3f096c71ff
Co-authored-by: claude <claude@jpaul.io> Co-committed-by: claude <claude@jpaul.io>
43 lines
1.7 KiB
YAML
43 lines
1.7 KiB
YAML
# ci-security.yml — the security gate as a CI step (Module 15).
|
|
#
|
|
# This is a PROVIDER-NEUTRAL snippet, not a drop-in file. The YAML below uses the widely-shared
|
|
# "workflow / job / steps" shape that most hosted and self-hosted CI systems understand (the exact
|
|
# top-level keys and runner labels follow whatever host you set up in Module 14). Copy the *steps*
|
|
# into the pipeline you already have rather than adding a second, competing workflow.
|
|
#
|
|
# The contract is the same on every platform:
|
|
# 1. check out the code
|
|
# 2. install the scanners
|
|
# 3. run the gate (security-scan.sh), which exits non-zero on any finding -> the job goes red
|
|
#
|
|
# Because the real logic lives in security-scan.sh, this file stays tiny and your local run and your
|
|
# CI run can never drift apart.
|
|
|
|
name: security
|
|
|
|
on: [push, pull_request] # run on the same events as your Module 14 build/test job
|
|
|
|
jobs:
|
|
security-scan:
|
|
runs-on: ubuntu-latest # or your self-hosted runner label (Module 19)
|
|
steps:
|
|
- name: Check out the code
|
|
uses: actions/checkout@v7
|
|
# Secret scanning cares about history. If your tool scans commits (not just the working
|
|
# tree), fetch full history here — e.g. set `with: { fetch-depth: 0 }`.
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@v6
|
|
with:
|
|
python-version: "3.x"
|
|
|
|
- name: Install scanners
|
|
run: pip install pip-audit detect-secrets
|
|
|
|
- name: Run the security gate
|
|
run: |
|
|
chmod +x security-scan.sh
|
|
./security-scan.sh
|
|
# Non-zero exit fails the job. Require this job to pass before merge (branch protection on
|
|
# your remote, Module 8/10) and the gate actually has teeth.
|