Skip to content

Add dependency vulnerability scan CI gates #1

Add dependency vulnerability scan CI gates

Add dependency vulnerability scan CI gates #1

Workflow file for this run

name: deps-scan
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: "0 7 * * 1"
permissions:
contents: read
jobs:
allowlist-expiry:
name: "IntentProof Security: Deps Allowlist"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Validate dependency allowlist expiry dates
run: bash ./scripts/check-deps-allowlist.sh
pip-audit:
name: "IntentProof Security: pip-audit"
needs: allowlist-expiry
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Install package and pip-audit
run: pip install -e ".[dev]" pip-audit
- name: Run pip-audit
run: pip-audit --desc on
osv-scanner:
name: "IntentProof Security: OSV-Scanner"
needs: allowlist-expiry
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run OSV-Scanner
uses: google/osv-scanner-action/osv-scanner-action@v2.2.2
with:
scan-args: |-
--recursive
--config=.osv-scanner.toml
--severity=HIGH,CRITICAL
./