diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 00000000000..75b1ea1686c
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,67 @@
+name: "Security"
+
+on:
+ push:
+ branches: [master]
+ pull_request:
+ branches: [master]
+ schedule:
+ - cron: "0 6 * * 1"
+
+jobs:
+ codeql:
+ name: CodeQL Analysis
+ runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: ["python", "javascript-typescript"]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v3
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{ matrix.language }}"
+
+ safety:
+ name: Dependency Security Scan
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.12"
+ cache: "pip"
+ cache-dependency-path: pyproject.toml
+
+ - name: Install project dependencies and safety
+ run: |
+ pip install safety
+ pip install -e ".[ci]" || pip install -e .
+
+ - name: Run safety scan
+ continue-on-error: true
+ run: safety scan --output json
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 5d7a63c7f57..f9c75960e85 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -31,3 +31,15 @@ repos:
 files: ^infra/templates/|\.jinja2$|^docs/roadmap\.md$
 entry: make build-templates
 pass_filenames: false
+
+ - repo: https://github.com/Yelp/detect-secrets
+ rev: v1.5.0
+ hooks:
+ - id: detect-secrets
+ exclude: |
+ (?x)^(
+ .*\.lock|
+ .*requirements.*\.txt|
+ .*\.svg|
+ .*\.html
+ )$
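Review bot: The `safety` job as written can never block a merge or surface a finding: `continue-on-error: true` on the last step swallows any non-zero exit, and `safety scan --output json` dumps the report into the step log as raw JSON with no artifact, summary or gate, so a vulnerable dependency produces a green check. If the `safety` that `pip install safety` resolves to is 3.x, `safety scan` also expects an authenticated account or API key (the deprecated `safety check` did not), in which case an unauthenticated run fails outright and that failure is hidden by the same flag — worth confirming against the version actually installed. I would drop `continue-on-error: true`, change the step to `run: safety scan --output screen` (or `--save-as json safety-report.json` plus an `actions/upload-artifact` step if the JSON is wanted), and supply the key through an `env:` entry `SAFETY_API_KEY: ${{ secrets.SAFETY_API_KEY }}`. Separately, every action is pinned to a floating major tag (`actions/checkout@v4`, `github/codeql-action/*@v3`, `actions/setup-python@v5`); for a workflow that holds `security-events: write`, pin to full commit SHAs and let Dependabot bump them.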
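Review bot: The `detect-secrets` hook is added without a baseline argument (`args: ["--baseline", ".secrets.baseline"]`), so, as I read the detect-secrets docs, every staged file is checked against the full plugin set with no way to triage known false positives except an inline `# pragma: allowlist secret`; high-entropy strings in test fixtures or sample configs will block commits as soon as someone touches those files. Generate a baseline with the same excludes, audit it with `detect-secrets audit .secrets.baseline`, and commit it with this change so the hook and baseline agree. It is also worth a comment above the hook that pre-commit only passes staged files, so secrets already in history or in untouched files are not covered and need a one-off `detect-secrets scan` or a history scanner. The enclosing `repos:` list starts outside the hunk.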