Safety 2 (formerly PyUp)
  • Welcome to Safety 2
  • 2023 Rebrand from PyUp to Safety Cybersecurity
  • Safety 2.x Basics
    • Getting started with Safety 2.x
    • Running a Safety Scan
    • License Scanning
  • Safety CLI 2 Scanner
    • Installation & Quick Start - Safety 2
    • Docker Containers
    • Inputs
    • Output Formats
    • Policy File
    • Applying Security Updates to Requirements Files
    • Exit Codes
    • Help and Support
    • Safety v1 to v2 Breaking Changes
  • Securing Git SCM Pipelines
    • Securing Git Repositories
    • GitHub Actions
      • Advanced Options: GitHub Actions
    • BitBucket Pipelines
    • Gitlab Pipelines
    • GitHub Integration
    • Scanning Development Environments with Git Post-Commit Hook
  • Troubleshooting
    • Invalid API Key Error
Powered by GitBook
On this page
  • Scan Modes
  • Running without failing the pipeline
  • Action options
  1. Securing Git SCM Pipelines
  2. GitHub Actions

Advanced Options: GitHub Actions

Scan Modes

By default, the action tries to autodetect everything. This can fail in more complicated setups (such as monorepos). Safety Action supports 3 scan modes, which can be mixed and matched depending on your exact project structure.

Scanning a built Docker image

Safety Action can scan into any Docker image that exists on the action runner. This is most useful when you're using GitHub workflows to build and publish Docker images as part of your pipeline.

To use this mode, set scan to docker. You can also specify an image to scan using docker-image. This mode requires /bin/sh to be present in the image you're scanning, as well as the command python -m pip list --format=freeze to be runnable:

YAML

env:
  IMAGE_URL: ghcr.io/example/example:${{ github.sha }}

jobs:
  safety:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Build image
        run: DOCKER_BUILDKIT=1 docker buildx build -t ${{ env.IMAGE_URL }} .

      # Scan the built image using Safety
      - uses: pyupio/safety@2.3.4
        with:
          api-key: ${{secrets.SAFETY_API_KEY}}
          scan: 'docker'
          docker-image: ${{ env.IMAGE_URL }}

Scanning the workflow environment

Safety Action can scan your current workflow environment. This is most useful when you're also using actions/setup-python and perhaps packaging up a wheel, or running more complex builds using setup.py.

This type of scan is also the most comprehensive and secure since it most accurately scans the real-world system that you are deploying into production. Python dependency installations are often not deterministic, and even then, the outcome can change across even slightly different versions of Python or the underlying system details.

To use this mode, set thescan to env. No options are available - if pythonLocation has been set by actions/setup-python, this Python environment will automatically be scanned, otherwise the environment of the worker image (eg, ubuntu-latest will be scanned):

YAML

jobs:
  safety:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - uses: actions/setup-python@v3
        with:
          python-version: '3.10'
          architecture: 'x64'

      # Replace with the steps required to setup & install 
      # your Python system and dependencies
      - run: python -m pip install requirements.txt

      # Scans the Python env setup by setup-python.
      - uses: pyupio/safety@2.3.4
        with:
          api-key: ${{secrets.SAFETY_API_KEY}}
          scan: 'env'

Scanning a requirements file

Safety Action can scan a requirements.txt or Poetry / Pipfile lockfile in your repo. Scanning a file is not recommended unless you're using a lock file that specifies all dependencies, and are confident that no other packages are installed in the environment.

To use this mode, set scan to file. You can also specify a path to the requirements file to scan using requirements:

YAML

jobs:
  safety:
    runs-on: ubuntu-latest
    steps:
      # Scans the root poetry.lock in the repo
      - uses: pyupio/safety@2.3.4
        with:
          api-key: ${{secrets.SAFETY_API_KEY}}
          scan: 'file'
          requirements: 'poetry.lock'

      # Scans Pipfile.lock under services/microservice-example. Useful for monorepo setups.
      - uses: pyupio/safety@2.3.4
        with:
          api-key: 'your-pyup-api-key-here'
          scan: 'file'
          requirements: 'services/microservice-example/Pipfile.lock'

Running without failing the pipeline

It's possible to run the Safety action, without failing the pipeline if a vulnerability is found, but checking this status in a next step:

YAML

jobs:
  insecure-test:
    runs-on: ubuntu-latest

    steps:
      - uses: pyupio/safety@2.3.4
        id: scan-1
        continue-on-error: true
        with:
          api-key: ${{secrets.SAFETY_API_KEY}}

      - if: steps.scan-1.outcome != 'failure'
        run: echo 'Safety failed to run, but the next step in the pipeline continued.' && exit 1

Action options

Option
Default
Required?
Description

api-key

N/A

Yes

Your PyUp API key

scan

auto

No

Scan mode to use. One of auto / docker / env / file

docker-image

Autodetects the last built, tagged image on the runner

No

Tag or hash of the Docker Image to scan.

requirements

poetry.lock followed byPipfile.lock followed by requirements.txt (first match wins)

No

Path of requirements file to scan

continue-on-error

No

No

By default, Safety will exit with a non-zero exit code if it detects any vulnerabilities. Set this to non-empty value to not error out.

output-format

'screen'

No

Output format for returned data. One of screen / text / json / bare

args

''

No

Any additional CLI arguments to pass to safety

PreviousGitHub ActionsNextBitBucket Pipelines

Last updated 1 year ago

Environment scans are still completely configurable using , or via GitHub Action variables.

Safety CLI: Policy file