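---
# Weekly dependency vulnerability scan. Reports are always uploaded as the
# `dependency-reports` artifact; the job fails when either scanner reports
# findings (or fails to run) instead of discarding their exit codes.
name: Dependency Check

on:
  schedule:
    # Run weekly on Sundays at 2 AM UTC
    - cron: '0 2 * * 0'
  workflow_dispatch:

# Least privilege: checkout and artifact upload only need read access.
permissions:
  contents: read

jobs:
  dependency-scan:
    name: Dependency Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Third-party scanner packages run after this step; do not leave the
          # GITHUB_TOKEN in .git/config where any of them could read it.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: "3.11"

      - name: Install dependencies
        # NOTE(review): only the scanners are installed here. Both safety and
        # pip-audit audit the active environment, so the project's own
        # dependencies must be installed (or passed with -r) before the scan
        # step for the results to cover them — TODO confirm against the
        # repository's requirements layout.
        # TODO(review): pin scanner versions (e.g. safety==<pinned>,
        # pip-audit==<pinned>) so results are reproducible run to run.
        run: |
          python -m pip install --upgrade pip
          pip install safety pip-audit

      - name: Check for known vulnerabilities
        id: scan
        run: |
          echo "🔍 Scanning dependencies for known vulnerabilities..."
          # Record each scanner's exit status rather than discarding it with
          # `|| true`; reports are still produced, but findings are not lost.
          # safety's --output flag selects a report format, not a file path,
          # so the JSON report is captured from stdout instead.
          safety_rc=0
          safety check --json > safety-report.json || safety_rc=$?
          audit_rc=0
          pip-audit --format=json --output=pip-audit-report.json || audit_rc=$?
          echo "safety_rc=${safety_rc}" >> "$GITHUB_OUTPUT"
          echo "audit_rc=${audit_rc}" >> "$GITHUB_OUTPUT"

      - name: Generate dependency report
        # Runs even when the scan step failed, so the summary reflects reality.
        if: always()
        env:
          SAFETY_RC: ${{ steps.scan.outputs.safety_rc }}
          AUDIT_RC: ${{ steps.scan.outputs.audit_rc }}
        run: |
          echo "📊 Generating dependency report..."
          pip list --format=json > pip-list.json
          {
            echo "## 🔒 Security Scan Results"
            # Exit code 0 means no findings; anything else needs a look.
            echo "- Safety scan completed (exit code ${SAFETY_RC:-unknown})"
            echo "- Pip-audit scan completed (exit code ${AUDIT_RC:-unknown})"
            echo "- Reports generated in artifacts"
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Upload reports
        # v3 of upload-artifact is deprecated; always upload so findings can be
        # inspected even when the job is failed below.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: dependency-reports
          path: |
            safety-report.json
            pip-audit-report.json
            pip-list.json
          retention-days: 30

      - name: Fail if vulnerabilities were found
        # Outputs are compared as strings; an empty output (scan step did not
        # reach the export lines) also counts as a failure.
        if: steps.scan.outputs.safety_rc != '0' || steps.scan.outputs.audit_rc != '0'
        env:
          SAFETY_RC: ${{ steps.scan.outputs.safety_rc }}
          AUDIT_RC: ${{ steps.scan.outputs.audit_rc }}
        run: |
          echo "::error::Dependency scan reported findings or did not complete (safety=${SAFETY_RC:-unknown}, pip-audit=${AUDIT_RC:-unknown}); see the dependency-reports artifact."
          exit 1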