b/.github/workflows/security-scan.yaml @@ -0,0 +1,20 @@ +name: Security scan +on: + pull_request: + push: + branches: + - main + - hotfix/* + - work/secscan # For development + +jobs: + python-scans: + name: Scan Python project + uses: lengau/starflow/.github/workflows/scan-python.yaml@work/secscan + with: + packages: python-apt-dev + # 1. requirements-noble.txt can't build on jammy + # 2. Ignore requirements files in spread tests, as some of these intentionally + # contain vulnerable versions. + requirements-find-args: '! -name requirements-noble.txt ! -path "./tests/spread/*"' + osv-extra-args: '--config=source/osv-scanner.toml' diff --git a/osv-scanner.toml b/osv-scanner.toml new file mode 100644 index 000000000..17da2fac1 --- /dev/null +++ b/osv-scanner.toml @@ -0,0 +1,4 @@ +[[IgnoredVulns]] +id = "CVE-2024-35195" +ignoreUntil = "2025-01-01T00:00:00Z" +reason = "Needed for requests-unixsocket, which we're replacing with requests-unixsocket2" From 6ca7ba2d8eca4c50c95f1b3ab53f29494c44b85d Mon Sep 17 00:00:00 2001 From: Alex Lowe Date: Fri, 27 Sep 2024 09:48:21 -0400 Subject: [PATCH 2/2] chore: update for merge --- .github/workflows/security-scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml index b83d7e0c6..d0254ca2d 100644 --- a/.github/workflows/security-scan.yaml +++ b/.github/workflows/security-scan.yaml @@ -10,7 +10,7 @@ on: jobs: python-scans: name: Scan Python project - uses: lengau/starflow/.github/workflows/scan-python.yaml@work/secscan + uses: canonical/starflow/.github/workflows/scan-python.yaml@main with: packages: python-apt-dev # 1. requirements-noble.txt can't build on jammy