GitHub Actions: Securing your Python Dependencies

A guide to scanning your GitHub repositories for Python dependency security vulnerabilities using GitHub Actions

This is a guide to setting up and configuring PyUp to scan your GitHub repositories for dependency security vulnerabilities using a custom GitHub Action. This enables you to configure security and compliance scans on your repositories on new commits, new branches, pull requests, and more.

You can set up PyUp to run security scans on your Python repositories using GitHub Actions.

Step 1: Get your PyUp API Key

To scan any systems for security vulnerabilities you first need a PyUp API key. You can create a PyUp account and get your API key here.

Step 2: Set up a GitHub Action workflow on your repository (If you don't have one already)

GitHub Actions are an easy and powerful way to run CI/CD processes on your codebases hosted on GitHub. Adding PyUp security scans to your repositories is as easy as adding a few lines to your GitHub Actions workflow configuration file to install Safety (our command-line tool) and then run it.

We've created some full pipeline examples below if you don't have one set up yet. If you need help configuring your Python workflow, you can read more on getting started with GitHub workflows in Python.

Step 3: Configure your GitHub workflow YAML file to run Safety scans

GitHub Actions are configured using YAML workflow files in a special .github/workflows/ folder. Here is an example YAML file that installs and runs Safety to scan your Python environment for security vulnerabilities.

# This workflow will install Python dependencies and run PyUp security scans on all dependencies that are installed into the environment.
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
# Saved to `.github/workflows/python-app.yml`

name: PyUp Security Scan

on:
  push: # Run on every push to any branch
  pull_request: # Run on new pull requests

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2 # Check out the repository; pin to the action version you use
    - name: Set up Python
      uses: actions/setup-python@v2 # Set up Python; pin to the action version you use
      with:
        python-version: "3.6" # Choose your appropriate version of python
    - name: Install dependencies
      # Upgrade pip, install safety, and install all of your requirements
      run: |
        python -m pip install --upgrade pip
        pip install safety
        if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
    - name: Run Security check with PyUp
      env:
        SAFETY_API_KEY: ${{secrets.SAFETY_API_KEY}}
      # Run safety check using your API key. This will scan your python environment for all installed dependencies, including transitive dependencies
      run: safety check --key $SAFETY_API_KEY
      continue-on-error: false # Do not continue on error; we want to fail the action if safety returns a non-zero exit code (a vulnerability has been found)

Your workflow YAML file will likely end up running other tests and actions alongside Safety. To ensure that Safety is scanning your dependencies for security vulnerabilities, make sure the following steps are present in your YAML file amongst the other tests and scripts you run.

    - name: Install dependencies
      # Upgrade pip, install safety, and install all of your requirements
      run: |
        python -m pip install --upgrade pip
        pip install safety
        if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
    - name: Run Security check with PyUp
      env:
        SAFETY_API_KEY: ${{secrets.SAFETY_API_KEY}}
      # Run safety check using your API key. This will scan your python environment for all installed dependencies, including transitive dependencies
      run: safety check --key $SAFETY_API_KEY
      continue-on-error: false # Do not continue on error; we want to fail the action if safety returns a non-zero exit code (a vulnerability has been found)

Final Step: Add your PyUp API Key as a GitHub repository secret

On your GitHub repository, navigate to Settings -> Secrets -> Actions, and add your PyUp API key as a secret that matches the variable name you've used in the workflow YAML file. Once added, it should look similar to the screenshot below:

You're done!

That's it! You now have a fully working GitHub Action that will run and scan your Python dependencies for security vulnerabilities on new pushes and pull requests, all powered by PyUp's premium vulnerability database.

If a vulnerability is found, Safety returns a non-zero exit code and the job fails. You can then open the pipeline's output on GitHub to see what Safety found and how to patch the vulnerabilities. Here is our example running on a new pull request:

Learn more about GitHub Actions and PyUp's Safety CLI

GitHub Action Configuration
There are many more ways to configure your Action. For example, you can set it up to only run on certain branches, or to run when other conditions are met. You can also configure it to run periodically using a cron schedule, so that your repository is scanned for security vulnerabilities every hour or every day, not just when new code is committed. A scheduled run matters because new advisories are published for dependencies you already have pinned, whether or not you push new code.

You can read more about GitHub actions on their documentation page.

PyUp's Safety Command-line Tool
These scans use PyUp's Safety Command-Line tool, which has many options and configurations to meet your needs. Instead of scanning your local environment after you've installed your dependencies, you can also configure it to scan specific requirements files, or output different formats, or even scan for license compliance issues.
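The following workflow is an added example, not from this guide or from PyUp's own documentation, that ties together the trigger options described under "GitHub Action Configuration" above and the Safety options just described: it runs on pushes to one branch, on pull requests, and on a daily cron schedule, scans a requirements file directly with `safety check -r` instead of the installed environment, writes the `--json` report, and uploads that report even when the scan fails. The branch name, cron expression, file path, action version tags and artifact name are illustrative placeholders; adjust them to your repository.

```yaml
# Added example (not part of the PyUp guide): scheduled, branch-filtered
# Safety scan of a requirements file with a JSON report kept as an artifact.
# Placeholders: branch "main", cron "0 6 * * *", requirements.txt, action tags.
name: PyUp Security Scan (scheduled)

on:
  push:
    branches: [main]      # scan pushes to main only, not every branch
  pull_request:           # scan every pull request
  schedule:
    - cron: "0 6 * * *"   # also scan daily at 06:00 UTC, catching advisories
                          # published after the last commit

jobs:
  safety:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: "3.6"
      - name: Install Safety
        run: |
          python -m pip install --upgrade pip
          pip install safety
      - name: Scan requirements.txt with Safety
        env:
          SAFETY_API_KEY: ${{ secrets.SAFETY_API_KEY }}
        # -r scans the versions pinned in the file, so nothing has to be
        # installed first; --json writes a machine-readable report. A finding
        # still exits non-zero, so this step, and the job, fail as in the guide.
        run: safety check --key "$SAFETY_API_KEY" -r requirements.txt --json > safety-report.json
      - name: Keep the report even when the scan fails
        if: always()        # runs after a failing step too
        uses: actions/upload-artifact@v2
        with:
          name: safety-report
          path: safety-report.json
```

One caveat when scanning a requirements file rather than the installed environment: Safety only sees what is listed in that file, so unpinned entries and transitive dependencies are not checked unless the file is a fully pinned lock (for example one produced with `pip freeze`). Scanning the installed environment, as the workflow in Step 3 does, covers transitive dependencies as well.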

You can read more about Safety and how to use it on its Github page.
