name: Security Scan
on:
schedule:
- cron: '0 2 * * 1' # Weekly on Monday at 2 AM
push:
branches: [master, develop]
pull_request:
branches: [master, develop]
jobs:
security-scan:
name: Security Analysis
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
actions: read
pull-requests: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.11'
- name: Install security tools
run: |
python -m pip install --upgrade pip
pip install bandit semgrep
- name: Run Bandit security scan
run: |
bandit -r . -f json -o bandit-report.json --exit-zero
bandit -r . -f txt -o bandit-report.txt --exit-zero
- name: Run Semgrep SAST scan
run: |
semgrep --config=auto --json --output=semgrep-report.json .
semgrep --config=auto --output=semgrep-report.txt .
- name: Check for secrets
uses: trufflesecurity/trufflehog@main
with:
path: ./
base: main
head: HEAD
extra_args: --debug --only-verified
- name: Upload security reports
uses: actions/upload-artifact@v4
with:
name: security-reports-${{ github.run_number }}
path: |
bandit-report.json
bandit-report.txt
semgrep-report.json
semgrep-report.txt
- name: Comment PR with security results
if: github.event_name == 'pull_request'
uses: actions/github-script@v6
with:
script: |
const fs = require('fs');
// Read security reports (Bandit)
let banditResults = '';
try {
const banditData = JSON.parse(fs.readFileSync('bandit-report.json', 'utf8'));
banditResults = `**Bandit Security Scan Results:**\n`;
banditResults += `- High: ${banditData.results.filter(r => r.issue_severity === 'HIGH').length}\n`;
banditResults += `- Medium: ${banditData.results.filter(r => r.issue_severity === 'MEDIUM').length}\n`;
banditResults += `- Low: ${banditData.results.filter(r => r.issue_severity === 'LOW').length}\n`;
} catch (error) {
console.log('Error reading Bandit report:', error);
}
const comment = `## 🔒 Security Scan Results\n\n${banditResults}\n📊 Detailed reports are available in the workflow artifacts.`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: comment
});
dependency-check:
name: Dependency Security Check
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.11'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
- name: Check for outdated packages
run: |
pip list --outdated --format=json > outdated-packages.json
- name: Check for known vulnerabilities
run: |
echo "Skipping Safety vulnerability check as requested"
- name: Upload dependency reports
uses: actions/upload-artifact@v4
with:
name: dependency-reports-${{ github.run_number }}
path: |
outdated-packages.json
docker-security:
name: Docker Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Build Docker image
run: |
docker build -t zap-custom-mcp:security-test .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'zap-custom-mcp:security-test'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload SARIF results as artifact
uses: actions/upload-artifact@v4
if: always()
with:
name: trivy-sarif-results
path: trivy-results.sarif
retention-days: 30
