Security #41
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security | |
| on: | |
| schedule: | |
| - cron: '0 2 * * 1' # Weekly on Monday at 2am UTC | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| branches: [ main ] | |
| jobs: | |
| security-scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v3 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.10" | |
| - name: Install dependencies | |
| run: uv sync --dev | |
| - name: Run security audit | |
| run: | | |
| uv add --dev safety | |
| uv run safety check | |
| - name: Run Bandit security linter | |
| run: | | |
| uv add --dev bandit | |
| uv run bandit -r src/ -f json -o bandit-report.json || true | |
| uv run bandit -r src/ | |
| - name: Upload Bandit results | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: bandit-results | |
| path: bandit-report.json |