├── Dockerfile
├── LICENSE
├── README.md
├── action.yml
├── entrypoint.sh
└── screenshot.png

/Dockerfile:
--------------------------------------------------------------------------------
# Container image that runs your code
FROM python:3-buster

# Copies your code file from your action repository to the filesystem path `/` of the container
COPY entrypoint.sh /entrypoint.sh

# Code file to execute when the docker container starts up (`entrypoint.sh`)
ENTRYPOINT ["/entrypoint.sh"]

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License
Copyright (c) 2020-2023 Victoria Drake

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Django Security Check

Helps you continuously monitor and fix common security vulnerabilities in your [Django](https://www.djangoproject.com/) application.

If you are thinking of using this action, congratulations. You're well on your way to building a secure Django project!

## Use this in your workflow

You can use this action in a workflow file to continuously run [Django's `check --deploy`](https://docs.djangoproject.com/en/3.0/ref/django-admin/#check) against your production Django application configuration. Here is an example workflow that runs Django Security Check on any `push` event to the `master` branch. See [below for `env` instructions](https://github.com/victoriadrake/django-security-check#setting-the-env-variables).

```yml
name: Django Security Check

on:
  push:
    branches:
      - master

env:
  SECRET_KEY: ${{ secrets.SECRET_KEY }}
  FAIL_LEVEL: WARNING
  ENV_TYPE: venv
  DEP_PATH: app/requirements.txt
  APP_PATH: app/
  EXTRA_ARGS: "--settings=app.settings.production"

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
      - name: Check out master
        uses: actions/checkout@master
        with:
          fetch-depth: 1
      - name: Scan Django settings for security issues
        id: check
        uses: victoriadrake/django-security-check@master
      - name: Upload output
        uses: actions/upload-artifact@v2
        with:
          name: security-check-output
          path: output.txt
```

## View results

In the example workflow file above, you can view results in the Action workflow run, or download them as an [artifact](https://docs.github.com/en/actions/configuring-and-managing-workflows/persisting-workflow-data-using-artifacts).
Check out the [repositories that use this action](https://github.com/victoriadrake/django-security-check/network/dependents) for some examples.

You can also add the check output to a comment, for example, if the workflow was triggered by a pull request. To do this, [set an output parameter](https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#setting-an-output-parameter) and use `actions/github-script`. Here's an example workflow you can copy that runs on pull requests:

```yml
name: Django Security Check

on: pull_request_target

env:
  SECRET_KEY: ${{ secrets.SECRET_KEY }}
  FAIL_LEVEL: WARNING
  ENV_TYPE: pipenv

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
      - name: Check out master
        uses: actions/checkout@master
        with:
          fetch-depth: 1
      - name: Scan Django settings for security issues
        id: check
        uses: victoriadrake/django-security-check@master
      - id: results
        run: |
          OUTPUT=$(cat output.txt)
          FORMATTED=${OUTPUT//$'\n'/%0A}
          echo ::set-output name=file::**Django Security Check identified issues:** %0A$FORMATTED
      - name: Comment with output
        uses: actions/github-script@v3
        with:
          script: |
            github.issues.createComment({
              issue_number: ${{ github.event.number }},
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `${{ steps.results.outputs.file }}`
            })
```

This produces:

![Screenshot of security check output in comment](screenshot.png)

Helpful instructions for remediation are provided by Django in the output.

### Setting the `env` variables

There must be a `SECRET_KEY` value available in order for Django to run the checks. Otherwise, an `ImproperlyConfigured` exception is raised. If you don't deploy from your repository, you may use a dummy value.
[Set a repository secret](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository) with the name of `SECRET_KEY` and include this as an environment variable as shown in the examples above.

The `FAIL_LEVEL` environment variable is the minimum severity finding that will cause the check to fail. Choices are `CRITICAL`, `ERROR`, `WARNING`, `INFO`, and `DEBUG`. If not set, it defaults to `ERROR`.

Depending on what you've set as a `FAIL_LEVEL`, this action may return results without a failed check. For example, the default `ERROR` level may still return `WARNING` results, although the check is a pass. To fail the check on `WARNING` results, set `FAIL_LEVEL` to `WARNING`, `INFO`, or `DEBUG`.

This action currently supports use of [Pipenv](https://pipenv.pypa.io/en/latest/) or [`venv`](https://docs.python.org/3/library/venv.html#module-venv).

If you are using Pipenv, set `ENV_TYPE: pipenv`. Set the `DEP_PATH` variable to point to the directory containing your `Pipfile`. For example, if you have `project-root/app/Pipfile`, set `DEP_PATH: app/`. If you have `project-root/Pipfile`, you can leave this unset.

If you are using `venv`, set `ENV_TYPE: venv` as above. Set the `DEP_PATH` variable to the path of your dependencies file from the root, including the file name, as above. This is usually called `requirements.txt`, but may be different in your application.

Set the `APP_PATH` to the location of your `manage.py` file. For example, if you have `project-root/application/manage.py`, then set `APP_PATH: application/`. If you have `project-root/manage.py`, you can leave this unset.

If you are not using a virtual environment, shame on you. This action will still try to help you by installing Django. Ensure you set `APP_PATH` to the directory of your `manage.py` file.

You can use `EXTRA_ARGS` to pass any additional desired arguments, such as a settings module.

### Workflow customization

See full instructions for [Configuring and managing workflows](https://help.github.com/en/actions/configuring-and-managing-workflows).

For help editing the YAML file, see [Workflow syntax for GitHub Actions](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions).

--------------------------------------------------------------------------------
/action.yml:
--------------------------------------------------------------------------------
name: "Django Security Check"
description: "Helps find and remediate common security vulnerabilities in your Django application."
author: "victoriadrake"
branding:
  icon: "shield"
  color: "green"
outputs:
  result:
    description: "Django Security Check output"
runs:
  using: "docker"
  image: "Dockerfile"
--------------------------------------------------------------------------------
/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Omits 'set -e' because short-circuiting this script fails the GitHub action unintentionally

FAIL=${FAIL_LEVEL:=ERROR}
MANAGE_PATH="${GITHUB_WORKSPACE}/${APP_PATH}"
REQS="${GITHUB_WORKSPACE}/${DEP_PATH}"
ARGS=${EXTRA_ARGS}
# Results go to the workspace root so that later workflow steps (artifact upload, PR comment) can read output.txt
OUTPUT="${GITHUB_WORKSPACE}/output.txt"

echo -e "Path to manage.py set as: " "$MANAGE_PATH"
echo -e "Requirements path set as: " "$REQS"

# ${ARGS} is deliberately left unquoted so that EXTRA_ARGS may carry several arguments
if [[ "$ENV_TYPE" == "pipenv" ]]; then
    cd "$REQS" || exit 1
    pip3 install pipenv
    PIPENV_IGNORE_VIRTUALENVS=1 pipenv install
    cd "$MANAGE_PATH" && PIPENV_IGNORE_VIRTUALENVS=1 pipenv run python3 manage.py check --deploy --fail-level "${FAIL}" ${ARGS} &> "$OUTPUT"
    EXIT_CODE=$?
elif [[ "$ENV_TYPE" == "venv" ]]; then
    pip install -r "$REQS"
    cd "$MANAGE_PATH" && python manage.py check --deploy --fail-level "${FAIL}" ${ARGS} &> "$OUTPUT"
    EXIT_CODE=$?
elif [[ -z "$ENV_TYPE" ]]; then
    echo "No virtual environment specified."
    pip install django
    cd "$MANAGE_PATH" && python manage.py check --deploy --fail-level "${FAIL}" ${ARGS} &> "$OUTPUT"
    EXIT_CODE=$?
else
    # Without this branch an unrecognised ENV_TYPE would leave EXIT_CODE empty and the action would pass silently
    echo "Unsupported ENV_TYPE '$ENV_TYPE': expected 'pipenv', 'venv' or unset." | tee "$OUTPUT"
    EXIT_CODE=1
fi

echo -e "\n--------- Django Security Check results ---------"
cat "$OUTPUT"

exit $EXIT_CODE
--------------------------------------------------------------------------------
/screenshot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/victoriadrake/django-security-check/89623116ff4b49464c26b218d8de5eb8c4d02970/screenshot.png
--------------------------------------------------------------------------------
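Added example, not code from the django-security-check repository: a drop-in replacement for the README's `results` step that publishes the comment body through the `$GITHUB_OUTPUT` file (heredoc syntax, so no `%0A` encoding and no deprecated `::set-output`) and counts findings per level from Django's check ids. It assumes `output.txt` sits in the workspace root and that the following `github-script` step receives the value through an `env:` entry (for example `BODY: ${{ steps.results.outputs.body }}`, read in the script as `process.env.BODY`) instead of interpolating the expression into the `script:` text, so the check output is handled as data rather than evaluated as JavaScript.

```shell
#!/usr/bin/env bash
# Added example, not part of the django-security-check action: a replacement
# for the README's "results" step. It reads output.txt from the workspace root,
# builds a comment body with per-level counts, and publishes it through the
# $GITHUB_OUTPUT file instead of the deprecated ::set-output command.
set -u

# Append a multi-line value to $GITHUB_OUTPUT under NAME. A random heredoc
# delimiter means no line of the value can terminate the output early.
gh_set_output() {
  local name="$1" value="$2" delim
  delim="gh_$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
  printf '%s<<%s\n%s\n%s\n' "$name" "$delim" "$value" "$delim" >> "${GITHUB_OUTPUT:?}"
}

# Count findings of one level in Django check output. Django encodes the level
# in the check id (security.W004 is a WARNING, security.E001 an ERROR, ...).
# Usage: count_level TEXT LETTER   where LETTER is C, E, W, I or D.
count_level() {
  printf '%s\n' "$1" | grep -cE "^[^:]*: \([A-Za-z_.]+\.$2[0-9]+\)" || true
}

# Comment body: a summary line, then the raw output indented as a code block.
build_comment() {
  printf '**Django Security Check identified issues:** %s critical, %s error, %s warning\n\n' \
    "$(count_level "$1" C)" "$(count_level "$1" E)" "$(count_level "$1" W)"
  printf '%s\n' "$1" | sed 's/^/    /'
}

# Sample check output, constructed for this example (the check ids are real
# Django security checks; the message text is abbreviated).
SAMPLE_OUTPUT='System check identified some issues:

WARNINGS:
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting.
?: (security.W018) You should not have DEBUG set to True in deployment.

System check identified 2 issues (0 silenced).'

# Inside a workflow step: publish the real output as the "body" step output.
if [ -n "${GITHUB_OUTPUT:-}" ] && [ -f output.txt ]; then
  gh_set_output body "$(build_comment "$(cat output.txt)")"
else
  build_comment "$SAMPLE_OUTPUT"
fi
```

Run it locally with `GITHUB_OUTPUT` unset to see the comment rendered from the constructed sample.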