code_scan.yml

name: Code Scanning

on:
  workflow_dispatch: # run on request (no need for PR)
  schedule:
    # every UTC 6PM from Mon to Fri
    - cron: "0 18 * * 1-5"

jobs:
  Bandit:
    runs-on: ubuntu-20.04
    steps:
      - name: CHECKOUT REPOSITORY
        uses: actions/checkout@v3
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: "3.10"
      - name: Install dependencies
        run: python -m pip install tox
      - name: Bandit Scanning
        run: tox -e bandit-scan
      - name: UPLOAD BANDIT REPORT
        uses: actions/upload-artifact@v3
        with:
          name: bandit-report
          path: .tox/bandit-report.txt
        # Use always() to always run this step to publish scan results when there are test failures
        if: ${{ always() }}
  Snyk-scan:
    runs-on: [self-hosted, linux, x64]
    permissions:
      security-events: write
    steps:
      - name: CHECKOUT REPOSITORY
        uses: actions/checkout@v3
      - name: Install Tox
        run: python -m pip install tox
      - name: SNYK SCANNING
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          SNYK_ENDPOINT: ${{ secrets.SNYK_ENDPOINT }}
        continue-on-error: true
        run: tox -e snyk-scan
      - name: UPLOAD TO SECURITY ADVISORIES
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: .tox/snyk.sarif
      - name: UPLOAD SNYK REPORT
        uses: actions/upload-artifact@v3
        with:
          name: snyk-report
          path: .tox/snyk.html
        # Use always() to always run this step to publish scan results when there are test failures
        if: ${{ always() }}