Vulnerability actions#

Vulnerability actions verify that any safety advisories detected in a Python library are properly identified and reported, both on the library itself and third-party libraries (that is, dependencies).

Check vulnerabilities action#

Note

Users can try out the ansys/check-vulnerabilities action on their local repository by doing the following:

Download the check_vulnerabilities.py, requirements.txt, and .safety-ignore.yml files from the ansys/check-vulnerabilities action folder.
Move the downloaded files to the root of the repository.

Create a first virtual environment for the project and install the repository:

python -m venv .venv
source .venv/bin/activate  # On Windows: .venv\Scripts\activate
pip install -e .

Dump the project dependencies to a file. This step is required to isolate the project dependencies from those of the security tools (safety and bandit), so that the tools’ own packages are not included in the vulnerability scan:
```
pip freeze > requirements-for-safety.txt
deactivate
```

Create a second virtual environment dedicated to the security tools and install them:

python -m venv .venv_bandit_safety
source .venv_bandit_safety/bin/activate  # On Windows: .venv_bandit_safety\Scripts\activate
pip install -r requirements.txt

Define the following environment variables:
- DEPENDENCY_CHECK_TOKEN: A GitHub token with the necessary permissions to access security advisories on the repository you are interested in.
- DEPENDENCY_CHECK_PACKAGE_NAME: The Python package name of your repository. This is the name of the package that you would use in a pip install command.
- DEPENDENCY_CHECK_REPOSITORY: The full name of the repository you are interested in. This is the name of the repository in the format <owner>/<repository>.
On corporate networks with SSL inspection, connections to external HTTPS endpoints is going to fail with an SSL certificate verification error because the requests library uses ``certifi`’s CA bundle <https://requests.readthedocs.io/en/latest/user/advanced/#ca-certificates>`_ and does not trust the corporate CA by default. Build a combined CA bundle that includes both your corporate root CA and the standard certifi bundle, then point REQUESTS_CA_BUNDLE to it:
```
# Export the corporate root CA from the OS store as PEM,
# then combine it with certifi's public CA bundle:
CA_BUNDLE=$(python -c "import certifi; print(certifi.where())")
cat "$CA_BUNDLE" /path/to/corporate-ca.pem > ~/combined-ca.pem
export REQUESTS_CA_BUNDLE=~/combined-ca.pem
```
Note

Setting REQUESTS_CA_BUNDLE to the corporate CA file alone is not sufficient: it replaces certifi’s bundle entirely, so public CAs (DigiCert, etc.) are no longer trusted. The combined bundle is required when the corporate proxy does not intercept all domains.

Note

Once you are done, you should delete the generated PEM files to keep your environment clean.
Run the script by running python check_vulnerabilities.py --run-local.

Warning

The requirements-for-safety.txt file must be kept up to date for the vulnerability scan to reflect the actual state of your dependencies:

If your dependencies are pinned (for example, package==1.2.3): regenerate
the file whenever you modify the file defining your project dependencies (for example, pyproject.toml).
If your dependencies are not pinned (for example, package>=1.2.0):
regenerate the file before each check as well, since the resolved versions may change over time even without any change to the dependency definitions.

To regenerate, delete requirements-for-safety.txt, then repeat steps 3 and 4 above (reinstall the project in the first virtual environment and run pip freeze > requirements-for-safety.txt again).

Warning

The ansys/check-vulnerabilities action needs to be performed on a public repository. If the repository is private, the action is going to fail due to denied access.

Documentation on how to address common vulnerabilities can be found in the PyAnsys developer’s guide.

Action actively checking for library and third party vulnerabilities by means of the bandit and safety Python packages. These packages allow you to identify security issues and vulnerabilities inside your code.

This action has two running modes:

Default mode: when running on default mode, if a security advisory is detected, this action will publish both the security advisory and an issue so that end users are informed about existing issues.
Development mode: repository maintainers are asked to activate the dev-mode option, which will activate both dry-run and exit-with-error-on-new-advisory (independently of other configurations provided). This way developers are informed of potential vulnerabilities being introduced by them on their feature branch (while no new advisories are created).

The following list of safety vulnerabilities are accepted:

Accepted safety vulnerabilities

No safety vulnerabilities are accepted at this moment.

Important

Required GitHub Permissions

contents: read - Required to checkout repository code when the repository is not public
security-events: write - Required to create security advisories
issues: write - Required to create issues (only when create-issues is set to true)

