# 🛡️ Action: Security Audit

Surgical protection for your codebase by scanning dependencies for vulnerabilities and performing static security analysis on Python code.

> [!CAUTION]
> The Security Audit action enforces rigorous security compliance. By combining Static Application Security Testing (SAST) with deep dependency vulnerability scanning, it gates Pull Requests that introduce code-level risks or vulnerable third-party modules.
## Key Impact

- Dependency Shield: Scans your `requirements.txt` via Safety to detect known vulnerabilities in third-party packages.
- Static Analysis: Performs deep security audits of your Python source code using Bandit to identify common security smells.
- ⚙️ Configurable Audits: Skip specific audit rules or toggle between dependency and code scans independently.
- 🛡️ Shift Left Security: Catches critical security flaws during the CI process before they reach production environments.
## 🛠️ Configuration

| Input | Required | Default | Description |
|---|---|---|---|
| `python-version` | No | `3.11` | Python runtime version to use for auditing. |
| `target-path` | No | `.` | Directory or file path to scan for code security. |
| `scan-dependencies` | No | `true` | Whether to perform Safety dependency checks. |
| `scan-code` | No | `true` | Whether to perform Bandit static analysis. |
| `bandit-skip` | No | - | Comma-separated list of Bandit IDs to ignore. |
## ⚡ Quick Start

Drop this snippet into your workflow:

```yaml
steps:
  - name: 🛡️ Security Audit
    uses: carlos-camara/qa-hub-actions/security-audit@main
    with:
      target-path: "app/"
      scan-dependencies: "true"
```
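The snippet above shows a single step. The following complete workflow is an added example (not part of this README or the qa-hub-actions project) that exercises every input from the configuration table: it runs the two audit kinds as independent jobs so a dependency finding and a code finding surface as separate checks on the Pull Request, pins `python-version`, and uses `bandit-skip` to silence Bandit's `B101` (assert statements) rule for a test directory where asserts are expected. The workflow and job names, the `app/` and `tests/` paths and the choice of rules to skip are assumptions; only the action reference and its input names come from the README.

```yaml
# Added example workflow; file name and layout are assumptions.
name: Security Audit (example)

on:
  pull_request:
    branches: [main]

# Read-only token: the audit only needs to check out and scan the code.
permissions:
  contents: read

jobs:
  # Job 1: third-party packages only. Code scanning is switched off so a
  # vulnerable pin in requirements.txt fails this check on its own.
  dependencies:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Safety dependency scan
        uses: carlos-camara/qa-hub-actions/security-audit@main
        with:
          python-version: "3.11"
          scan-dependencies: "true"
          scan-code: "false"

  # Job 2: application source only, with dependency checks disabled.
  code:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Bandit scan of application code
        uses: carlos-camara/qa-hub-actions/security-audit@main
        with:
          python-version: "3.11"
          target-path: "app/"          # assumed source directory
          scan-dependencies: "false"
          scan-code: "true"

  # Job 3: test code, where `assert` is idiomatic, so Bandit rule B101
  # (assert_used) is skipped; keep the list as short as you can justify.
  tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Bandit scan of test code
        uses: carlos-camara/qa-hub-actions/security-audit@main
        with:
          python-version: "3.11"
          target-path: "tests/"        # assumed test directory
          scan-dependencies: "false"
          scan-code: "true"
          bandit-skip: "B101"
```

Splitting the scans into jobs costs a few extra minutes of runner time but makes the PR status page tell you at a glance which class of risk blocked the merge. Keep `bandit-skip` scoped to the path that needs it (here only the `tests` job) rather than applying it repository-wide, so a skipped rule never hides a real finding in `app/`.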
[View Full Wiki](https://carlos-camara.github.io/qa-hub-actions/actions/security-audit/)