fix: upload audit log as artifact on failure
This commit is contained in:
parent
106bc8920c
commit
91eec1ae2d
@ -93,15 +93,24 @@ jobs:
|
|||||||
uv pip compile pyproject.toml --no-dev -o requirements-prod.txt
|
uv pip compile pyproject.toml --no-dev -o requirements-prod.txt
|
||||||
uv run pip-audit --format json --output audit-results.json -r requirements-prod.txt || true
|
uv run pip-audit --format json --output audit-results.json -r requirements-prod.txt || true
|
||||||
|
|
||||||
# Parse and display results
|
# Check if vulnerabilities found
|
||||||
if [ -s audit-results.json ] && [ "$(cat audit-results.json)" != "[]" ]; then
|
if [ -s audit-results.json ] && [ "$(cat audit-results.json)" != "[]" ]; then
|
||||||
echo "❌ Found vulnerabilities in production dependencies:"
|
echo "❌ Found vulnerabilities in production dependencies"
|
||||||
uv run python -c 'import json; data=json.load(open("audit-results.json")); [print(f" - {v.get(\"name\", \"unknown\")} {v.get(\"version\", \"\")}: {v.get(\"id\", \"\")}") for v in data]'
|
echo "📄 Audit log uploaded as artifact 'security-audit'"
|
||||||
exit 1
|
exit 1
|
||||||
else
|
else
|
||||||
echo "✅ No vulnerabilities in production dependencies"
|
echo "✅ No vulnerabilities in production dependencies"
|
||||||
|
rm -f audit-results.json
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
- name: Upload audit log
|
||||||
|
uses: actions/upload-artifact@v3
|
||||||
|
if: failure()
|
||||||
|
with:
|
||||||
|
name: security-audit
|
||||||
|
path: audit-results.json
|
||||||
|
retention-days: 7
|
||||||
|
|
||||||
- name: Check for secrets
|
- name: Check for secrets
|
||||||
run: |
|
run: |
|
||||||
if grep -r "password\s*=" --include="*.py" src/; then
|
if grep -r "password\s*=" --include="*.py" src/; then
|
||||||
|
|||||||
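Review bot: The `|| true` after `uv run pip-audit` (second line of the hunk) makes this step fail open: if pip-audit aborts before writing its output (vulnerability feed unreachable, resolver error), `[ -s audit-results.json ]` is false, the step prints "✅ No vulnerabilities in production dependencies" and passes, and the new `if: failure()` upload never runs because nothing failed. Capture the exit status instead, since pip-audit returns non-zero both when vulnerabilities are found and on error: `rc=0; uv run pip-audit --format json --output audit-results.json -r requirements-prod.txt || rc=$?` followed by `if [ "$rc" -ne 0 ]; then`, which keeps the artifact path intact and turns tool errors into a red build. The comparison against the literal `"[]"` is also fragile — if I recall correctly, current pip-audit `--format json` emits an object that lists every dependency with a `vulns` array rather than a bare list, so the check could fire even when all `vulns` arrays are empty; verify against the pip-audit version uv resolves. Separately, `actions/upload-artifact@v3` is a mutable tag on an old major version; pinning to a full commit SHA (and moving to a maintained release) is the usual supply-chain hygiene for workflow steps. The enclosing `run:` block of the audit step begins before this hunk.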