Source code for this action

Input	Description	Required	Type	Default
token	Token with write permissions on the repository.	True	string
python-package-name	Python package name being evaluate as it is shown on PyPI.	True	string
extra-targets	Extra targets to be evaluated by safety. By default, it is set to an empty string. In case the library is installed (default behavior with `skip-install` set to `false`), this gets substituted into the install command as follows (inside <INPUT>): # For pip install pip install .[<INPUT>] # For poetry install poetry install --extras '<INPUT>' If project installation is skipped (`skip-install` set to `true` - for pure documentation projects), this input can be used to specify the suffix of a requirements file found in the `/requirements` folder of the project. In that case, setting for instance `extra-targets: 'doc'` will therefore let safety evaluate targets listed in the `requirements/requirements_doc.txt` file.	False	string
bandit-configfile	Optional config file to use for selecting plugins, overriding defaults, and customizing checks performed by bandit. Path location should be relative to the repository root. If the provided file does not exist, the action will fail with an error.	False	string
safety-configfile	Path to a custom .safety-ignore.yml policy file to use with safety. If not provided, the action will use its default policy file. Path location should be relative to the repository root. For instance, if the policy file is located in the `/config` folder of the repository and is named `my-safety-policy.yml`, the input should be set to `config/my-safety-policy.yml`. If the provided file does not exist, the action will fail with an error.	False	string
source-directory	The source folder of the repository to be evaluated by bandit. By default, it is set to `src`	False	string	src
repo-full-name	The repository to be evaluated. By default, it is extracted from the GitHub context.	False	string
dev-mode	Whether to run or not this action in development mode. It will activate by default the `dry-run` and `exit-with-error-on-new-advisory` flags.	False	boolean	False
dry-run	Whether to run or not this action in dry run mode. Dry run mode executes all the action steps and prints on screen the results (if any).	False	boolean	False
exit-with-error-on-new-advisory	Whether to exit the action on error if a new advisory is detected. This mode is not recommended on `main` branches since it will cause the workflow to fail. To be used on `feature` branches in combination with `dry-run` mode.	False	boolean	False
hide-log	Whether to hide the output log of the GitHub action. By default, the log is available to anyone for public repositories. This would disclose any potential vulnerabilities to anyone.	False	boolean	True
upload-reports	Whether to upload the artifacts containing the vulnerability report. By default, the report artifacts is not uploaded. This option should not be enabled unless strictly necessary.	False	boolean	False
create-issues	Whether to create issues for new advisories detected. By default, issues are NOT created for new advisories detected.	False	boolean	False
checkout	Whether to clone the repository in the CI/CD machine. Default value is `true`.	False	boolean	True
skip-install	Whether to skip the installation of the project. Pure documentation projects require that this input be set to `true` because there is no Python library associated with the project.	False	boolean	False
python-version	Desired Python version.	False	string	3.11
use-uv	Whether to use uv as the default package manager instead of pip. Default value is `true`.	False	boolean	True

Examples#

Check actions security action#

Note

zizmor is configurable with a zizmor.yml file. This action uses this behind the scenes for the trust-ansys-actions option. If a custom zizmor.yml exists in the repository root, it takes precedence and the option is ignored. Refer to the zizmor configuration settings for details about setting up custom configuration.

To audit locally for faster feedback when addressing vulnerabilities:

Create a virtual environment with python -m venv .venv and activate it.
Install zizmor: pip install zizmor==1.23.1.
If the repository doesn’t use a custom zizmor.yml file, download the zizmor.yml file from the ansys/action check-actions-security folder and move it to the root of the repository.
1. If trust-ansys-actions has been set to false in the workflow (i.e., you pin ansys/actions with a SHA instead of a tag), you must edit the default policies in zizmor.yml as follows:
  Before
  rules: unpinned-uses: config: policies: ansys/*: ref-pin actions/*: hash-pin
  After
  rules: unpinned-uses: config: policies: ansys/*: hash-pin actions/*: hash-pin
Run zizmor --persona=pedantic . for a minimal audit (action’s default) or zizmor --persona=auditor . for a stricter audit.
To generate a summary table locally:
- Download the zizmor-summary.py file from the ansys/action python utilities folder and move it to the root of the repository.
- Set one of the following environment variables:
  - HIGH_AUDIT_LEVEL=--persona=pedantic for minimal audit.
  - STRICT_AUDIT_LEVEL=--persona=auditor for stricter audit.
- Run the script: python zizmor-summary.py.

For more details on addressing workflow vulnerabilities, see the relevant PyAnsys developer’s guide section.

This action helps audit GitHub workflows for vulnerabilities. It finds many common security issues in typical GitHub Actions CI/CD setups using zizmor. Consult zizmor audit rules for more information about detected issues and how to remediate them.

Important

Required GitHub Permissions

contents: read - Required to checkout repository code when the repository is not public

Source code for this action

Input	Description	Required	Type	Default
token	Use the `GH_TOKEN` to allow online audits by zizmor.	False	string
generate-summary	Whether to output a nicely formatted summary table showing the number of security issues per workflow file. Default value is `true`.	False	boolean	True
auditing-level	Equivalent to ‘persona’ zizmor option, controls zizmor’s auditing sensitivity. Possible values include ‘normal’, ‘high’, and ‘strict’, which map to ‘regular’, ‘pedantic’, and ‘auditor’ persona options. Default value is `high`.	False	string	high
trust-ansys-actions	Whether to trust the `ansys/actions`. Setting this option to true will allow pinning `ansys/actions` with tags. This option is ignored if a custom `zizmor.yml` file is detected in the repository. Default value is `true`.	False	boolean	True
checkout	Whether to do a checkout step or not. If `true`, the checkout step is performed. If `false`, the checkout is skipped allowing the workspace from a prior step to be used unaltered. By default it is set to `true`.	False	boolean	True