Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Gateway | ||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| pull_request: | ||
| branches: | ||
| - main | ||
| permissions: | ||
| contents: read # Чтение содержимого репозитория | ||
| pull-requests: write # Запись в pull request для добавления комментариев | ||
| jobs: | ||
| security-gateway: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v4 | ||
| with: | ||
| python-version: '3.9' | ||
| - name: Install dependencies | ||
| run: | | ||
| python -m pip install --upgrade pip | ||
| if [ -f "requirements.txt" ]; then | ||
| echo "Installing dependencies from requirements.txt..." | ||
| pip install -r requirements.txt || { echo "Dependency installation failed!"; exit 1; } | ||
| else | ||
| echo "requirements.txt not found! Skipping dependency installation." | ||
| exit 1 | ||
| fi | ||
| - name: Configure Django settings for testing | ||
| run: | | ||
| echo "Configuring Django settings for testing..." | ||
| # Создаем файл .env, если он не существует | ||
| if [ ! -f ".env" ]; then | ||
| echo "Creating .env file for testing..." | ||
| cat <<EOF > .env | ||
| DEBUG=True | ||
| SECRET_KEY=your_secret_key_for_testing | ||
| DATABASE_URL=postgres://postgres:postgres@localhost:5432/testdb | ||
| EOF | ||
| fi | ||
| # Импортируем переменные окружения из .env | ||
| export $(grep -v '^#' .env | xargs) | ||
| - name: Scan for vulnerabilities with Trivy | ||
| id: trivy-scan | ||
| uses: aquasecurity/trivy-action@master | ||
| with: | ||
| scan-type: fs # Сканирование файловой системы | ||
| severity: CRITICAL,HIGH # Проверка только критических и высоких угроз | ||
| exit-code: '1' # Возвращает ошибку, если найдены уязвимости | ||
| format: json # Форматирует результаты в JSON | ||
| output: trivy-report.json # Сохраняет результаты в файл | ||
| - name: Check Trivy results and stop release if vulnerabilities found | ||
| if: steps.trivy-scan.outcome == 'failure' | ||
| run: | | ||
| echo "Critical or high vulnerabilities found! Stopping the release." | ||
| exit 1 # Останавливаем пайплайн, если найдены критические уязвимости | ||
| - name: Upload Trivy report as artifact | ||
| if: always() # Выполняется всегда | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: trivy-report | ||
| path: trivy-report.json | ||
| - name: Comment on PR with Trivy findings | ||
| if: github.event_name == 'pull_request' && steps.trivy-scan.outcome == 'failure' | ||
| uses: thollander/actions-comment-pull-request@v1 | ||
| with: | ||
| message: | | ||
| ### Security Gateway Alert | ||
| Critical or high vulnerabilities have been detected by Trivy: | ||
| $(cat trivy-report.json | jq -r '.Results[]?.Vulnerabilities[]? | "\(.PkgName): \(.VulnerabilityID) - \(.Severity)"' || echo "No detailed vulnerabilities found.") | ||
| Please address these issues before merging this PR. | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Run CodeQL Analysis | ||
| uses: github/codeql-action/analyze@v2 | ||
| with: | ||
| category: "/language:python" # Анализ кода на Python | ||
