Vulnerability actions#
Vulnerability actions verify that any safety advisories detected in a Python library are properly identified and reported, both on the library itself and third-party libraries (that is, dependencies).
Check vulnerabilities action#
Note
Users can try out the ansys/check-vulnerabilities
action on their local repository
by doing the following:
Download the
check_vulnerabilities.py
script and therequirements.txt
file from the ansys/check-vulnerabilities action folder.Move the downloaded files to the root of the repository.
Create a virtual environment by running
python -m venv .venv
.Activate the virtual environment.
Install the required dependencies by running
pip install -r requirements.txt
.Install your repository with the command
pip install -e .
.Define the following environment variables:
DEPENDENCY_CHECK_TOKEN
: A GitHub token with the necessary permissions to access security advisories on the repository you are interested in.DEPENDENCY_CHECK_PACKAGE_NAME
: The Python package name of your repository. This is the name of the package that you would use in apip install
command.DEPENDENCY_CHECK_REPOSITORY
: The full name of the repository you are interested in. This is the name of the repository in the format<owner>/<repository>
.
Run the script by running
python check_vulnerabilities.py --run-local
.
Warning
The ansys/check-vulnerabilities
action needs to be performed on a public repository.
If the repository is private, the action will fail due to denied access.
Action actively checking for library and third party vulnerabilities by means of the bandit and safety Python packages. These packages allow you to identify security issues and vulnerabilities inside your code.
This action has two running modes:
Default mode: when running on default mode, if a security advisory is detected, this action will publish both the security advisory and an issue so that end users are informed about existing issues.
Development mode: repository maintainers are asked to activate the
dev-mode
option, which will activate bothdry-run
andexit-with-error-on-new-advisory
(independently of other configurations provided). This way developers are informed of potential vulnerabilities being introduced by them on their feature branch (while no new advisories are created).
The following list of safety vulnerabilities are accepted:
Input |
Description |
Required |
Type |
Default |
---|---|---|---|---|
token |
Token with write permissions on the repository. |
True |
string |
|
python-package-name |
Python package name being evaluate as it is shown on PyPI. |
True |
string |
|
extra-targets |
Extra targets to be evaluated by safety. By default, it is set to an empty string. This gets substituted to the library install command as follows (inside <INPUT>): # For pip install
pip install .[<INPUT>]
# For poetry install
poetry install --extras '<INPUT>'
|
False |
string |
|
source-directory |
The source folder of the repository to be evaluated by bandit.
By default, it is set to |
False |
string |
src |
repo-full-name |
The repository to be evaluated. By default, it is extracted from the GitHub context. |
False |
string |
|
dev-mode |
Whether to run or not this action in development mode. It will activate
by default the |
False |
boolean |
False |
dry-run |
Whether to run or not this action in dry run mode. Dry run mode executes all the action steps and prints on screen the results (if any). |
False |
boolean |
False |
exit-with-error-on-new-advisory |
Whether to exit the action on error if a new advisory is detected.
This mode is not recommended on |
False |
boolean |
False |
hide-log |
Whether to hide the output log of the GitHub action. By default, the log is available to anyone for public repositories. This would disclose any potential vulnerabilities to anyone. |
False |
boolean |
True |
upload-reports |
Whether to upload the artifacts containing the vulnerability report. By default, the report artifacts will not be uploaded to hide any potential vulnerabilities? |
False |
boolean |
False |
create-issues |
Whether to create issues for new advisories detected. By default, issues are NOT created for new advisories detected. |
False |
boolean |
False |
checkout |
Whether to clone the repository in the CI/CD machine. Default value is
|
False |
boolean |
True |
python-version |
Desired Python version. |
False |
string |
3.10 |
Examples#
Check library vulnerabilities
check-vulnerabilities:
name: "Check library vulnerabilities"
runs-on: ubuntu-latest
steps:
- uses: ansys/actions/check-vulnerabilities@v8.1
with:
python-version: ${{ env.MAIN_PYTHON_VERSION }}
token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
python-package-name: 'ansys-<product>-<library>'
dev-mode: ${{ github.ref != "refs/heads/main" }}