platform-tooling/.github/workflows/python-security-scan.yml at main · orangitfi/platform-tooling · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
# Python Security Scan
#
# Reusable workflow that runs three security scans in parallel against
# Python / uv repositories:
#
#   1. gitleaks   — detects secrets committed to the repository
#   2. pip-audit  — detects known CVEs in Python dependencies (via uv lockfile)
#   3. guarddog   — detects supply-chain threats in PyPI packages
#
# uv is installed in each job that requires it. All three jobs run in
# parallel; the workflow fails if any one of them fails.
#
# Usage in a consuming repository:
#
#   jobs:
#     security:
#       uses: orangitfi/platform-tooling/.github/workflows/python-security-scan.yml@<sha>
#       with:
#         working-directory: .
#
# Consuming repo controls WHEN this runs. This workflow controls HOW.

name: Python Security Scan

on:
  workflow_call:
    inputs:
      working-directory:
        description: "Directory containing pyproject.toml and uv.lock"
        required: false
        default: "."
        type: string
      fail-on-findings:
        description: "Fail the workflow if any scan detects issues"
        required: false
        default: true
        type: boolean

permissions:
  contents: read

jobs:
  gitleaks:
    name: Secret Scan (gitleaks)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

      - name: Run gitleaks scan
        uses: orangitfi/platform-tooling/.github/actions/gitleaks-scan@a4ca46b0de8eda2f61573cfbd4164e538a7775a1 # pt-sha
        with:
          fail-on-findings: ${{ inputs.fail-on-findings }}

  pip-audit:
    name: Vulnerability Scan (pip-audit)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install uv
        uses: orangitfi/platform-tooling/.github/actions/setup-uv@a4ca46b0de8eda2f61573cfbd4164e538a7775a1 # pt-sha

      - name: Run pip-audit
        uses: orangitfi/platform-tooling/.github/actions/pip-audit@a4ca46b0de8eda2f61573cfbd4164e538a7775a1 # pt-sha
        with:
          working-directory: ${{ inputs.working-directory }}
          fail-on-findings: ${{ inputs.fail-on-findings }}

  guarddog:
    name: Supply Chain Scan (guarddog)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install uv
        uses: orangitfi/platform-tooling/.github/actions/setup-uv@a4ca46b0de8eda2f61573cfbd4164e538a7775a1 # pt-sha

      - name: Run guarddog PyPI scan
        uses: orangitfi/platform-tooling/.github/actions/guarddog-scan@a4ca46b0de8eda2f61573cfbd4164e538a7775a1 # pt-sha
        with:
          working-directory: ${{ inputs.working-directory }}
          fail-on-findings: ${{ inputs.fail-on-findings }}