Merge pull request #16 from samet-akcay/feature/workflow

Workflow
samet-akcay · Nov 6, 2024 · 6c8127d · 6c8127d
2 parents bcc0b43 + c636783
commit 6c8127d
Show file tree

Hide file tree

Showing 17 changed files with 527 additions and 196 deletions.
diff --git a/.github/actions/linting/pre-commit/action.yaml b/.github/actions/linting/pre-commit/action.yaml
@@ -0,0 +1,14 @@
+name: "Pre-commit Checks"
+description: "Runs all pre-commit hooks"
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/setup-python@v4
+      with:
+        python-version: "3.11"
+
+    - run: |
+        python -m pip install --upgrade pip
+        pip install pre-commit
+        pre-commit run --all-files
+      shell: bash
diff --git a/.github/actions/linting/ruff/action.yaml b/.github/actions/linting/ruff/action.yaml
@@ -0,0 +1,14 @@
+name: "Ruff Linter"
+description: "Runs Ruff linting"
+inputs:
+  files:
+    description: "Files to check"
+    required: false
+    default: "."
+runs:
+  using: "composite"
+  steps:
+    - run: |
+        pip install ruff
+        ruff check ${{ inputs.files }}
+      shell: bash
diff --git a/.github/actions/linting/specific-hooks.yaml b/.github/actions/linting/specific-hooks.yaml
@@ -0,0 +1,39 @@
+name: Selected Pre-commit Hooks
+on:
+  workflow_call:
+    inputs:
+      hook_id:
+        required: true
+        type: string
+        description: "Specific pre-commit hook ID to run"
+      files:
+        required: false
+        type: string
+        description: "Files to run the hook against"
+        default: "."
+
+jobs:
+  run-hook:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+          cache: "pip"
+
+      - name: Install pre-commit
+        run: |
+          python -m pip install pre-commit
+          pre-commit install-hooks
+
+      - name: Load pre-commit cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pre-commit
+          key: pre-commit-${{ runner.os }}-${{ hashFiles('.pre-commit-config.yaml') }}
+
+      - name: Run specific hook
+        run: |
+          pre-commit run --show-diff-on-failure --color=always \
+            --files ${{ inputs.files }} ${{ inputs.hook_id }}
diff --git a/.github/actions/security/bandit/action.yaml b/.github/actions/security/bandit/action.yaml
@@ -0,0 +1,92 @@
+name: "Bandit Security Scan"
+description: "Runs Bandit security scanner with configurable options"
+
+inputs:
+  scan_scope:
+    description: "Scope of files to scan (all/changed)"
+    required: false
+    default: "changed"
+  paths:
+    description: "Paths to scan when using all scope"
+    required: false
+    default: "./src"
+  config_file:
+    description: "Path to pyproject.toml or custom bandit config"
+    required: false
+    default: "pyproject.toml"
+  severity_level:
+    description: "Minimum severity level to report"
+    required: false
+    default: "LOW"
+  confidence_level:
+    description: "Minimum confidence level to report"
+    required: false
+    default: "LOW"
+  output_format:
+    description: "Format for scan results (json/txt/html/csv)"
+    required: false
+    default: "json"
+  fail_on_findings:
+    description: "Whether to fail the action if issues are found"
+    required: false
+    default: "true"
+
+outputs:
+  scan_result:
+    description: "Exit code of the Bandit scan"
+    value: ${{ steps.run-bandit.outputs.exit_code }}
+  report_path:
+    description: "Path to the generated report file"
+    value: ${{ steps.run-bandit.outputs.report_path }}
+
+runs:
+  using: composite
+  steps:
+    - name: Set up Python
+      uses: actions/setup-python@v3
+      with:
+        python-version: "3.10"
+
+    - name: Install Bandit
+      shell: bash
+      run: |
+        python -m pip install --upgrade pip
+        pip install bandit
+
+    - name: Get changed files
+      if: inputs.scan_scope == 'changed'
+      id: changed-files
+      uses: tj-actions/changed-files@v41
+      with:
+        files: |
+          **/*.py
+          **/*.pyx
+          **/*.pyi
+
+    - name: Run Bandit scan
+      id: run-bandit
+      shell: bash
+      run: |
+        REPORT_FILE="bandit-report.${{ inputs.output_format }}"
+
+        if [[ "${{ inputs.scan_scope }}" == "changed" && -n "${{ steps.changed-files.outputs.all_changed_files }}" ]]; then
+          echo "Running Bandit on changed files"
+          FILES="${{ steps.changed-files.outputs.all_changed_files }}"
+        else
+          echo "Running Bandit on all files in ${{ inputs.paths }}"
+          FILES="${{ inputs.paths }}"
+        fi
+
+        bandit \
+          -c ${{ inputs.config_file }} \
+          -l ${{ inputs.severity_level }} \
+          -i ${{ inputs.confidence_level }} \
+          -f ${{ inputs.output_format }} \
+          -o "${REPORT_FILE}" \
+          -r ${FILES} || echo "exit_code=$?" >> $GITHUB_OUTPUT
+
+        echo "report_path=${REPORT_FILE}" >> $GITHUB_OUTPUT
+
+        if [[ "${{ inputs.fail_on_findings }}" == "true" && -n "$exit_code" && "$exit_code" != "0" ]]; then
+          exit $exit_code
+        fi
diff --git a/.github/actions/security/clamav/action.yaml b/.github/actions/security/clamav/action.yaml
@@ -0,0 +1,15 @@
