Vulnerability actions#

Vulnerability actions verify that any safety advisories detected in a Python library are properly identified and reported, both on the library itself and third-party libraries (that is, dependencies).

Check vulnerabilities action#

Note

Users can try out the ansys/check-vulnerabilities action on their local repository by doing the following:

Download the check_vulnerabilities.py script and the requirements.txt file from the ansys/check-vulnerabilities action folder.
Move the downloaded files to the root of the repository.
Create a virtual environment by running python -m venv .venv.
Activate the virtual environment.
Install the required dependencies by running pip install -r requirements.txt.
Install your repository with the command pip install -e ..
Define the following environment variables:
- DEPENDENCY_CHECK_TOKEN: A GitHub token with the necessary permissions to access security advisories on the repository you are interested in.
- DEPENDENCY_CHECK_PACKAGE_NAME: The Python package name of your repository. This is the name of the package that you would use in a pip install command.
- DEPENDENCY_CHECK_REPOSITORY: The full name of the repository you are interested in. This is the name of the repository in the format <owner>/<repository>.
Run the script by running python check_vulnerabilities.py --run-local.

Warning

The ansys/check-vulnerabilities action needs to be performed on a public repository. If the repository is private, the action will fail due to denied access.

Documentation on how to address common vulnerabilities can be found in the PyAnsys developer’s guide.

Action actively checking for library and third party vulnerabilities by means of the bandit and safety Python packages. These packages allow you to identify security issues and vulnerabilities inside your code.

This action has two running modes:

Default mode: when running on default mode, if a security advisory is detected, this action will publish both the security advisory and an issue so that end users are informed about existing issues.
Development mode: repository maintainers are asked to activate the dev-mode option, which will activate both dry-run and exit-with-error-on-new-advisory (independently of other configurations provided). This way developers are informed of potential vulnerabilities being introduced by them on their feature branch (while no new advisories are created).

The following list of safety vulnerabilities are accepted:

Accepted safety vulnerabilities

No safety vulnerabilities are accepted at this moment.

Important

Required GitHub Permissions

contents: read - Required to checkout repository code when the repository is not public
security-events: write - Required to create security advisories
issues: write - Required to create issues (only when create-issues is set to true)

Source code for this action

Input	Description	Required	Type	Default
token	Token with write permissions on the repository.	True	string
python-package-name	Python package name being evaluate as it is shown on PyPI.	True	string
extra-targets	Extra targets to be evaluated by safety. By default, it is set to an empty string. In case the library is installed (default behavior with `skip-install` set to `false`), this gets substituted into the install command as follows (inside <INPUT>): # For pip install pip install .[<INPUT>] # For poetry install poetry install --extras '<INPUT>' If project installation is skipped (`skip-install` set to `true` - for pure documentation projects), this input can be used to specify the suffix of a requirements file found in the `/requirements` folder of the project. In that case, setting for instance `extra-targets: 'doc'` will therefore let safety evaluate targets listed in the `requirements/requirements_doc.txt` file.	False	string
bandit-configfile	Optional config file to use for selecting plugins, overriding defaults, and customizing checks performed by bandit. Path location should be relative to the repository root. If the provided file does not exist, the action will fail with an error.	False	string
safety-configfile	Path to a custom .safety-ignore.yml policy file to use with safety. If not provided, the action will use its default policy file. Path location should be relative to the repository root. For instance, if the policy file is located in the `/config` folder of the repository and is named `my-safety-policy.yml`, the input should be set to `config/my-safety-policy.yml`. If the provided file does not exist, the action will fail with an error.	False	string
source-directory	The source folder of the repository to be evaluated by bandit. By default, it is set to `src`	False	string	src
repo-full-name	The repository to be evaluated. By default, it is extracted from the GitHub context.	False	string
dev-mode	Whether to run or not this action in development mode. It will activate by default the `dry-run` and `exit-with-error-on-new-advisory` flags.	False	boolean	False
dry-run	Whether to run or not this action in dry run mode. Dry run mode executes all the action steps and prints on screen the results (if any).	False	boolean	False
exit-with-error-on-new-advisory	Whether to exit the action on error if a new advisory is detected. This mode is not recommended on `main` branches since it will cause the workflow to fail. To be used on `feature` branches in combination with `dry-run` mode.	False	boolean	False
hide-log	Whether to hide the output log of the GitHub action. By default, the log is available to anyone for public repositories. This would disclose any potential vulnerabilities to anyone.	False	boolean	True
upload-reports	Whether to upload the artifacts containing the vulnerability report. By default, the report artifacts is not uploaded. This option should not be enabled unless strictly necessary.	False	boolean	False
create-issues	Whether to create issues for new advisories detected. By default, issues are NOT created for new advisories detected.	False	boolean	False
checkout	Whether to clone the repository in the CI/CD machine. Default value is `true`.	False	boolean	True
skip-install	Whether to skip the installation of the project. Pure documentation projects require that this input be set to `true` because there is no Python library associated with the project.	False	boolean	False
python-version	Desired Python version.	False	string	3.11
use-uv	Whether to use uv as the default package manager instead of pip. Default value is `true`.	False	boolean	True

