65 lines
1.7 KiB
YAML
65 lines
1.7 KiB
YAML
name: Skill Security Scan (Full)
|
|
|
|
# Scans EVERY skill component with SkillSpector (NVIDIA, Apache-2.0) static
|
|
# analysis. Runs weekly and on demand. Reports only — never blocks. Uploads
|
|
# an aggregated SARIF to code scanning and a Markdown summary to the run.
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
schedule:
|
|
- cron: '0 6 * * 1' # Mondays 06:00 UTC
|
|
|
|
permissions:
|
|
contents: read
|
|
security-events: write
|
|
|
|
jobs:
|
|
skill-scan-all:
|
|
name: SkillSpector (all skills)
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 90
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v6
|
|
|
|
- name: Setup Python
|
|
uses: actions/setup-python@v5
|
|
with:
|
|
python-version: '3.12'
|
|
|
|
- name: Install SkillSpector
|
|
run: pip install "git+https://github.com/NVIDIA/skillspector.git@main"
|
|
|
|
- name: Run SkillSpector on all skills
|
|
id: scan
|
|
continue-on-error: true
|
|
run: |
|
|
python scripts/skillspector_scan.py \
|
|
--all \
|
|
--threshold 50 \
|
|
--output-md skillspector-report.md \
|
|
--output-sarif skillspector.sarif
|
|
|
|
- name: Publish summary
|
|
if: always()
|
|
run: cat skillspector-report.md >> "$GITHUB_STEP_SUMMARY"
|
|
|
|
- name: Upload report artifacts
|
|
if: always()
|
|
uses: actions/upload-artifact@v7
|
|
with:
|
|
name: skillspector-full-report
|
|
path: |
|
|
skillspector-report.md
|
|
skillspector.sarif
|
|
retention-days: 90
|
|
|
|
- name: Upload SARIF to code scanning
|
|
if: always()
|
|
continue-on-error: true
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
with:
|
|
sarif_file: skillspector.sarif
|
|
category: skillspector-full
|