forked from music-assistant/server
-
Notifications
You must be signed in to change notification settings - Fork 2
464 lines (394 loc) · 19.6 KB
/
dependency-security.yml
File metadata and controls
464 lines (394 loc) · 19.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
# Dependency Security Check Workflow
# Checks Python dependencies for security vulnerabilities and supply chain risks
name: Dependency Security Check
on:
pull_request_target:
types: [opened, synchronize, reopened, labeled]
paths:
- "requirements_all.txt"
- "**/manifest.json"
- "pyproject.toml"
branches:
- stable
- dev
permissions:
contents: read
pull-requests: write
issues: write # Needed to post PR comments
jobs:
security-check:
runs-on: ubuntu-latest
steps:
- name: Check out code from GitHub
uses: actions/checkout@v6
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0 # Need full history for diff
- name: Detect automated dependency PRs
id: pr_type
run: |
PR_AUTHOR="${{ github.event.pull_request.user.login }}"
PR_LABELS="${{ toJson(github.event.pull_request.labels.*.name) }}"
# Check if PR is from dependabot, renovate, or has auto-merge label
if [[ "$PR_AUTHOR" == "dependabot[bot]" ]] || \
[[ "$PR_AUTHOR" == "renovate[bot]" ]] || \
echo "$PR_LABELS" | grep -q "auto-merge"; then
echo "is_automated=true" >> $GITHUB_OUTPUT
echo "✅ Detected automated dependency update PR - will auto-approve security checks"
else
echo "is_automated=false" >> $GITHUB_OUTPUT
fi
- name: Set up Python
uses: actions/setup-python@v6.2.0
with:
python-version: "3.12"
- name: Install security tools
run: |
pip install pip-audit
# Step 1: Verify requirements_all.txt is in sync
- name: Check requirements_all.txt sync
id: req_sync
run: |
# Save current requirements_all.txt
cp requirements_all.txt requirements_all.txt.original
# Regenerate requirements_all.txt
python3 scripts/gen_requirements_all.py
# Check if it changed
if ! diff -q requirements_all.txt.original requirements_all.txt > /dev/null; then
echo "status=out_of_sync" >> $GITHUB_OUTPUT
echo "⚠️ **requirements_all.txt is out of sync**" > sync_report.md
echo "" >> sync_report.md
echo "The \`requirements_all.txt\` file should be auto-generated from \`pyproject.toml\` and provider manifests." >> sync_report.md
echo "" >> sync_report.md
echo "**Action required:** Run \`python scripts/gen_requirements_all.py\` and commit the changes." >> sync_report.md
# Restore original
mv requirements_all.txt.original requirements_all.txt
else
echo "status=synced" >> $GITHUB_OUTPUT
echo "✅ requirements_all.txt is properly synchronized" > sync_report.md
rm requirements_all.txt.original
fi
# Step 2: Run pip-audit for known vulnerabilities
- name: Run pip-audit on all requirements
id: pip_audit
continue-on-error: true
run: |
echo "## 🔍 Vulnerability Scan Results" > audit_report.md
echo "" >> audit_report.md
if pip-audit -r requirements_all.txt --desc --format=markdown >> audit_report.md 2>&1; then
echo "status=pass" >> $GITHUB_OUTPUT
echo "✅ No known vulnerabilities found" >> audit_report.md
else
echo "status=fail" >> $GITHUB_OUTPUT
echo "" >> audit_report.md
echo "⚠️ **Vulnerabilities detected! Please review the findings above.**" >> audit_report.md
fi
cat audit_report.md
# Step 2: Detect new or changed dependencies
- name: Detect dependency changes
id: deps_check
run: |
# Get base branch (dev or stable)
BASE_BRANCH="${{ github.base_ref }}"
# Check for changes in requirements_all.txt
if git diff origin/$BASE_BRANCH...HEAD -- requirements_all.txt > /dev/null 2>&1; then
