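# GitHub Actions workflow: dependency vulnerability scanning with osv-scanner
# and trivy, triggered on pull requests that touch dependency manifests, lock
# files, or this workflow itself.
name: Dependencies security scan

on:
  pull_request:
    paths:
      # Was "requiremests*.txt" (typo), so the scan never fired on the very
      # files it exists to check.
      - "requirements*.txt"
      - ".github/workflows/deps-security-scan.yaml"
      - "*.lock"
      - "pyproject.toml"

# The job only reads the checkout; keep the job token read-only.
permissions:
  contents: read

jobs:
  security-scans:
    runs-on: [self-hosted, noble]
    steps:
      - name: Install tools
        run: |
          # The snap installs are started asynchronously and their change ids
          # are collected, so the apt install can proceed in parallel; the
          # final `snap watch` blocks until every snap change has completed.
          sudo snap install --no-wait osv-scanner trivy > ${{ runner.temp }}/snap.watch
          sudo snap install --no-wait --classic astral-uv >> ${{ runner.temp }}/snap.watch
          sudo apt-get update
          sudo apt-get --yes install python3-venv python3-build python-apt-dev
          xargs --arg-file=${{ runner.temp }}/snap.watch -n 1 snap watch
      # NOTE(review): a moving tag is used here; pinning the action to a full
      # commit SHA is the usual supply-chain hardening for third-party actions.
      - uses: actions/checkout@v4
      - name: Prepare venv
        run: |
          # Builds the sdist/wheel into dist/, scanned by the last step below.
          pyproject-build
      # Each scan below still runs when an earlier scan fails, so findings
      # from one tool are not hidden by a failure in another.
      - name: Scan requirements with osv-scanner
        if: ${{ !cancelled() }}
        run: |
          ls -1 requirements*.txt | xargs -I{} osv-scanner --config=.osv-config.toml --lockfile=requirements.txt:{}
      - name: Scan source directory with osv-scanner
        if: ${{ !cancelled() }}
        run: osv-scanner --config=.osv-config.toml --recursive .
      - name: Scan requirements with trivy
        if: ${{ !cancelled() }}
        # Was `trivy filesystem--ignorefile` (missing space), which trivy
        # rejects as an unknown subcommand, so this scan never produced results.
        run: ls -1 requirements*.txt | xargs -n 1 trivy filesystem --ignorefile .trivyignore.yaml
      - name: Scan installed venv with trivy
        if: ${{ !cancelled() }}
        run: |
          uv venv
          # ".[dev]" is quoted so the shell does not treat [dev] as a glob.
          uv pip install -r requirements-dev.txt -r requirements-noble.txt -e ".[dev]"
          trivy filesystem --ignorefile .trivyignore.yaml .venv
      - name: Scan distributable files with trivy
        if: ${{ !cancelled() }}
        run: ls -1 dist/* | xargs -n 1 trivy filesystem --ignorefile .trivyignore.yaml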