Vulnerability actions#

Vulnerability actions verify that any safety advisories detected in a Python library are properly identified and reported, both on the library itself and third-party libraries (that is, dependencies).

Check vulnerabilities action#

Note

Users can try out the ansys/check-vulnerabilities action on their local repository by doing the following:

  1. Download the check_vulnerabilities.py script and the requirements.txt file from the ansys/check-vulnerabilities action folder.

  2. Move the downloaded files to the root of the repository.

  3. Create a virtual environment by running python -m venv .venv.

  4. Activate the virtual environment.

  5. Install the required dependencies by running pip install -r requirements.txt.

  6. Install your repository with the command pip install -e ..

  7. Define the following environment variables:

    • DEPENDENCY_CHECK_TOKEN: A GitHub token with the necessary permissions to access security advisories on the repository you are interested in.

    • DEPENDENCY_CHECK_PACKAGE_NAME: The Python package name of your repository. This is the name of the package that you would use in a pip install command.

    • DEPENDENCY_CHECK_REPOSITORY: The full name of the repository you are interested in. This is the name of the repository in the format <owner>/<repository>.

  8. Run the script by running python check_vulnerabilities.py --run-local.

Warning

The ansys/check-vulnerabilities action needs to be performed on a public repository. If the repository is private, the action will fail due to denied access.

Action actively checking for library and third party vulnerabilities by means of the bandit and safety Python packages. These packages allow you to identify security issues and vulnerabilities inside your code.

This action has two running modes:

  • Default mode: when running on default mode, if a security advisory is detected, this action will publish both the security advisory and an issue so that end users are informed about existing issues.

  • Development mode: repository maintainers are asked to activate the dev-mode option, which will activate both dry-run and exit-with-error-on-new-advisory (independently of other configurations provided). This way developers are informed of potential vulnerabilities being introduced by them on their feature branch (while no new advisories are created).

The following list of safety vulnerabilities are accepted:

Source code for this action

Input

Description

Required

Type

Default

token

Token with write permissions on the repository.

True

string

python-package-name

Python package name being evaluate as it is shown on PyPI.

True

string

extra-targets

Extra targets to be evaluated by safety. By default, it is set to an empty string. This gets substituted to the library install command as follows (inside <INPUT>):

# For pip install
pip install .[<INPUT>]
# For poetry install
poetry install --extras '<INPUT>'

False

string

source-directory

The source folder of the repository to be evaluated by bandit. By default, it is set to src

False

string

src

repo-full-name

The repository to be evaluated. By default, it is extracted from the GitHub context.

False

string

dev-mode

Whether to run or not this action in development mode. It will activate by default the dry-run and exit-with-error-on-new-advisory flags.

False

boolean

False

dry-run

Whether to run or not this action in dry run mode. Dry run mode executes all the action steps and prints on screen the results (if any).

False

boolean

False

exit-with-error-on-new-advisory

Whether to exit the action on error if a new advisory is detected. This mode is not recommended on main branches since it will cause the workflow to fail. To be used on feature branches in combination with dry-run mode.

False

boolean

False

hide-log

Whether to hide the output log of the GitHub action. By default, the log is available to anyone for public repositories. This would disclose any potential vulnerabilities to anyone.

False

boolean

True

upload-reports

Whether to upload the artifacts containing the vulnerability report. By default, the report artifacts will not be uploaded to hide any potential vulnerabilities?

False

boolean

False

create-issues

Whether to create issues for new advisories detected. By default, issues are NOT created for new advisories detected.

False

boolean

False

checkout

Whether to clone the repository in the CI/CD machine. Default value is true.

False

boolean

True

python-version

Desired Python version.

False

string

3.10

Examples#

Check library vulnerabilities
check-vulnerabilities:
  name: "Check library vulnerabilities"
  runs-on: ubuntu-latest
  steps:
    - uses: ansys/actions/check-vulnerabilities@v8.1
      with:
        python-version: ${{ env.MAIN_PYTHON_VERSION }}
        token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
        python-package-name: 'ansys-<product>-<library>'
        dev-mode: ${{ github.ref != "refs/heads/main" }}