Merge pull request #7219 from freedomofpress/gha-static-security

Migrate static-analysis-and-no-known-cves to GitHub Actions
freedomofpress · Aug 15, 2024 · b29ac77 · b29ac77
2 parents 97046f5 + 8ba80bd
commit b29ac77
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 39 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -230,37 +230,6 @@ jobs:
       - store_artifacts:
           path: ~/project/test-results
 
-  static-analysis-and-no-known-cves:
-    machine:
-      image: ubuntu-2004:current
-      enabled: true
-    environment:
-      DOCKER_API_VERSION: 1.24
-      BASE_OS: focal
-    steps:
-      - checkout
-      - *rebaseontarget
-      - *createcachedir
-      - *restorecache
-      - *loadimagelayers
-      - *dockerimagebuild
-      - *saveimagelayers
-      - *savecache
-
-      - run:
-          name: Check Python dependencies for CVEs
-          command: |
-            fromtag=$(docker images |grep securedrop-test-focal-py3 |head -n1 |awk '{print $2}')
-            DOCKER_BUILD_ARGUMENTS="--cache-from securedrop-test-focal-py3:${fromtag:-latest}" securedrop/bin/dev-shell \
-                  bash -c "pip3 install -U -q --upgrade safety && make -C .. safety"
-
-      - run:
-          name: Run static security testing on source code with semgrep
-          command: |
-            fromtag=$(docker images |grep securedrop-test-focal-py3 |head -n1 |awk '{print $2}')
-            DOCKER_BUILD_ARGUMENTS="--cache-from securedrop-test-focal-py3:${fromtag:-latest}" securedrop/bin/dev-shell \
-                  bash -c "pip3 install -U -q --upgrade pip && pip3 install -U -q --upgrade semgrep && make -C .. semgrep"
-
   staging-test-with-rebase:
     machine:
       image: ubuntu-2004:current
@@ -319,12 +288,6 @@ workflows:
           context:
             - circleci-slack
           <<: *slack-fail-post-step
-      - static-analysis-and-no-known-cves:
-          requires:
-            - lint
-          context:
-            - circleci-slack
-          <<: *slack-fail-post-step
       - staging-test-with-rebase:
           filters:
             branches:
@@ -351,7 +314,6 @@ workflows:
                 - develop
     jobs:
       - staging-test-with-rebase
-      - static-analysis-and-no-known-cves
 
   weekly:
     triggers:

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -1,5 +1,8 @@
-name: Security (cron)
+name: Security
 on:
+  push:
+  pull_request:
+  merge_group:
   schedule:
     - cron: '0 3 * * *'
 
@@ -13,3 +16,20 @@ jobs:
       - name: Check Rust dependencies
         run: |
           make rust-audit
+
+  static-analysis-and-no-known-cves:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.8'
+      - name: Install dependencies
+        run: |
+          pip install safety semgrep
+      - name: Check Python dependencies for CVEs
+        run: |
+          make safety
+      - name: Run static security testing on source code with semgrep
+        run: |
+          make semgrep