Description
CI pipeline doesn't include automated security scanning for dependencies or code vulnerabilities.
Tasks
- Add Bandit for Python security issues
- Add Safety for dependency vulnerabilities
- Add Dependabot for automated dependency updates
- Configure GitHub Security Advisories
- Add SAST (Static Application Security Testing)
- Document security scanning process
Implementation
# .github/workflows/security.yml
name: Security Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 0 * * 0' # Weekly
permissions:
  contents: read
  security-events: write  # required by codeql-action/upload-sarif
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.10'
      - name: Install dependencies
        run: |
          pip install "bandit[sarif]" safety  # the sarif extra enables `bandit -f sarif`
          pip install -r requirements.txt
      - name: Run Bandit security scan
        # upload-sarif expects SARIF, not Bandit's plain JSON report
        run: bandit -r payfast/ -f sarif -o bandit-report.sarif
      - name: Check dependencies with Safety
        run: safety check --json
      - name: Upload results
        if: always()  # Bandit exits non-zero on findings; still publish them to code scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: bandit-report.sarif

Dependabot Configuration
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10

Acceptance Criteria
- Security scans run automatically
- Vulnerabilities reported in PR
- Dependabot creates update PRs
- Documentation explains security process
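A merge gate for Bandit findings, added here as an example and not part of this issue or its repository: it reads the JSON that `bandit -f json -o bandit-report.json` writes, fails the job only on high-severity findings of at least medium confidence (Bandit itself exits non-zero on any finding), and emits GitHub annotations for the blocking ones. The `payfast/` paths and the findings in the embedded sample report are constructed.

```python
# Gate a CI job on Bandit's JSON report (added example, not part of the issue).
# Bandit exits non-zero on any finding; this fails the job only on findings at or
# above a chosen severity and confidence, read from `bandit -f json -o bandit-report.json`.
import json
import sys
from collections import Counter

LEVELS = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

# Constructed sample in Bandit's JSON layout (only the fields used here).
SAMPLE_REPORT = json.dumps({"results": [
    {"test_id": "B101", "issue_severity": "LOW", "issue_confidence": "HIGH",
     "filename": "payfast/utils.py", "line_number": 12,
     "issue_text": "Use of assert detected."},
    {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "filename": "payfast/export.py", "line_number": 40,
     "issue_text": "subprocess call with shell=True identified."},
    {"test_id": "B608", "issue_severity": "MEDIUM", "issue_confidence": "LOW",
     "filename": "payfast/db.py", "line_number": 77,
     "issue_text": "Possible SQL injection vector through string-based query."},
], "errors": []})


def blocking_findings(report_text, min_severity="HIGH", min_confidence="MEDIUM"):
    """Return findings that should block the merge as (test_id, file, line, text)."""
    return [
        (r["test_id"], r["filename"], r["line_number"], r["issue_text"])
        for r in json.loads(report_text).get("results", [])
        if LEVELS[r["issue_severity"]] >= LEVELS[min_severity]
        and LEVELS[r["issue_confidence"]] >= LEVELS[min_confidence]
    ]


def severity_counts(report_text):
    """Summary for the job log: number of findings at each severity."""
    return dict(Counter(r["issue_severity"] for r in json.loads(report_text)["results"]))


def main(path=None):
    text = open(path).read() if path else SAMPLE_REPORT
    print("Bandit findings by severity:", severity_counts(text))
    blocking = blocking_findings(text)
    for test_id, fname, line, msg in blocking:
        # GitHub Actions workflow command: renders as an annotation on the PR diff
        print(f"::error file={fname},line={line}::{test_id}: {msg}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as a workflow step after the Bandit step (`python ci/bandit_gate.py bandit-report.json`, a hypothetical path); the job fails only when a blocking finding is present.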