canonical/starflow
starflow

Starcraft team GHA Workflows

Reusable Workflows

Some of these automations are provided as reusable workflows. You call them at the job level from a workflow in your own repository (`uses: canonical/starflow/.github/workflows/<workflow>.yaml@main`). Examples are provided below.

Python security scanner

The Python security scanner workflow uses several tools (trivy, osv-scanner) to scan a Python project for security issues. It does the following:

  1. Creates a wheel of the project.
  2. Exports a uv.lock file (if present in the project) as two requirements files:
     a. requirements.txt with no extras
     b. requirements-all.txt with all available extras

If your project already contains any requirements*.txt files, those are scanned as well.

With Trivy, it:

  1. Scans the requirements files
  2. Scans the wheel file(s)
  3. Scans the project directory
  4. Installs each combination of (requirements, wheel) in a virtual environment and scans that environment.

With OSV-scanner it:

  1. Scans the requirements files
  2. Scans the project directory

Usage

An example workflow for your own Python project that will use this workflow:

```yaml
name: Security scan
on:
  pull_request:
  push:
    branches:
      - main
      - hotfix/*

jobs:
  python-scans:
    name: Scan Python project
    uses: canonical/starflow/.github/workflows/scan-python.yaml@main
    with:
      # Additional packages to install on the Ubuntu runners for building
      packages: python-apt-dev cargo
      # Additional arguments to `find` when finding requirements files.
      # This example ignores 'requirements-noble.txt'
      requirements-find-args: "! -name requirements-noble.txt"
      # Additional arguments to pass to osv-scanner.
      # This example adds configuration from your project.
      osv-extra-args: "--config=source/osv-scanner.toml"
      # Use the standard extra args and ignore spread tests
      trivy-extra-args: '--severity HIGH,CRITICAL --ignore-unfixed --skip-dirs "tests/spread/**"'
```
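The Python scan steps described above, reproduced as a local script so you can run the same checks before pushing. This is an added example, not starflow's own code; it assumes uv, build, trivy and osv-scanner are on PATH and uses their CLI flags as understood by the author of this example (an assumption, not taken from the workflow), including the requirements-noble.txt exclusion from the usage snippet.

```shell
# Added example (not starflow's own code): run the scan-python.yaml steps locally.
# uv/build/trivy/osv-scanner invocations are assumptions based on each tool's CLI.
set -eu
# Mirror requirements-find-args: list requirements*.txt in $1, applying any extra
# find predicates given as remaining args (e.g. ! -name requirements-noble.txt).
find_requirements() {
  root=$1; shift
  find "$root" -maxdepth 1 -type f -name 'requirements*.txt' "$@" | LC_ALL=C sort
}
# Step 2: export uv.lock (if present) as requirements.txt (no extras) and
# requirements-all.txt (all extras).
export_lockfile() {
  [ -f "$1/uv.lock" ] || return 0
  (cd "$1" && uv export --format requirements-txt --no-hashes -o requirements.txt \
    && uv export --format requirements-txt --no-hashes --all-extras -o requirements-all.txt)
}
# Step 1: build the project wheel into dist/.
build_wheel() { (cd "$1" && python3 -m build --wheel --outdir dist); }
# Trivy: scan each requirements file, the wheel(s), the project tree, and every
# (requirements, wheel) combination installed into a throwaway venv.
scan_with_trivy() {
  root=$1; extra=${2:-"--severity HIGH,CRITICAL --ignore-unfixed"}
  # $extra is deliberately unquoted so it word-splits into separate flags.
  find_requirements "$root" ! -name requirements-noble.txt | while read -r req; do
    trivy fs --scanners vuln --exit-code 1 $extra "$req"
    for whl in "$root"/dist/*.whl; do
      venv=$(mktemp -d)
      python3 -m venv "$venv" && "$venv/bin/pip" install -q -r "$req" "$whl"
      trivy fs --scanners vuln --exit-code 1 $extra "$venv"
      rm -rf "$venv"
    done
  done
  trivy fs --scanners vuln --exit-code 1 $extra "$root/dist"
  trivy fs --scanners vuln --exit-code 1 $extra "$root"
}
# OSV-Scanner: scan the requirements files and the project directory.
scan_with_osv() {
  root=$1; extra=${2:-}
  find_requirements "$root" | while read -r req; do
    osv-scanner --lockfile "$req" $extra
  done
  osv-scanner -r "$root" $extra
}
# Set STARFLOW_LOCAL_SCAN=1 to run the full pipeline against the current directory.
if [ "${STARFLOW_LOCAL_SCAN:-0}" = 1 ]; then
  build_wheel . && export_lockfile . && scan_with_trivy . && scan_with_osv .
fi
```

Pass the same strings you would give `trivy-extra-args` and `osv-extra-args` as the second argument of `scan_with_trivy` and `scan_with_osv` to keep local and CI results comparable.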

Go security scanner

The Go security scanner workflow uses several tools (trivy, osv-scanner) to scan a Go project for security issues.

Usage

An example workflow for your own Go project that will use this workflow:

```yaml
name: Security scan
on:
  pull_request:
  push:
    branches:
      - main
      - hotfix/*

jobs:
  go-scans:
    name: Scan Go project
    uses: canonical/starflow/.github/workflows/scan-golang.yaml@main
    with:
      # Additional packages to install on the Ubuntu runners for building
      packages: protoc-gen-go-1-3
      # Additional arguments to pass to osv-scanner.
      # This example adds configuration from your project.
      osv-extra-args: "--config=.osv-scanner.toml"
      # Use the standard extra args and ignore spread tests
      trivy-extra-args: '--skip-dirs "tests/spread/**"'
```