Examples#

Check actions security action#

Note

zizmor is configurable with a zizmor.yml file. This action uses this behind the scenes for the trust-ansys-actions option. If a custom zizmor.yml exists in the repository root, it takes precedence and the option is ignored. Refer to the zizmor configuration settings for details about setting up custom configuration.

To audit locally for faster feedback when addressing vulnerabilities:

Create a virtual environment with python -m venv .venv and activate it.
Install zizmor: pip install zizmor==1.16.0.
If the repository doesn’t use a custom zizmor.yml file, download the zizmor.yml file from the ansys/action check-actions-security folder and move it to the root of the repository.
1. If trust-ansys-actions has been set to false in the workflow (i.e., you pin ansys/actions with a SHA instead of a tag), you must edit the default policies in zizmor.yml as follows:
  Before
  rules: unpinned-uses: config: policies: ansys/*: ref-pin actions/*: hash-pin
  After
  rules: unpinned-uses: config: policies: ansys/*: hash-pin actions/*: hash-pin
Run zizmor --persona=pedantic . for a minimal audit (action’s default) or zizmor --persona=auditor . for a stricter audit.
To generate a summary table locally:
- Download the zizmor-summary.py file from the ansys/action python utilities folder and move it to the root of the repository.
- Set one of the following environment variables:
  - HIGH_AUDIT_LEVEL=--persona=pedantic for minimal audit.
  - STRICT_AUDIT_LEVEL=--persona=auditor for stricter audit.
- Run the script: python zizmor-summary.py.

For more details on addressing workflow vulnerabilities, see the relevant PyAnsys developer’s guide section.

This action helps audit GitHub workflows for vulnerabilities. It finds many common security issues in typical GitHub Actions CI/CD setups using zizmor. Consult zizmor audit rules for more information about detected issues and how to remediate them.

Important

Required GitHub Permissions

contents: read - Required to checkout repository code when the repository is not public

Source code for this action

Input	Description	Required	Type	Default
token	Use the `GH_TOKEN` to allow online audits by zizmor.	False	string
generate-summary	Whether to output a nicely formatted summary table showing the number of security issues per workflow file. Default value is `true`.	False	boolean	True
auditing-level	Equivalent to ‘persona’ zizmor option, controls zizmor’s auditing sensitivity. Possible values include ‘normal’, ‘high’, and ‘strict’, which map to ‘regular’, ‘pedantic’, and ‘auditor’ persona options. Default value is `high`.	False	string	high
trust-ansys-actions	Whether to trust the `ansys/actions`. Setting this option to true will allow pinning `ansys/actions` with tags. This option is ignored if a custom `zizmor.yml` file is detected in the repository. Default value is `true`.	False	boolean	True
checkout	Whether to do a checkout step or not. If `true`, the checkout step is performed. If `false`, the checkout is skipped allowing the workspace from a prior step to be used unaltered. By default it is set to `true`.	False	boolean	True