# Python / uv Daily Security
#
# Reusable workflow for a daily security status run against a Python / uv project.
# Combines the full CI pipeline with an OWASP ZAP DAST scan in parallel:
#
# ci — full python-ci pipeline (security + lint + test + vuln scan)
# dast — OWASP ZAP scan against the live staging/production URL
#
# Both jobs run in parallel. CI checks the current code and dependencies;
# ZAP checks the running application. They are independent — a build failure
# does not prevent the DAST scan from running, and vice versa.
#
# If target-url is not provided the dast job is skipped cleanly.
#
# The consuming repo controls WHEN this runs (typically a nightly schedule).
# This workflow controls HOW.
#
# Usage in a consuming repository:
#
#   on:
#     schedule:
#       - cron: "0 3 * * *"   # 03:00 UTC every night
#     workflow_dispatch:      # allow manual trigger
#
#   jobs:
#     daily:
#       uses: orangitfi/platform-tooling/.github/workflows/python-daily.yml@<sha>
#       with:
#         image-name: my-api
#         target-url: https://staging.myapi.com
#
# See python-daily.md for full documentation and all parameter options.
#
# ─── SHA pinning ─────────────────────────────────────────────────────────────
# After committing this file, replace a4ca46b0de8eda2f61573cfbd4164e538a7775a1 on every line tagged `# pt-sha` with the new commit SHA.
# ─────────────────────────────────────────────────────────────────────────────
name: Daily Security

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      # ── CI inputs ────────────────────────────────────────────────────────
      # Forwarded one-to-one to python-ci.yml by the `ci` job.
      working-directory:
        description: "Directory containing pyproject.toml and uv.lock"
        required: false
        default: "."
        type: string
      test-command:
        description: "Command to run tests via uv run (e.g. pytest, pytest tests/ -v)"
        required: false
        default: "pytest"
        type: string
      uv-sync-args:
        description: "Extra arguments passed to uv sync (e.g. --extra test)"
        required: false
        default: ""
        type: string
      run-ruff-lint:
        description: "Run ruff check in the lint job"
        required: false
        default: true
        type: boolean
      run-ruff-format:
        description: "Run ruff format --check in the lint job"
        required: false
        default: true
        type: boolean
      dockerfile-path:
        description: "Path to the Dockerfile relative to the repo root"
        required: false
        default: "Dockerfile"
        type: string
      run-docker-build:
        description: "Validate the Dockerfile builds as an early quality gate"
        required: false
        default: false
        type: boolean
      # NOTE(review): run-docker-scan defaults to true while image-name
      # defaults to ""; how python-ci.yml treats that combination is not
      # visible here — confirm it skips rather than fails.
      image-name:
        description: "Docker image name for docker-build and vulnerability scan"
        required: false
        default: ""
        type: string
      run-docker-scan:
        description: "Build and scan the Docker image in the vulnerability scan"
        required: false
        default: true
        type: boolean
      fail-on-severity:
        description: "Minimum Grype severity for the vulnerability scan"
        required: false
        default: "high"
        type: string
      # ── DAST inputs ──────────────────────────────────────────────────────
      # Forwarded to dast-scan.yml by the `dast` job.
      target-url:
        description: "URL of the running application to scan with ZAP. Leave empty to skip DAST."
        required: false
        default: ""
        type: string
      # workflow_call inputs support only boolean/number/string, so the
      # accepted values are documented rather than enforced. "full" is an
      # active scan that can create or modify application data; run it
      # against staging, not production.
      scan-type:
        description: "ZAP scan type: baseline (passive, ~2 min) | full (active, 10-30 min) | api"
        required: false
        default: "baseline"
        type: string
      openapi-spec:
        description: "OpenAPI spec URL or path — used only when scan-type is api. Defaults to {target-url}/openapi.json."
        required: false
        default: ""
        type: string
      dast-fail-on-findings:
        description: "Fail the DAST job if ZAP reports any alerts"
        required: false
        default: true
        type: boolean
permissions:
  # Token scope for every job in this file. A reusable workflow invoked via
  # `uses:` can only narrow the permissions it is called with, never widen
  # them, so this is the ceiling for both python-ci.yml and dast-scan.yml.
  contents: read
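jobs:
  # ───────────────────────────────────────────────────────────────────────────
  # Full CI pipeline — static security, lint, test, vulnerability scan
  # ───────────────────────────────────────────────────────────────────────────
  ci:
    name: CI
    # Pinned to a full commit SHA of platform-tooling. The `# pt-sha` tag marks
    # the lines that must be updated after each commit (see file header).
    uses: orangitfi/platform-tooling/.github/workflows/python-ci.yml@a4ca46b0de8eda2f61573cfbd4164e538a7775a1 # pt-sha
    with:
      working-directory: ${{ inputs.working-directory }}
      test-command: ${{ inputs.test-command }}
      uv-sync-args: ${{ inputs.uv-sync-args }}
      run-ruff-lint: ${{ inputs.run-ruff-lint }}
      run-ruff-format: ${{ inputs.run-ruff-format }}
      dockerfile-path: ${{ inputs.dockerfile-path }}
      run-docker-build: ${{ inputs.run-docker-build }}
      image-name: ${{ inputs.image-name }}
      run-docker-scan: ${{ inputs.run-docker-scan }}
      fail-on-severity: ${{ inputs.fail-on-severity }}

  # ───────────────────────────────────────────────────────────────────────────
  # DAST — dynamic scan against the live URL (skipped if target-url is empty)
  # ───────────────────────────────────────────────────────────────────────────
  dast:
    name: DAST (OWASP ZAP)
    # The header promises a clean skip when no target is configured; make that
    # explicit here so the job shows as "skipped" in the run summary instead of
    # invoking the scanner workflow with an empty URL. Deliberately no
    # `needs: ci` — the two jobs are independent and run in parallel.
    if: ${{ inputs.target-url != '' }}
    uses: orangitfi/platform-tooling/.github/workflows/dast-scan.yml@a4ca46b0de8eda2f61573cfbd4164e538a7775a1 # pt-sha
    with:
      # scan-type "full" performs active testing that can create or modify
      # application data; point it at staging rather than production.
      target-url: ${{ inputs.target-url }}
      scan-type: ${{ inputs.scan-type }}
      openapi-spec: ${{ inputs.openapi-spec }}
      fail-on-findings: ${{ inputs.dast-fail-on-findings }}
      artifact-name: zap-daily-report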