sasaasgd

.github/workflows/dockerfile.yml

@@ -0,0 +1,24 @@
+name: Dockerfile
+
+# Relevant to events - https://help.github.com/en/actions/automating-your-workflow-with-github-actions/events-that-trigger-workflows
+on: 
+  pull_request:
+    types: [synchronize, opened, reopened, ready_for_review]
+    paths:
+    - '**.Dockerfile'
+
+jobs:
+  # Linting
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: docker://hadolint/hadolint:latest
+      - uses: actions/checkout@v2
+      # - name: Installing dependencies..
+      #   run: if ! apt list --installed | grep -qP "^hadolint -"; then apt install -y hadolint; fi
+      - name: Linting..
+        run: |
+          cd "$GITHUB_WORKSPACE" && for file in $(git ls-tree --name-only -r ${{ github.sha }} | grep '\.Dockerfile$'); do
+            printf 'checking dockerfile %s using hadolint\n' "$file"
+            hadolint "$file"
+          done

.github/workflows/python.yml

@@ -58,7 +58,7 @@ jobs:
         pip install pytest
         # FIXME: False triggers on files which names continues after set extension
         cd "$GITHUB_WORKSPACE" && for file in $(git ls-tree --name-only -r ${{ github.sha }} | grep '\.py$'); do pytest "$file"; done
-  lint-window-python-3_5:
+  lint-windows-python-3_5:
     runs-on: windows-latest
     steps:
     - uses: actions/checkout@v2
@@ -82,6 +82,27 @@ jobs:
         pip install pytest
         # FIXME: False triggers on files which names continues after set extension
         cd "$GITHUB_WORKSPACE" && for file in $(git ls-tree --name-only -r ${{ github.sha }} | grep '\.py$'); do pytest "$file"; done
+  security-check-python-3_5:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Configuring backend..
+      uses: actions/setup-python@v1
+      with:
+        python-version: 3.5
+    - name: Installing python dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install -r requirements.txt
+    - name: Installing linting dependencies
+      run: |
+        if apt list --installed | grep -qP "^bandit -"; then sudo apt install -y bandit; fi
+    - name: Linting..
+      run: |
+        cd "$GITHUB_WORKSPACE" && for file in $(git ls-tree --name-only -r ${{ github.sha }} | grep '\.py$'); do
+            printf 'checking python file %s for security issues\n' "$file"
+            bandit "$file"
+          done
 
   # Linting 3.6
   lint-linux-python-3_6:
@@ -156,6 +177,27 @@ jobs:
         pip install pytest
         # FIXME: False triggers on files which names continues after set extension
         cd "$GITHUB_WORKSPACE" && for file in $(git ls-tree --name-only -r ${{ github.sha }} | grep '\.py$'); do pytest "$file"; done
+  security-check-python-3_6:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Configuring backend..
+      uses: actions/setup-python@v1
+      with:
+        python-version: 3.6
+    - name: Installing python dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install -r requirements.txt
+    - name: Installing linting dependencies
+      run: |
+        if apt list --installed | grep -qP "^bandit -"; then sudo apt install -y bandit; fi
+    - name: Linting..
+      run: |
+        cd "$GITHUB_WORKSPACE" && for file in $(git ls-tree --name-only -r ${{ github.sha }} | grep '\.py$'); do
+            printf 'checking python file %s for security issues\n' "$file"
+            bandit "$file"
+          done
   
   # Linting 3.7
   lint-linux-python-3_7:
@@ -230,6 +272,27 @@ jobs:
         pip install pytest
         # FIXME: False triggers on files which names continues after set extension
         cd "$GITHUB_WORKSPACE" && for file in $(git ls-tree --name-only -r ${{ github.sha }} | grep '\.py$'); do pytest "$file"; done
+  security-check-python-3_7:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Configuring backend..
+      uses: actions/setup-python@v1
+      with:
+        python-version: 3.7
+    - name: Installing python dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install -r requirements.txt
+    - name: Installing linting dependencies
+      run: |
+        if apt list --installed | grep -qP "^bandit -"; then sudo apt install -y bandit; fi
+    - name: Linting..
+      run: |
+        cd "$GITHUB_WORKSPACE" && for file in $(git ls-tree --name-only -r ${{ github.sha }} | grep '\.py$'); do
+            printf 'checking python file %s for security issues\n' "$file"
+            bandit "$file"
+          done
 
   # Linting 3.8
   lint-linux-python-3_8:
@@ -303,4 +366,25 @@ jobs:
       run: |
         pip install pytest
         # FIXME: False triggers on files which names continues after set extension
-        cd "$GITHUB_WORKSPACE" && for file in $(git ls-tree --name-only -r ${{ github.sha }} | grep '\.py$'); do pytest "$file"; done
+        cd "$GITHUB_WORKSPACE" && for file in $(git ls-tree --name-only -r ${{ github.sha }} | grep '\.py$'); do pytest "$file"; done
+  security-check-python-3_8:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Configuring backend..
+      uses: actions/setup-python@v1
+      with:
+        python-version: 3.8
+    - name: Installing python dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install -r requirements.txt
+    - name: Installing linting dependencies
+      run: |
+        if apt list --installed | grep -qP "^bandit -"; then sudo apt install -y bandit; fi
+    - name: Linting..
+      run: |
+        cd "$GITHUB_WORKSPACE" && for file in $(git ls-tree --name-only -r ${{ github.sha }} | grep '\.py$'); do
+            printf 'checking python file %s for security issues\n' "$file"
+            bandit "$file"
+          done

.hadolint.yml

@@ -0,0 +1,5 @@
+trustedRegistries:
+  - docker.io
+  - debian
+  - gitpod
+  - hadolint

bandit.yml

@@ -0,0 +1,2 @@
+# Configuration file for bandit (security check for python)
+