diff --git a/.github/workflows/socket-basics.yml b/.github/workflows/socket-basics.yml new file mode 100644 index 0000000..17d85f9 --- /dev/null +++ b/.github/workflows/socket-basics.yml @@ -0,0 +1,14 @@ +name: Socket Basics Security Scan + +on: + pull_request: + types: [opened, synchronize, reopened] + +jobs: + socket-basics-security-scan: + # We intentionally run this shared action from @main, not from a pinned sha + # this is because we control the shared-actions repo, so there is not a significant risk of malicious changes being pushed. + # Plus, the shared action does use pinned dependencies, and so will be updated fairly often. When we do that, we do not + # want to have to update the sha in every repo that uses this shared action, before such updates apply. + uses: ynab/shared-actions/.github/workflows/socket-basics.yml@main + secrets: inherit diff --git a/.gitignore b/.gitignore index 65b06b9..fc75583 100644 --- a/.gitignore +++ b/.gitignore @@ -64,3 +64,5 @@ target/ # Ipython Notebook .ipynb_checkpoints +.socket-scans/ +.socket.facts.json diff --git a/.socket-basics.json b/.socket-basics.json new file mode 100644 index 0000000..fb6cf72 --- /dev/null +++ b/.socket-basics.json @@ -0,0 +1,3 @@ +{ + "python_disabled_rules": "python-hardcoded-secret" +}