# Extract added lines (new or modified dependencies)
git diff origin/$BASE_BRANCH...HEAD -- requirements_all.txt | \
grep "^+" | grep -v "^+++" | sed 's/^+//' > new_deps_raw.txt || true
# Also check for version changes (lines that were modified)
git diff origin/$BASE_BRANCH...HEAD -- requirements_all.txt | \
grep "^-" | grep -v "^---" | sed 's/^-//' > old_deps_raw.txt || true
if [ -s new_deps_raw.txt ]; then
echo "has_changes=true" >> $GITHUB_OUTPUT
echo "## 📦 Dependency Changes Detected" > deps_report.md
echo "" >> deps_report.md
echo "The following dependencies were added or modified:" >> deps_report.md
echo "" >> deps_report.md
echo '```diff' >> deps_report.md
git diff origin/$BASE_BRANCH...HEAD -- requirements_all.txt >> deps_report.md
echo '```' >> deps_report.md
echo "" >> deps_report.md
# Extract just package names for safety check
cat new_deps_raw.txt | grep -v "^#" | grep -v "^$" > new_deps.txt || true
if [ -s new_deps.txt ]; then
echo "New/modified packages to review:" >> deps_report.md
cat new_deps.txt | while read line; do
echo "- \`$line\`" >> deps_report.md
done
fi
else
echo "has_changes=false" >> $GITHUB_OUTPUT
echo "No dependency changes detected in requirements_all.txt" > deps_report.md
fi
else
echo "has_changes=false" >> $GITHUB_OUTPUT
echo "No dependency changes detected" > deps_report.md
fi
cat deps_report.md
# Step 3: Check manifest.json changes
- name: Check provider manifest changes
id: manifest_check
run: |
BASE_BRANCH="${{ github.base_ref }}"
# Find all changed manifest.json files
CHANGED_MANIFESTS=$(git diff --name-only origin/$BASE_BRANCH...HEAD | grep "manifest.json" || true)
if [ -n "$CHANGED_MANIFESTS" ]; then
echo "## 📋 Provider Manifest Changes" > manifest_report.md
echo "" >> manifest_report.md
HAS_REQ_CHANGES=false
for manifest in $CHANGED_MANIFESTS; do
# Check if requirements actually changed
OLD_REQS=$(git show origin/$BASE_BRANCH:$manifest 2>/dev/null | python3 -c "import sys, json; data=json.load(sys.stdin); print(' '.join(data.get('requirements', [])))" 2>/dev/null || echo "")
NEW_REQS=$(cat $manifest | python3 -c "import sys, json; data=json.load(sys.stdin); print(' '.join(data.get('requirements', [])))" 2>/dev/null || echo "")
if [ "$OLD_REQS" != "$NEW_REQS" ]; then
HAS_REQ_CHANGES=true
echo "### \`$manifest\`" >> manifest_report.md
echo "" >> manifest_report.md
# Save old and new versions for comparison
git show origin/$BASE_BRANCH:$manifest > /tmp/old_manifest.json 2>/dev/null || echo '{"requirements":[]}' > /tmp/old_manifest.json
cp $manifest /tmp/new_manifest.json
# Use Python script to parse dependency changes
python3 scripts/parse_manifest_deps.py /tmp/old_manifest.json /tmp/new_manifest.json >> manifest_report.md
echo "" >> manifest_report.md
fi
done
if [ "$HAS_REQ_CHANGES" = "true" ]; then
echo "has_changes=true" >> $GITHUB_OUTPUT
else
echo "has_changes=false" >> $GITHUB_OUTPUT
echo "Manifest files changed but no dependency changes detected" > manifest_report.md
fi
else
echo "has_changes=false" >> $GITHUB_OUTPUT
echo "No provider manifest changes detected" > manifest_report.md
fi
cat manifest_report.md
# Step 4: Run package safety check on new dependencies
- name: Check new package safety
id: safety_check
if: steps.deps_check.outputs.has_changes == 'true'
continue-on-error: true
run: |
echo "## 🛡️ Supply Chain Security Check" > safety_report.md
echo "" >> safety_report.md
if [ -f new_deps.txt ] && [ -s new_deps.txt ]; then
# Run our custom safety check script
python scripts/check_package_safety.py new_deps.txt > safety_output.txt 2>&1
SAFETY_EXIT=$?
