python-vulnerability-scan

Reusable workflow that generates a Software Bill of Materials (SBOM) with Syft and scans it for known CVEs with Grype. Runs two scans in parallel: one against the source directory and an optional one against the built Docker image.

Replace <current-sha> with the current SHA from the root README.

Jobs

| Job | What it scans |
|---|---|
| code-scan | Source directory — OS packages, Python packages, and application code via Syft SBOM |
| docker-scan | Built Docker image — all layers, including base image and system packages (skippable) |

Usage

Source code only (no Dockerfile)

on:
  schedule:
    - cron: "0 2 * * *"   # nightly

jobs:
  vuln-scan:
    uses: orangitfi/platform-tooling/.github/workflows/python-vulnerability-scan.yml@<current-sha>
    with:
      run-docker-scan: false

Source code + Docker image

jobs:
  vuln-scan:
    uses: orangitfi/platform-tooling/.github/workflows/python-vulnerability-scan.yml@<current-sha>
    with:
      image-name: my-backend

Stricter threshold

jobs:
  vuln-scan:
    uses: orangitfi/platform-tooling/.github/workflows/python-vulnerability-scan.yml@<current-sha>
    with:
      image-name:       my-backend
      fail-on-severity: medium

Parameters

| Input | Default | Description |
|---|---|---|
| working-directory | . | Directory to scan for source code |
| fail-on-severity | high | Minimum Grype severity to fail on: critical, high, medium, low, negligible |
| run-docker-scan | true | Build and scan the Docker image; set false for repos without a Dockerfile |
| dockerfile-path | Dockerfile | Path to the Dockerfile relative to working-directory |
| image-name | | Docker image name (defaults to repository name if not set) |
| image-tag | | Docker image tag (defaults to commit SHA if not set) |

When it has value

  • Beyond pip-audit: pip-audit checks your declared Python dependencies against CVE databases. Grype scans the entire source tree and container image, including the Python runtime, base OS packages, C extensions, and system libraries that pip-audit never sees.
  • Scheduled scanning: new CVEs are published daily. A dependency that was safe yesterday may be vulnerable today. Nightly scanning keeps your exposure window small even without code changes.
  • Docker base image hygiene: the most common source of container CVEs is an outdated base image (python:3.12-slim from 6 months ago vs today). The Docker scan job catches these independently of your Python dependencies.
  • SBOM for compliance: the Syft SBOM is a machine-readable inventory accepted by auditors and security tools.

Tips

  • Run this workflow on a schedule rather than on every push — vulnerability databases update independently of your code.
  • The --only-fixed flag in Grype means only CVEs with an available fix contribute to the failure threshold. This avoids blocking on unfixable CVEs in base images.
  • If the Docker scan fails because of an outdated base image, update FROM in your Dockerfile to a newer patch release (e.g. python:3.12.3-slim → python:3.12.10-slim).
  • Set fail-on-severity: critical for a more permissive starting threshold and tighten to high once the backlog of known vulnerabilities is cleared.
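To make the interaction between fail-on-severity and --only-fixed concrete, the following is an added example (not part of this workflow or of Grype) that re-implements the gate logic over a constructed report shaped like Grype's JSON output; the package names and CVE ids in it are placeholders.

```python
import json

# Grype severity ranking from lowest to highest; "Unknown" is treated as the lowest.
SEVERITY_ORDER = ["unknown", "negligible", "low", "medium", "high", "critical"]

# Constructed sample in the shape of `grype sbom:sbom.json -o json`.
# Names, versions and CVE ids are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"versions": ["2.0.1"], "state": "fixed"}},
         "artifact": {"name": "example-lib", "version": "2.0.0", "type": "python"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "libexample", "version": "1.2.3", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                           "fix": {"versions": ["4.5.6"], "state": "fixed"}},
         "artifact": {"name": "other-lib", "version": "4.5.0", "type": "python"}},
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "Low",
                           "fix": {"versions": ["0.9"], "state": "fixed"}},
         "artifact": {"name": "tiny-lib", "version": "0.8", "type": "python"}},
    ]
})


def blocking_findings(report_json, fail_on_severity="high", only_fixed=True):
    """Return the matches that would trip the threshold as (id, severity, artifact) tuples."""
    threshold = SEVERITY_ORDER.index(fail_on_severity.lower())
    blocking = []
    for match in json.loads(report_json)["matches"]:
        vuln = match["vulnerability"]
        severity = vuln.get("severity", "Unknown").lower()
        rank = SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0
        if rank < threshold:
            continue  # below fail-on-severity: reported, but does not fail the job
        if only_fixed and vuln.get("fix", {}).get("state") != "fixed":
            continue  # --only-fixed: CVEs without an available fix never block
        artifact = match["artifact"]
        blocking.append((vuln["id"], severity, f"{artifact['name']}@{artifact['version']}"))
    return blocking


if __name__ == "__main__":
    for fail_on in ("critical", "high", "medium"):
        hits = blocking_findings(SAMPLE_REPORT, fail_on)
        print(f"fail-on-severity={fail_on}: {len(hits)} blocking finding(s)", hits)
```

With the default threshold of high, the unfixed High CVE in the OS package is skipped and only the fixed Critical one blocks; loosening to critical or tightening to medium changes the count as the Tips above describe.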