PLC/vPLC>> django-security-check>> 返回
项目作者: victoriadrake

项目描述 :
:octocat: GitHub Action helps you continuously monitor and fix common security vulnerabilities in your Django application.
高级语言: Shell
项目地址: git://github.com/victoriadrake/django-security-check.git
创建时间: 2020-06-17T23:43:13Z
项目社区:https://github.com/victoriadrake/django-security-check
开源协议:MIT License
下载


Django Security Check

Helps you continuously monitor and fix common security vulnerabilities in your Django application.

If you are thinking of using this action, congratulations. You’re well on your way to building a secure Django project!

Use this in your workflow

You can use this action in a workflow file to continuously run Django’s check --deploy against your production Django application configuration. Here is an example workflow that runs Django Security Check on any push event to the master branch. See below for env instructions.

  1. name: Django Security Check
  3. on:
  4.   push:
  5.     branches:
  6.       - master
  8. env:
  9.   SECRET_KEY: ${{ secrets.SECRET_KEY }}
  10.   FAIL_LEVEL: WARNING
  11.   ENV_TYPE: venv
  12.   DEP_PATH: app/requirements.txt
  13.   APP_PATH: app/
  14.   EXTRA_ARGS: "--settings=app.settings.production"
  16. jobs:
  17.   build:
  19.     runs-on: ubuntu-latest
  21.     steps:
  22.       - name: Check out master
  23.         uses: actions/checkout@master
  24.         with:
  25.           fetch-depth: 1
  26.       - name: Scan Django settings for security issues
  27.         id: check
  28.         uses: victoriadrake/django-security-check@master
  29.       - name: Upload output
  30.         uses: actions/upload-artifact@v2
  31.         with:
  32.           name: security-check-output
  33.           path: output.txt

View results

In the example workflow file above, you can view results in the Action workflow run, or download them as an artifact. Check out the repositories that use this action for some examples.

You can also add the check output to a comment, for example, if the workflow was triggered by a pull request. To do this, set an output parameter and use actions/github-script. Here’s an example workflow you can copy that runs on pull requests:

  1. name: Django Security Check
  3. on: pull_request_target
  5. env:
  6.   SECRET_KEY: ${{ secrets.SECRET_KEY }}
  7.   FAIL_LEVEL: WARNING
  8.   ENV_TYPE: pipenv
  10. jobs:
  11.   build:
  13.     runs-on: ubuntu-latest
  15.     steps:
  16.       - name: Check out master
  17.         uses: actions/checkout@master
  18.         with:
  19.           fetch-depth: 1
  20.       - name: Scan Django settings for security issues
  21.         id: check
  22.         uses: victoriadrake/django-security-check@master
  23.       - id: results
  24.         run: |
  25.           OUTPUT=$(cat output.txt)
  26.           FORMATTED=${OUTPUT//$'\n'/%0A}
  27.           echo ::set-output name=file::**Django Security Check identified issues:** %0A$FORMATTED
  28.       - name: Comment with output
  29.         uses: actions/github-script@v3
  30.         with:
  31.           script: |
  32.             github.issues.createComment({
  33.               issue_number: ${{ github.event.number }},
  34.               owner: context.repo.owner,
  35.               repo: context.repo.repo,
  36.               body: `${{ steps.results.outputs.file }}`
  37.             })

This produces:

Screenshot of security check output in comment

Helpful instructions for remediation are provided by Django in the output.

Setting the env variables

There must be a SECRET_KEY value available in order for Django to run the checks. Otherwise, an ImproperlyConfigured exception is raised. If you don’t deploy from your repository, you may use a dummy value. Set a repository secret with the name of SECRET_KEY and include this as an environment variable as shown in the examples above.

The FAIL_LEVEL environment variable is the minimum severity finding that will cause the check to fail. Choices are CRITICAL, ERROR, WARNING, INFO, and DEBUG. If not set, it defaults to ERROR.

Depending on what you’ve set as a FAIL_LEVEL, this action may return results without a failed check. For example, the default ERROR level may still return WARNING results, although the check is a pass. To fail the check on WARNING results, set FAIL_LEVEL to WARNING, INFO, or DEBUG.

This action currently supports use of Pipenv or venv.

If you are using Pipenv, set ENV_TYPE: pipenv. Set the DEP_PATH variable to point to the directory containing your Pipfile. For example, if you have project-root/app/Pipfile, set DEP_PATH: app/. If you have project-root/Pipfile, you can leave this unset.

If you are using venv, set ENV_TYPE: venv as above. Set the DEP_PATH variable to the path of your dependencies file from the root, including the file name, as above. This is usually called requirements.txt, but may be different in your application.

Set the APP_PATH to the location of your manage.py file. For example, if you have project-root/application/manage.py, then set APP_PATH: application/. If you have project-root/manage.py, you can leave this unset.

If you are not using a virtual environment, shame on you. This action will still try to help you by installing Django. Ensure you set APP_PATH to the directory of your manage.py file.

You can use EXTRA_ARGS to pass any additional desired arguments, such as a settings module.

Workflow customization

See full instructions for Configuring and managing workflows.

For help editing the YAML file, see Workflow syntax for GitHub Actions.