From 32b3dfbcb1b62a0646dbbecbcf890a170d9e7228 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Manuel=20Lucas?= Date: Tue, 27 Jan 2026 09:34:41 +0100 Subject: [PATCH] ci: add security scanning workflow Add automated security checks: - pip-audit for known vulnerabilities in dependencies - CodeQL static analysis for Python code Runs on: - Every push and PR to main - Weekly schedule (Monday 9:00 UTC) for catching new CVEs --- .github/workflows/security.yml | 54 ++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 .github/workflows/security.yml diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml new file mode 100644 index 0000000..c2c3d91 --- /dev/null +++ b/.github/workflows/security.yml @@ -0,0 +1,54 @@ +name: Security + +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: + # Run weekly on Monday at 9:00 UTC + - cron: "0 9 * * 1" + +jobs: + dependency-audit: + runs-on: ubuntu-latest + name: Dependency Audit + + steps: + - uses: actions/checkout@v4 + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: "3.11" + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install pip-audit + # Install only the dependencies, not the local package + pip install PyYAML requests + + - name: Run pip-audit + run: pip-audit --strict --progress-spinner off + + codeql: + runs-on: ubuntu-latest + name: CodeQL Analysis + permissions: + security-events: write + actions: read + contents: read + + steps: + - uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: python + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:python"