Skip to content

Code Analysis

Code Analysis #121

Workflow file for this run

name: Code Analysis
on:
schedule:
- cron: '05 1 * * 3'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: [ "python" ]
python-version: [ "3.10", "3.11", "3.12.0-rc.3" ]
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v4
with:
python-version: ${{ matrix.python-version }}
cache: pip
- name: Install dependencies
run: |
echo "::group::Pip dependencies"
python -m pip install --upgrade pip setuptools wheel
python -m pip install --upgrade -r requirements-dev.txt -r requirements.txt
python -m pip install .
echo "::endgroup::"
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
setup-python-dependencies: false
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
- name: Install snyk to check for vulnerabilities
uses: snyk/actions/setup@master
- name: Run Snyk over the runtime dependencies
run: snyk test --sarif-file-output=snyk-requirements-${{ matrix.python-version }}.sarif --command=python --file=requirements.txt --package-manager=pip --skip-unresolved
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Upload Snyk runtime dependencies scan result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk-requirements-${{ matrix.python-version }}.sarif
category: requirements-runtime-${{ matrix.python-version }}
- name: Run Snyk over the development dependencies
run: snyk test --sarif-file-output=snyk-requirements-dev-${{ matrix.python-version }}.sarif --command=python --file=requirements-dev.txt --package-manager=pip --skip-unresolved
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Upload Snyk development dependencies scan result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk-requirements-dev-${{ matrix.python-version }}.sarif
category: requirements-dev-${{ matrix.python-version }}
- name: Run pip audit
uses: pypa/[email protected]
continue-on-error: true
with:
inputs: requirements.txt requirements-dev.txt