cat safety_output.txt >> safety_report.md
echo "" >> safety_report.md
# Parse automated check results
if grep -q "✅.*Trusted Sources.*All packages" safety_output.txt; then
echo "trusted_sources=pass" >> $GITHUB_OUTPUT
else
echo "trusted_sources=fail" >> $GITHUB_OUTPUT
fi
if grep -q "✅.*Typosquatting.*No suspicious" safety_output.txt; then
echo "typosquatting=pass" >> $GITHUB_OUTPUT
else
echo "typosquatting=fail" >> $GITHUB_OUTPUT
fi
if grep -q "✅.*License.*All licenses" safety_output.txt; then
echo "license=pass" >> $GITHUB_OUTPUT
else
echo "license=fail" >> $GITHUB_OUTPUT
fi
if [ $SAFETY_EXIT -eq 2 ]; then
echo "status=high_risk" >> $GITHUB_OUTPUT
echo "" >> safety_report.md
echo "⚠️ **HIGH RISK PACKAGES DETECTED**" >> safety_report.md
echo "Manual security review is **required** before merging this PR." >> safety_report.md
elif [ $SAFETY_EXIT -eq 1 ]; then
echo "status=medium_risk" >> $GITHUB_OUTPUT
echo "" >> safety_report.md
echo "⚠️ **MEDIUM RISK PACKAGES DETECTED**" >> safety_report.md
echo "Please review the warnings above before merging." >> safety_report.md
else
echo "status=pass" >> $GITHUB_OUTPUT
fi
else
echo "No new dependencies to check" >> safety_report.md
echo "status=pass" >> $GITHUB_OUTPUT
echo "trusted_sources=pass" >> $GITHUB_OUTPUT
echo "typosquatting=pass" >> $GITHUB_OUTPUT
echo "license=pass" >> $GITHUB_OUTPUT
fi
cat safety_report.md
# Step 5: Combine all reports and post as PR comment
- name: Create combined security report
id: report
run: |
echo "# 🔒 Dependency Security Report" > security_report.md
echo "" >> security_report.md
if [ "${{ steps.deps_check.outputs.has_changes }}" == "true" ] || [ "${{ steps.manifest_check.outputs.has_changes }}" == "true" ]; then
# 1. Show sync status if out of sync
if [ "${{ steps.req_sync.outputs.status }}" == "out_of_sync" ]; then
cat sync_report.md >> security_report.md
echo "" >> security_report.md
echo "---" >> security_report.md
echo "" >> security_report.md
fi
# 2. Modified Dependencies Section (consolidated)
echo "## 📦 Modified Dependencies" >> security_report.md
echo "" >> security_report.md
# Combine requirements_all.txt and manifest changes
HAS_DEPS=false
if [ "${{ steps.manifest_check.outputs.has_changes }}" == "true" ]; then
cat manifest_report.md | grep -v "^## " >> security_report.md
HAS_DEPS=true
fi
if [ "${{ steps.deps_check.outputs.has_changes }}" == "true" ]; then
if [ "$HAS_DEPS" = "true" ]; then
echo "" >> security_report.md
fi
cat deps_report.md | grep -v "^## " >> security_report.md
fi
echo "" >> security_report.md
echo "---" >> security_report.md
echo "" >> security_report.md
# 3. Vulnerability Scan Results
cat audit_report.md >> security_report.md
echo "" >> security_report.md
echo "---" >> security_report.md
echo "" >> security_report.md
# 4. Automated Security Checks
echo "### Automated Security Checks" >> security_report.md
echo "" >> security_report.md
# Vulnerability scan check
if [ "${{ steps.pip_audit.outputs.status }}" == "fail" ]; then
echo "- ❌ **Vulnerability Scan**: Failed - Known vulnerabilities detected" >> security_report.md
else
echo "- ✅ **Vulnerability Scan**: Passed - No known vulnerabilities" >> security_report.md
fi
# Trusted sources check
if [ "${{ steps.safety_check.outputs.trusted_sources }}" == "fail" ]; then
echo "- ❌ **Trusted Sources**: Some packages missing source repository" >> security_report.md
else
echo "- ✅ **Trusted Sources**: All packages have verified source repositories" >> security_report.md
fi
# Typosquatting check
if [ "${{ steps.safety_check.outputs.typosquatting }}" == "fail" ]; then
echo "- ❌ **Typosquatting Check**: Suspicious package names detected!" >> security_report.md
else
echo "- ✅ **Typosquatting Check**: No suspicious package names detected" >> security_report.md
fi
# License compatibility check
if [ "${{ steps.safety_check.outputs.license }}" == "fail" ]; then
echo "- ⚠️ **License Compatibility**: Some licenses may not be compatible" >> security_report.md
else
echo "- ✅ **License Compatibility**: All licenses are OSI-approved and compatible" >> security_report.md
fi
# Supply chain risk check
if [ "${{ steps.safety_check.outputs.status }}" == "high_risk" ]; then
echo "- ❌ **Supply Chain Risk**: High risk packages detected" >> security_report.md
