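---
# Security Scanning workflow.
#
# Static analysis (Bandit, CodeQL) plus dependency vulnerability checks
# (Safety, npm audit, Snyk, Dependency Review). The Python and frontend
# scanners never fail the workflow on findings (continue-on-error); their
# JSON reports, uploaded as artifacts, are the primary output. Because the
# scanner exit codes are swallowed, every report upload treats a missing
# file as an error so a broken scanner cannot pass silently.
name: Security Scanning

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  schedule:
    # Run security scan daily at 2 AM UTC
    - cron: '0 2 * * *'

# Least privilege for the default GITHUB_TOKEN: reading the repository is all
# the Python and frontend jobs need. CodeQL declares the extra scopes it
# needs at job level below.
permissions:
  contents: read

jobs:
  python-security:
    name: Python Security Scanning
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install uv
        uses: astral-sh/setup-uv@v2

      - name: Set up Python
        run: uv python install 3.11

      - name: Install dependencies
        run: uv sync --all-extras

      - name: Run Bandit security scan
        # The venv created by `uv sync` does not contain pip, so
        # `uv run pip install` would fail and (with continue-on-error) leave
        # no report behind. `uv pip install` targets the project venv
        # directly. The extra is quoted because `[...]` is a shell glob.
        run: |
          uv pip install "bandit[toml]"
          uv run bandit -r src/ -f json -o bandit-report.json
        continue-on-error: true

      - name: Upload Bandit report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: bandit-security-report
          path: bandit-report.json
          # Bandit writes the report even when it finds issues; no file means
          # the scanner itself broke, which the step above cannot signal.
          if-no-files-found: error

      - name: Run Safety check for vulnerable dependencies
        # `--output` selects a report format, not a destination; the file is
        # written with `--save-json`.
        run: |
          uv pip install safety
          uv run safety check --output json --save-json safety-report.json
        continue-on-error: true

      - name: Upload Safety report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: safety-dependency-report
          path: safety-report.json
          if-no-files-found: error

  frontend-security:
    name: Frontend Security Scanning
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install frontend dependencies
        run: |
          cd src/oxide/web/frontend
          npm ci

      - name: Run npm audit
        # The redirect always produces a report; `|| true` keeps audit
        # findings (non-zero exit) from failing the job.
        run: |
          cd src/oxide/web/frontend
          npm audit --json > npm-audit-report.json || true

      - name: Upload npm audit report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: npm-audit-report
          path: src/oxide/web/frontend/npm-audit-report.json
          if-no-files-found: error

      - name: Check for known vulnerabilities with Snyk
        # TODO(review): pin this action to a release tag or commit SHA like
        # the other actions in this file. `master` is a mutable ref, and the
        # step receives SNYK_TOKEN, so an upstream change runs with that
        # credential. On pull requests from forks the secret is empty and
        # the step fails; continue-on-error keeps the job green in that case.
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high --file=src/oxide/web/frontend/package.json

  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    # Only meaningful on pull requests: the action diffs the PR's dependency
    # manifests against the base branch.
    if: github.event_name == 'pull_request'
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          # Unlike the scanners above, this check blocks the PR.
          fail-on-severity: moderate
          warn-on-openssl: true

  codeql-analysis:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    # security-events: write is required to upload SARIF results to code
    # scanning; actions: read lets the action query workflow status.
    permissions:
      security-events: write
      actions: read
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: python, javascript

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3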