chore: update to lls version 0.3.5 for test purposes #130

Workflow file for this run

.github/workflows/security.yml at 154f284

	name: Security Scan

	on:
	pull_request:
	branches: [main]
	push:
	branches: [main]

	jobs:
	trivy-scan:
	name: Trivy
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write
	actions: read

	steps:
	- name: Checkout code
	uses: actions/checkout@v4

	- name: Set up Python
	uses: actions/setup-python@v4
	with:
	python-version: '3.12'

	- name: Install dependencies
	run: \|
	python -m pip install --upgrade pip
	python -m pip install -e ".[dev]"

	- name: Run Trivy filesystem scan
	uses: aquasecurity/trivy-action@master
	with:
	scan-type: 'fs'
	scan-ref: '.'
	format: 'sarif'
	output: 'trivy-fs-results.sarif'
	severity: 'CRITICAL,HIGH,MEDIUM,LOW'
	exit-code: '0' # Don't fail on this scan, we'll check results separately

	- name: Run Trivy dependency scan
	uses: aquasecurity/trivy-action@master
	with:
	scan-type: 'fs'
	scan-ref: '.'
	format: 'sarif'
	output: 'trivy-deps-results.sarif'
	severity: 'CRITICAL,HIGH,MEDIUM,LOW'
	scanners: 'vuln'
	exit-code: '0' # Don't fail on this scan, we'll check results separately

	- name: Check for critical and high vulnerabilities
	uses: aquasecurity/trivy-action@master
	with:
	scan-type: 'fs'
	scan-ref: '.'
	format: 'table'
	severity: 'CRITICAL,HIGH'
	exit-code: '1' # Fail if critical or high vulnerabilities found

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	if: always() && github.event_name == 'pull_request' && github.base_ref == 'main'
	with:
	sarif_file: 'trivy-fs-results.sarif'
	category: 'trivy-filesystem'

	- name: Upload Trivy dependency scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	if: always() && github.event_name == 'pull_request' && github.base_ref == 'main'
	with:
	sarif_file: 'trivy-deps-results.sarif'
	category: 'trivy-dependencies'

	bandit-scan:
	name: Bandit
	runs-on: ubuntu-latest
	permissions:
	security-events: write
	actions: read
	contents: read
	checks: write

	steps:
	- uses: actions/checkout@v4

	- name: Set up Python
	uses: actions/setup-python@v5
	with:
	python-version: "3.12"
	cache: "pip"

	- name: Create virtual environment
	run: \|
	python -m pip install --upgrade pip
	python -m venv .venv

	- name: Install dependencies
	run: \|
	source .venv/bin/activate
	pip install -e ".[dev]"

	- name: Install Bandit
	run: \|
	source .venv/bin/activate
	pip install bandit[sarif]

	- name: Run Bandit Security Scan
	uses: PyCQA/bandit-action@v1
	with:
	targets: "."
	exclude: "tests"

	- name: Upload SARIF results to Security tab
	if: github.ref == 'refs/heads/main'
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: results.sarif
	category: bandit-security-scan

	- name: Upload SARIF as artifact
	uses: actions/upload-artifact@v4
	with:
	name: bandit-sarif-results
	path: results.sarif
	retention-days: 30
	continue-on-error: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: update to lls version 0.3.5 for test purposes #130

Workflow file

chore: update to lls version 0.3.5 for test purposes #130

Uh oh!

Workflow file for this run