elif [ "${{ steps.safety_check.outputs.status }}" == "medium_risk" ]; then
echo "- ⚠️ **Supply Chain Risk**: Medium risk - review recommended" >> security_report.md
else
echo "- ✅ **Supply Chain Risk**: Passed - packages appear mature and maintained" >> security_report.md
fi
echo "" >> security_report.md
# Check if automated PR
if [ "${{ steps.pr_type.outputs.is_automated }}" == "true" ]; then
echo "> 🤖 **Automated dependency update** - This PR is from a trusted source (dependabot/renovate) and will be auto-approved if all checks pass." >> security_report.md
echo "" >> security_report.md
fi
echo "### Manual Review" >> security_report.md
echo "" >> security_report.md
echo "**Maintainer approval required:**" >> security_report.md
echo "" >> security_report.md
echo "- [ ] **I have reviewed the changes above and approve these dependency updates**" >> security_report.md
echo "" >> security_report.md
if [ "${{ steps.pr_type.outputs.is_automated }}" == "true" ]; then
echo "_Automated PRs with all checks passing will be auto-approved._" >> security_report.md
else
echo "**To approve:** Comment \`/approve-dependencies\` or manually add the \`dependencies-reviewed\` label." >> security_report.md
fi
else
echo "✅ No dependency changes detected in this PR." >> security_report.md
fi
cat security_report.md
# Add to GitHub job summary (always available, even for forks)
cat security_report.md >> $GITHUB_STEP_SUMMARY
# Step 6: Post comment to PR
- name: Post security report to PR
uses: actions/github-script@v8
with:
script: |
const fs = require('fs');
const report = fs.readFileSync('security_report.md', 'utf8');
// Find existing bot comment
const comments = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
});
const botComment = comments.data.find(comment =>
comment.user.type === 'Bot' &&
comment.body.includes('🔒 Dependency Security Report')
);
if (botComment) {
// Update existing comment
await github.rest.issues.updateComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: botComment.id,
body: report
});
} else {
// Create new comment
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
body: report
});
}
# Step 7: Check for approval label (if dependencies changed)
- name: Check for security review approval
if: |
(steps.deps_check.outputs.has_changes == 'true' ||
steps.manifest_check.outputs.has_changes == 'true')
uses: actions/github-script@v8
with:
script: |
const labels = context.payload.pull_request.labels.map(l => l.name);
const hasReviewLabel = labels.includes('dependencies-reviewed');
const isAutomated = '${{ steps.pr_type.outputs.is_automated }}' === 'true';
const isHighRisk = '${{ steps.safety_check.outputs.status }}' === 'high_risk';
const hasFailed = '${{ steps.pip_audit.outputs.status }}' === 'fail';
if (isHighRisk) {
core.setFailed('🔴 HIGH RISK dependencies detected! This PR requires thorough security review before merging.');
} else if (hasFailed) {
core.setFailed('🔴 Known vulnerabilities detected! Please address the security issues above.');
} else if (isAutomated) {
// Auto-approve automated PRs if security checks passed
core.info('✅ Automated dependency update with passing security checks - auto-approved');
// Optionally add the label automatically
await github.rest.issues.addLabels({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
labels: ['dependencies-reviewed']
});
} else if (!hasReviewLabel) {
core.setFailed('⚠️ Dependency changes detected. A maintainer must add the "dependencies-reviewed" label after security review.');
} else {
core.info('✅ Security review approved via "dependencies-reviewed" label');
}
# Step 8: Fail the check if high-risk or vulnerabilities found
- name: Final security status
if: always()
run: |
if [ "${{ steps.pip_audit.outputs.status }}" == "fail" ]; then
echo "❌ Known vulnerabilities found!"
exit 1
fi
if [ "${{ steps.safety_check.outputs.status }}" == "high_risk" ]; then
echo "❌ High-risk packages detected!"
exit 1
fi
if [ "${{ steps.deps_check.outputs.has_changes }}" == "true" ] || [ "${{ steps.manifest_check.outputs.has_changes }}" == "true" ]; then
echo "⚠️ Dependency changes require review"
# Don't fail here - the label check above will handle it
fi
echo "✅ Security checks completed"