Add poetry-plugin-export for Snyk requirements generation #63
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: 🛡️ Bastion Quality Gates | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| pull_request: | |
| branches: [ "main" ] | |
| workflow_dispatch: | |
| permissions: | |
| pull-requests: read | |
| security-events: write | |
| jobs: | |
| Analyze: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| tool: [bandit, ruff, mypy, flake8, pylint, codeql, snyk] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2 | |
| - name: Set up Python | |
| if: matrix.tool != 'codeql' # Snyk needs Python setup | |
| uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 | |
| with: | |
| python-version: '3.13' | |
| - name: Cache pip dependencies | |
| if: matrix.tool != 'codeql' | |
| uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 | |
| with: | |
| path: | | |
| /usr/local/lib/python3.13/site-packages | |
| ~/.cache/pypoetry | |
| key: pip-poetry-${{ hashFiles('pyproject.toml') }} | |
| restore-keys: | | |
| pip-poetry- | |
| - name: Install Poetry | |
| if: matrix.tool != 'codeql' | |
| run: | | |
| pip install poetry | |
| poetry --version | |
| - name: Install project dependencies | |
| if: matrix.tool != 'codeql' | |
| run: | | |
| poetry install --with dev --no-interaction | |
| - name: Install analysis tools | |
| if: matrix.tool != 'codeql' && matrix.tool != 'snyk' | |
| run: | | |
| poetry run pip install bandit ruff mypy flake8 pylint | |
| poetry run bandit --version | |
| poetry run ruff --version | |
| poetry run mypy --version | |
| poetry run flake8 --version | |
| poetry run pylint --version | |
| - name: Setup Snyk CLI | |
| if: matrix.tool == 'snyk' | |
| uses: snyk/actions/setup@cdb760004ba9ea4d525f2e043745dfe85bb9077e | |
| with: | |
| snyk-version: latest | |
| - name: Run Snyk Security Scan | |
| if: matrix.tool == 'snyk' | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_SECRET_TOKEN }} | |
| DEBUG: snyk* | |
| run: | | |
| pip install poetry | |
| pip install poetry-plugin-export | |
| poetry export --format requirements.txt --output requirements.txt | |
| snyk test --file=requirements.txt --sarif-file-output=snyk_report.sarif | |
| - name: Run Bandit | |
| if: matrix.tool == 'bandit' | |
| run: poetry run bandit -r . -o bandit_report.json --format json --exclude tests,.git || true | |
| - name: Run Ruff | |
| if: matrix.tool == 'ruff' | |
| run: poetry run ruff check . --output-format json --output-file ruff_report.json --exclude tests,.git || true | |
| - name: Run Mypy | |
| if: matrix.tool == 'mypy' | |
| run: poetry run mypy . 2>&1 | tee mypy_report.txt || true | |
| - name: Run Flake8 | |
| if: matrix.tool == 'flake8' | |
| run: poetry run flake8 . --output-file flake8_report.txt --format=pylint || true | |
| - name: Run Pylint | |
| if: matrix.tool == 'pylint' | |
| run: poetry run pylint --recursive=y . --output-format=json > pylint_report.json || true | |
| - name: Initialize CodeQL | |
| if: matrix.tool == 'codeql' | |
| uses: github/codeql-action/init@main | |
| with: | |
| languages: python | |
| - name: Perform CodeQL Analysis | |
| if: matrix.tool == 'codeql' | |
| uses: github/codeql-action/analyze@main | |
| with: | |
| output: codeql_report.sarif | |
| - name: Upload report artifact | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 | |
| with: | |
| name: ${{ matrix.tool }}-report | |
| path: ${{ matrix.tool }}_report.* | |
| SonarQube: | |
| needs: Analyze | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Download analysis reports | |
| uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e | |
| with: | |
| path: reports | |
| - name: Move reports to working directory | |
| run: | | |
| mv reports/bandit-report/bandit_report.json . | |
| mv reports/ruff-report/ruff_report.json . | |
| mv reports/mypy-report/mypy_report.txt . | |
| mv reports/flake8-report/flake8_report.txt . | |
| mv reports/pylint-report/pylint_report.json . | |
| mv reports/codeql-report/codeql_report.sarif . | |
| mv reports/snyk-report/snyk_report.sarif . | |
| - name: Check if reports exist | |
| run: | | |
| for report in bandit_report.json ruff_report.json mypy_report.txt flake8_report.txt pylint_report.json codeql_report.sarif snyk_report.sarif; do | |
| if [ ! -f "$report" ]; then | |
| echo "$report not found. Exiting." | |
| exit 1 | |
| fi | |
| done | |
| - name: Analyze with SonarQube | |
| uses: SonarSource/sonarqube-scan-action@aa494459d7c39c106cc77b166de8b4250a32bb97 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} | |
| with: | |
| args: > | |
| -Dsonar.projectKey=DavidOsipov_PostQuantum-Feldman-VSS | |
| -Dsonar.organization=davidosipov | |
| -Dsonar.python.bandit.reportPaths=bandit_report.json | |
| -Dsonar.python.ruff.reportPaths=ruff_report.json | |
| -Dsonar.python.mypy.reportPaths=mypy_report.txt | |
| -Dsonar.python.flake8.reportPaths=flake8_report.txt | |
| -Dsonar.python.pylint.reportPaths=pylint_report.json | |
| -Dsonar.sarifReportPaths=codeql_report.sarif,snyk_report.sarif | |
| -Dsonar.python.version=3.10-3.13 | |
| -Dsonar.languages=python |