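# Security scanning workflow: secret detection, dependency vulnerability
# checks and security-focused static analysis, on push/PR and weekly.
# Actions are referenced by major-version tag; pinning each `uses:` to a full
# commit SHA would additionally protect against a retargeted tag.
name: Security Checks

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 0 * * 0'  # Weekly on Sunday (00:00 UTC)

jobs:
  # Secret detection: Gitleaks over the full git history plus a pattern grep
  # over the working tree. Only the grep step can fail this job, because
  # Gitleaks runs with continue-on-error.
  secret-scanning:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so Gitleaks can scan every commit

      - name: Run Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
        # Advisory only: a Gitleaks failure (including a missing licence) does
        # not block the job; the grep step below is the enforcing check.
        continue-on-error: true

      - name: Check for hardcoded secrets
        run: |
          echo "🔍 Scanning for hardcoded secrets..."

          # Shared grep invocation for every pattern below.
          # -l prints matching file names only, so a real secret is never
          #    copied into the CI log by the scanner itself.
          # .github is excluded because this workflow file contains the very
          #    pattern strings it searches for and would otherwise match
          #    itself; workflow files are still covered by Gitleaks above.
          find_pattern() {
            grep -rlE "$1" \
              --include="*.py" --include="*.json" --include="*.yml" --include="*.yaml" \
              --exclude-dir=.venv --exclude-dir=__pycache__ --exclude-dir=.pytest_cache \
              --exclude-dir=.github \
              . 2>/dev/null
          }

          # Check for potential API keys
          if find_pattern "nutr_sk_"; then
            echo "❌ Found hardcoded API keys!"
            exit 1
          fi

          # Check for base64 encoded secrets (common Nutrient patterns)
          if find_pattern "bnV0cl9za18"; then
            echo "❌ Found base64 encoded API keys!"
            exit 1
          fi

          # Check for other common secret key prefixes. Anchored to a word
          # boundary and followed by a key-like run of characters so that
          # ordinary identifiers such as task_id or mask_value do not trip it
          # (the bare "sk_|pk_" substring match did). Heuristic only.
          if find_pattern "\b(sk|pk)_[A-Za-z0-9_]{16,}"; then
            echo "❌ Found potential secret keys!"
            exit 1
          fi

          # Check for AWS/cloud secrets
          if find_pattern "(AKIA[0-9A-Z]{16}|aws_access_key_id|aws_secret_access_key)"; then
            echo "❌ Found potential AWS secrets!"
            exit 1
          fi

          echo "✅ No hardcoded secrets found"

  # Dependency vulnerability scanning (Safety, pip-audit) and Bandit SAST.
  # Every scanner step is advisory (continue-on-error); the JSON reports are
  # uploaded as an artifact for review rather than failing the build.
  dependency-check:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # least privilege: the job only reads the repo and uploads an artifact
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'
          cache: 'pip'
          cache-dependency-path: 'pyproject.toml'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
          pip install safety bandit

      - name: Run Safety check
        run: |
          echo "🔍 Running Safety security scan..."
          safety check --json --output safety-report.json || echo "⚠️ Safety found issues but continuing..."
          # Display summary if report exists
          if [ -f safety-report.json ]; then
            echo "Safety report generated - check artifacts for details"
          fi
        continue-on-error: true

      - name: Run Bandit security linter
        run: |
          echo "🔍 Running Bandit security linter..."
          bandit -r src/ -f json -o bandit-report.json || echo "⚠️ Bandit found issues but continuing..."
          # Display summary
          bandit -r src/ --severity-level medium || echo "⚠️ Medium+ severity issues found"
        continue-on-error: true

      - name: Run pip audit (if available)
        run: |
          echo "🔍 Running pip audit..."
          pip install pip-audit || echo "pip-audit not available"
          pip-audit --format=json --output=pip-audit-report.json || echo "⚠️ pip-audit found issues but continuing..."
        continue-on-error: true

      # Runs last (and on failure) so that all three reports are captured;
      # the pip-audit report used to be produced after this upload step and
      # was never included in the artifact.
      - name: Upload security scan results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: security-reports-${{ github.run_number }}
          path: |
            safety-report.json
            bandit-report.json
            pip-audit-report.json
          retention-days: 30

  # Security-focused lint: ruff's "S" rule set (the flake8-bandit checks).
  code-quality:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # least privilege: read-only checkout is all this job needs
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'
          cache: 'pip'
          cache-dependency-path: 'pyproject.toml'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"

      - name: Run additional security checks with ruff
        run: |
          echo "🔍 Running security-focused linting..."
          python -m ruff check . --select=S  # Security rules
        # Advisory: findings are reported in the log but do not fail the job.
        continue-on-error: true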