diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml new file mode 100644 index 0000000..48676ba --- /dev/null +++ b/.github/workflows/security.yml @@ -0,0 +1,53 @@ +name: Security Scanning + +on: + pull_request: + branches: [main, dev] + push: + branches: [main, dev] + schedule: + - cron: "0 0 * * 0" # Weekly on Sundays at midnight UTC + +jobs: + dependency-scan: + name: Dependency Vulnerability Scan + permissions: + contents: read + security-events: write + actions: read + uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.1 + with: + scan-args: |- + --lockfile=requirements.txt:./uv.lock + fail-on-vuln: false # Don't fail the build, just report findings + + code-scan: + name: Code Security Scan + runs-on: ubuntu-latest + + permissions: + contents: read + security-events: write # For uploading SARIF results + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Install uv + uses: astral-sh/setup-uv@v3 + + - name: Set up Python + run: uv python install 3.11 + + - name: Run Bandit security scan + run: | + uv tool install bandit[sarif] + uv tool run bandit -r src/ -f sarif -o bandit.sarif + continue-on-error: true # Don't fail the build, just report findings + + - name: Upload Bandit results to GitHub Security + uses: github/codeql-action/upload-sarif@v3 + if: always() # Upload even if scan found issues + with: + sarif_file: bandit.sarif + category: code-security diff --git a/README.md b/README.md index 463e372..987fae6 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,8 @@ A modern Python client library for accessing Geological Survey of Sweden (SGU) g [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) [![codecov](https://codecov.io/gh/officialankan/sgu-client/branch/main/graph/badge.svg)](https://codecov.io/gh/officialankan/sgu-client) [![Code style: ruff](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff) +[![security: bandit](https://img.shields.io/badge/security-bandit-yellow.svg)](https://github.com/PyCQA/bandit) +[![Security Scanning](https://github.com/officialankan/sgu-client/actions/workflows/security.yml/badge.svg)](https://github.com/officialankan/sgu-client/actions/workflows/security.yml) > This package is not affiliated with or endorsed by SGU.