+name: "ClamAV Virus Scan"
+description: "Runs ClamAV virus scanning"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install ClamAV
+      shell: bash
+      run: |
+        sudo apt-get update
+        sudo apt-get install clamav clamav-daemon
+        sudo freshclam
+    - name: Run ClamAV scan
+      shell: bash
+      run: clamscan --recursive --infected .
diff --git a/.github/actions/security/trivy/action.yaml b/.github/actions/security/trivy/action.yaml
@@ -0,0 +1,26 @@
+name: "Trivy Security Scan"
+description: "Runs Trivy security scanner"
+
+inputs:
+  severity:
+    description: "Severity levels to scan for"
+    required: false
+    default: "CRITICAL,HIGH"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: "fs"
+        scan-ref: "."
+        format: "sarif"
+        output: "trivy-results.sarif"
+        severity: ${{ inputs.severity }}
+
+    - name: Upload Trivy scan results
+      uses: github/codeql-action/upload-sarif@v3
+      if: always()
+      with:
+        sarif_file: "trivy-results.sarif"
diff --git a/.github/actions/static-analysis/semgrep.yaml b/.github/actions/static-analysis/semgrep.yaml
@@ -0,0 +1,115 @@
+name: Semgrep Analysis
+
+on:
+  workflow_call:
+    inputs:
+      scan-type:
+        description: "Type of scan: quick (PR) or thorough (release)"
+        required: true
+        type: string
+        default: "quick"
+      rules:
+        description: "Semgrep rulesets to use"
+        required: false
+        type: string
+        default: "p/default"
+      severity:
+        description: "Minimum severity level (ERROR, WARNING, INFO)"
+        required: false
+        type: string
+        default: "WARNING"
+      upload-artifact:
+        description: "Whether to upload results as artifact"
+        required: false
+        type: boolean
+        default: true
+    secrets:
+      semgrep-token:
+        description: "Semgrep App token"
+        required: false
+
+jobs:
+  semgrep-scan:
+    name: Semgrep Analysis
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Required for git-changes mode
+
+      - name: Configure scan settings
+        id: config
+        run: |
+          # Set scan configuration based on type
+          if [ "${{ inputs.scan-type }}" = "thorough" ]; then
+            echo "Running thorough scan for release..."
+            echo "scan_args=" >> $GITHUB_OUTPUT
+            echo "rules=${{ inputs.rules }},p/security-audit,p/secrets,p/supply-chain" >> $GITHUB_OUTPUT
+          else
+            echo "Running quick scan for PR..."
+            echo "scan_args=--git-changes HEAD~1" >> $GITHUB_OUTPUT
+            echo "rules=${{ inputs.rules }}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Run Semgrep scan
+        id: semgrep
+        run: |
+          # Set severity level
+          export SEMGREP_SEVERITY=${{ inputs.severity }}
+
+          # Run scan with configured settings
+          semgrep ci \
+            ${{ steps.config.outputs.scan_args }} \
+            --sarif > semgrep.sarif \
+            --json > semgrep-results.json \
+            --output report.txt
+
+          # Generate markdown summary
+          {
+            echo "### Semgrep Analysis Results"
+            echo "Scan type: ${{ inputs.scan-type }}"
+            echo "Rules: ${{ steps.config.outputs.rules }}"
+            echo "Severity: ${{ inputs.severity }}"
+            echo ""
+            echo "\`\`\`"
+            cat report.txt
+            echo "\`\`\`"
+          } > summary.md
+        env:
+          SEMGREP_APP_TOKEN: ${{ secrets.semgrep-token }}
+          SEMGREP_RULES: ${{ steps.config.outputs.rules }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: semgrep.sarif
+          wait-for-processing: true
+
+      - name: Upload scan results
+        if: inputs.upload-artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: semgrep-${{ inputs.scan-type }}-results
+          path: |
+            semgrep.sarif
+            semgrep-results.json
+            report.txt
+            summary.md
+          retention-days: 90
+
+      - name: Add PR comment
+        if: github.event_name == 'pull_request'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const summary = fs.readFileSync('summary.md', 'utf8');
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: summary
+            });
diff --git a/.github/actions/static-analysis/semgrep/action.yaml b/.github/actions/static-analysis/semgrep/action.yaml
@@ -0,0 +1,19 @@
+name: "Semgrep Security Scan"
+description: "Runs Semgrep security analysis"
+
+inputs:
+  publish_token:
+    description: "Semgrep publish token"
+    required: false
+    default: ""
+
+runs:
+  using: "composite"
+  steps:
+    - uses: returntocorp/semgrep-action@v1
+      with:
+        publishToken: ${{ inputs.publish_token }}
+        config: >-
+          p/default
+          p/security-audit
+          p/owasp-top-ten
diff --git a/.github/workflows/bandit.yaml b/.github/workflows/bandit.yaml
@@ -0,0 +1,12 @@
+name: Test Workflow
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - feature/*
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - run: echo "Hello World"