GitHub Actions

Introduction to GitHub Actions

GitHub Actions is a powerful automation tool that integrates directly with GitHub repositories to allow you to automate your workflow by setting up a series of commands (actions) that execute in response to specific GitHub events like a push or a pull request. These actions can be used for a variety of tasks, such as testing code, deploying applications and, in the case of Safety, scanning for vulnerabilities.

The Safety CLI Scanner GitHub Action enables automated scanning of your projects for vulnerabilities directly within your GitHub workflow.

Link to Safety GitHub Action: https://github.com/marketplace/actions/pyupio-safety-action

Setting Up the Safety GitHub Action

Step 1: Create a Safety Account and Obtain an API Key

To utilize the Safety CLI scanner, you first need to create a Safety account.
Once your account is set up, you can obtain your API key from your Safety Dashboard. This key will be used to authenticate your GitHub Action with Safety's services.

Step 2: Configure the GitHub Secret

After obtaining your Safety API key, go to your GitHub repository's settings.
Navigate to the 'Secrets' section and add a new secret.
Name the secret (e.g., SAFETY_API_KEY) and paste your Safety API key as the value.

Step 3: Set Up the Workflow File

You may need to create a Personal Access Token (PAT) with workflow permissions in order to push a workflow file to your repo. To do so, please refer to this guide.
In your repository, create a new file in the .github/workflows directory. You can name this file according to its purpose (e.g., safety_scan.yml).
Add the following content to your workflow file:

name: Example workflow for Python using Safety Action
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - name: Run Safety CLI to check for vulnerabilities
        uses: pyupio/safety-action@v1
        with:
          api-key: ${{ secrets.SAFETY_API_KEY }}

Step 4: Activate the Workflow

Commit and push the workflow file to your repository.
The Safety CLI Scanner Action will run automatically on each push, scanning your Python project for any vulnerabilities.

Additional Configurations (Optional)

You can customize the behaviour of the Safety Action by using various properties.
For instance, to continue the workflow even if vulnerabilities are found, set the continue-on-error property to true.
You can also add arguments like --detailed-output to get more information from the scan:

name: Example workflow customizing the Safety Action
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - name: Run Safety CLI to check for vulnerabilities
        uses: pyupio/safety-action@v1
        with:
          api-key: ${{ secrets.SAFETY_API_KEY }}
          continue-on-error: yes # Do not fail this action if vulnerabilities are found
          args: --detailed-output # To always see detailed output from this action

Available Properties

Property	Default	Description
api-key		Your Safety API Key
continue-on-error	false	Set to yes/true to always return a zero (success/pass) exit code and prevent the action from failing if vulnerabilities are detected.
output-format	screen	Options are: screen, json, html, spdx, none
args		Override the default arguments to Safety CLI 3.

Property

Default

Description

api-key

Your Safety API Key

continue-on-error

false

Set to yes/true to always return a zero (success/pass) exit code and prevent the action from failing if vulnerabilities are detected.

output-format

screen

Options are: screen, json, html, spdx, none

args