Проверка безопасности #43
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Проверка безопасности | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| schedule: | |
| # Еженедельная проверка безопасности | |
| - cron: "0 4 * * 1" | |
| jobs: | |
| security: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Клонирование кода | |
| uses: actions/checkout@v5 | |
| - name: Настройка Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.11" | |
| cache: "pip" | |
| - name: Установка зависимостей | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -r requirements.txt | |
| pip install bandit safety | |
| - name: Запуск проверки безопасности Bandit | |
| run: | | |
| echo "Запуск проверки безопасности Bandit..." | |
| bandit -r . -f json -o bandit-report.json || true | |
| bandit -r . -f txt -o bandit-report.txt || true | |
| # Показываем результаты | |
| if [ -f bandit-report.txt ]; then | |
| echo "=== Отчет о безопасности Bandit ===" | |
| cat bandit-report.txt | |
| fi | |
| - name: Проверка известных уязвимостей | |
| run: | | |
| echo "Проверка известных уязвимостей..." | |
| safety check --json --output safety-report.json || true | |
| safety check --output safety-report.txt || true | |
| # Показываем результаты | |
| if [ -f safety-report.txt ]; then | |
| echo "=== Отчет об уязвимостях Safety ===" | |
| cat safety-report.txt | |
| fi | |
| - name: Загрузка отчетов безопасности | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: отчеты-безопасности | |
| path: | | |
| bandit-report.json | |
| bandit-report.txt | |
| safety-report.json | |
| safety-report.txt | |
| retention-days: 30 | |
| - name: Комментирование PR с результатами безопасности | |
| if: github.event_name == 'pull_request' | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| let comment = '## 🔒 Результаты проверки безопасности\n\n'; | |
| // Результаты Bandit | |
| if (fs.existsSync('bandit-report.txt')) { | |
| const banditContent = fs.readFileSync('bandit-report.txt', 'utf8'); | |
| if (banditContent.trim()) { | |
| comment += '### 🚨 Проблемы безопасности Bandit\n\n'; | |
| comment += '```\n' + banditContent + '\n```\n\n'; | |
| } else { | |
| comment += '✅ Проблем безопасности Bandit не найдено\n\n'; | |
| } | |
| } | |
| // Результаты Safety | |
| if (fs.existsSync('safety-report.txt')) { | |
| const safetyContent = fs.readFileSync('safety-report.txt', 'utf8'); | |
| if (safetyContent.trim()) { | |
| comment += '### ⚠️ Известные уязвимости\n\n'; | |
| comment += '```\n' + safetyContent + '\n```\n\n'; | |
| } else { | |
| comment += '✅ Известных уязвимостей не найдено\n\n'; | |
| } | |
| } | |
| comment += '---\n*Этот отчет был сгенерирован автоматически GitHub Actions*'; | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: comment | |
| }); |