Vulnerability actions

Vulnerability actions verify that any safety advisories detected in a Python library are properly identified and reported, both for the library itself and for its third-party dependencies.
Check vulnerabilities action

Note

Users can try out the ansys/check-vulnerabilities action on their local repository by doing the following:

1. Download the `check_vulnerabilities.py` script and the `requirements.txt` file from the ansys/check-vulnerabilities action folder.
2. Move the downloaded files to the root of the repository.
3. Create a virtual environment by running `python -m venv .venv`.
4. Activate the virtual environment.
5. Install the required dependencies by running `pip install -r requirements.txt`.
6. Install your repository with the command `pip install -e .`.
7. Define the following environment variables:
   - `DEPENDENCY_CHECK_TOKEN`: A GitHub token with the necessary permissions to access security advisories on the repository you are interested in.
   - `DEPENDENCY_CHECK_PACKAGE_NAME`: The Python package name of your repository. This is the name of the package that you would use in a `pip install` command.
   - `DEPENDENCY_CHECK_REPOSITORY`: The full name of the repository you are interested in, in the format `<owner>/<repository>`.
8. Run the script by running `python check_vulnerabilities.py --run-local`.

Warning

The ansys/check-vulnerabilities action needs to be performed on a public repository. If the repository is private, the action will fail due to denied access.
This action actively checks for vulnerabilities in the library and its third-party dependencies by means of the bandit and safety Python packages. These packages allow you to identify security issues and vulnerabilities inside your code.

This action has two running modes:

- Default mode: if a security advisory is detected, this action publishes both the security advisory and an issue so that end users are informed about existing issues.
- Development mode: repository maintainers are asked to activate the `dev-mode` option, which activates both `dry-run` and `exit-with-error-on-new-advisory` (independently of any other configuration provided). This way developers are informed of potential vulnerabilities introduced on their feature branch, while no new advisories are created.

The following list of safety vulnerabilities is accepted:
| Input | Description | Required | Type | Default |
|---|---|---|---|---|
| token | Token with write permissions on the repository. | True | string | |
| python-package-name | Python package name being evaluated, as it is shown on PyPI. | True | string | |
| extra-targets | Extra targets to be evaluated by safety. By default, it is set to an empty string. The value is substituted into the library install command as follows (inside `<INPUT>`): `pip install .[<INPUT>]` for pip, or `poetry install --extras '<INPUT>'` for poetry. | False | string | |
| source-directory | The source folder of the repository to be evaluated by bandit. By default, it is set to `src`. | False | string | src |
| repo-full-name | The repository to be evaluated. By default, it is extracted from the GitHub context. | False | string | |
| dev-mode | Whether or not to run this action in development mode. It activates by default the `dry-run` and `exit-with-error-on-new-advisory` options. | False | boolean | False |
| dry-run | Whether or not to run this action in dry run mode. Dry run mode executes all the action steps and prints the results (if any) on screen. | False | boolean | False |
| exit-with-error-on-new-advisory | Whether to exit the action with an error if a new advisory is detected. This mode is not recommended on | False | boolean | False |
| hide-log | Whether to hide the output log of the GitHub action. By default, the log is available to anyone for public repositories, which would disclose any potential vulnerabilities to anyone. | False | boolean | True |
| upload-reports | Whether to upload the artifacts containing the vulnerability report. By default, the report artifacts are not uploaded, to avoid disclosing any potential vulnerabilities. | False | boolean | False |
| create-issues | Whether to create issues for new advisories detected. By default, issues are NOT created for new advisories detected. | False | boolean | False |
| checkout | Whether to clone the repository in the CI/CD machine. Default value is True. | False | boolean | True |
| python-version | Desired Python version. | False | string | 3.11 |
| use-uv | Whether to use uv as the default package manager instead of pip. Default value is True. | False | boolean | True |
Examples

Check library vulnerabilities

```yaml
check-vulnerabilities:
  name: "Check library vulnerabilities"
  runs-on: ubuntu-latest
  steps:
    - uses: ansys/actions/check-vulnerabilities@main
      with:
        python-version: ${{ env.MAIN_PYTHON_VERSION }}
        token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
        python-package-name: 'ansys-<product>-<library>'
        # GitHub expression strings must be single-quoted; dev-mode is on for every
        # branch except main, so feature branches get dry-run + exit-with-error.
        dev-mode: ${{ github.ref != 'refs/heads/main' }}
```
Check actions security action

This action helps audit GitHub workflows for vulnerabilities. It finds many common security issues in typical GitHub Actions CI/CD setups using zizmor.

| Input | Description | Required | Type | Default |
|---|---|---|---|---|
| token | Use the | False | string | |
| generate-summary | Whether to output a nicely formatted summary table showing the number of security issues per workflow file. Default value is True. | False | boolean | True |
| auditing-level | Equivalent to the zizmor `persona` option; controls zizmor's auditing sensitivity. Possible values are `normal`, `high`, and `strict`, which map to the `regular`, `pedantic`, and `auditor` persona options. Default value is high. | False | string | high |
| trust-ansys-actions | Whether to trust the | False | boolean | True |
Examples

Check actions security

```yaml
actions-security:
  name: "Check actions security"
  runs-on: ubuntu-latest
  steps:
    - uses: ansys/actions/check-actions-security@main
      with:
        generate-summary: true
        token: ${{ secrets.GITHUB_TOKEN }}
        auditing-level: 'high'
        trust-ansys-actions: true
```
Check environment approval

This action is used to determine whether a manual approval step is needed in the workflow. It evaluates the pull request workflow and determines the environment name to be used in the workflow. The environment name should then be used in a workflow job to trigger a manual approval step if needed.

The environment name is set to the `manual-check-environment` input if the workflow is triggered by dependabot[bot], or if the pull request was created by dependabot[bot] and pyansys-ci-bot is the actor triggering the workflow. Otherwise, it is set to the `skip-manual-check-environment` input.

The manual check is required to mitigate supply chain attacks, where a malicious dependency update could execute arbitrary code in our build environment. Dependabot PRs must be reviewed carefully and approved manually before running the CI.
Note

This action relies on the GitHub context to determine which environment to use. The manual approval can be added by referencing the GitHub environment in a workflow job and configuring the environment with deployment protection rules requiring a manual approval. For more information, see how to add required reviewers.
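The decision rule above, written out as an added shell example so each branch can be checked locally. This is not the action's own implementation; it assumes the triggering actor comes from `GITHUB_ACTOR` and the pull request author from `github.event.pull_request.user.login`, both passed in as arguments.

```shell
#!/usr/bin/env sh
# Added illustration of the check-environment-approval rule (not the action's code).
#   $1  actor that triggered the run (GITHUB_ACTOR)
#   $2  login of the pull request author ('' when not a pull request)
#   $3  manual-check-environment input  (default: dependabot)
#   $4  skip-manual-check-environment input (default: empty string)
decide_environment() {
  actor="$1"
  pr_author="$2"
  manual_env="${3:-dependabot}"
  skip_env="${4:-}"

  if [ "$actor" = "dependabot[bot]" ]; then
    # Run triggered directly by dependabot: force the manual-review environment.
    printf '%s\n' "$manual_env"
  elif [ "$pr_author" = "dependabot[bot]" ] && [ "$actor" = "pyansys-ci-bot" ]; then
    # Dependabot PR re-triggered by the CI bot: still needs a human approval.
    printf '%s\n' "$manual_env"
  else
    # Any other actor: use the skip environment (empty means no protection rule).
    printf '%s\n' "$skip_env"
  fi
}

# Publish the decision as a job output when running inside a workflow step,
# and echo it so the value is visible when run by hand.
emit_environment_output() {
  env_name="$(decide_environment "$@")"
  if [ -n "${GITHUB_OUTPUT:-}" ]; then
    printf 'environment=%s\n' "$env_name" >> "$GITHUB_OUTPUT"
  fi
  printf '%s\n' "$env_name"
}

# Constructed sample inputs (not taken from a real workflow run):
emit_environment_output "dependabot[bot]" "dependabot[bot]"   # prints "dependabot"
emit_environment_output "pyansys-ci-bot" "dependabot[bot]"    # prints "dependabot"
emit_environment_output "pyansys-ci-bot" "some-maintainer"    # prints an empty line
```

In a workflow, a job that sets `environment:` to the returned name is held by that environment's required-reviewer rule only when the name is non-empty.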
| Input | Description | Required | Type | Default |
|---|---|---|---|---|
| manual-check-environment | Name of the environment used to trigger manual checking. | False | string | dependabot |
| skip-manual-check-environment | Name of the environment used to skip the manual checking. This is useful when the workflow is triggered by a different actor than dependabot. | False | string | |
Examples

Check environment approval

```yaml
check-environment-approval:
  name: Check environment approval
  runs-on: ubuntu-latest
  outputs:
    environment: ${{ steps.block.outputs.environment }}
  steps:
    - name: Decide which environment should be used
      id: block
      uses: ansys/actions/check-environment-approval@main

check-dependabot-pr:
  needs: [check-environment-approval]
  name: Manual approval (on dependabot PRs)
  runs-on: ubuntu-latest
  environment: ${{ needs.check-environment-approval.outputs.environment }}
  steps:
    - name: Proceed after approval
      if: ${{ needs.check-environment-approval.outputs.environment == 'dependabot' }}
      run: |
        echo "::notice::Workflow approved."
    - name: Approval skipped
      if: ${{ needs.check-environment-approval.outputs.environment == '' }}
      run: |
        echo "::notice::Workflow approval skipped."
```