├── Dockerfile
├── LICENSE
├── README.md
├── action.yml
├── entrypoint.sh
└── screenshot.png


/Dockerfile:
--------------------------------------------------------------------------------
 1 | # Container image that runs your code
 2 | FROM python:3-buster
 3 | 
 4 | # Copies your code file from your action repository to the filesystem path `/` of the container
 5 | COPY entrypoint.sh /entrypoint.sh
 6 | 
 7 | # Code file to execute when the docker container starts up (`entrypoint.sh`)
 8 | ENTRYPOINT ["/entrypoint.sh"]
 9 | 
10 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | Copyright (c) 2020-2023 Victoria Drake
 3 | 
 4 | Permission is hereby granted, free of charge, to any person obtaining a copy
 5 | of this software and associated documentation files (the "Software"), to deal
 6 | in the Software without restriction, including without limitation the rights
 7 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 8 | copies of the Software, and to permit persons to whom the Software is
 9 | furnished to do so, subject to the following conditions:
10 | 
11 | The above copyright notice and this permission notice shall be included in all
12 | copies or substantial portions of the Software.
13 | 
14 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
17 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
18 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
19 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
20 | SOFTWARE.
21 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Django Security Check
  2 | 
  3 | Helps you continuously monitor and fix common security vulnerabilities in your [Django](https://www.djangoproject.com/) application.
  4 | 
  5 | If you are thinking of using this action, congratulations. You're well on your way to building a secure Django project!
  6 | 
  7 | ## Use this in your workflow
  8 | 
  9 | You can use this action in a workflow file to continuously run [Django's `check --deploy`](https://docs.djangoproject.com/en/3.0/ref/django-admin/#check) against your production Django application configuration. Here is an example workflow that runs Django Security Check on any `push` event to the `master` branch. See [below for `env` instructions](https://github.com/victoriadrake/django-security-check#setting-the-env-variables).
 10 | 
 11 | ```yml
 12 | name: Django Security Check
 13 | 
 14 | on:
 15 |   push:
 16 |     branches:
 17 |       - master
 18 | 
 19 | env:
 20 |   SECRET_KEY: ${{ secrets.SECRET_KEY }}
 21 |   FAIL_LEVEL: WARNING
 22 |   ENV_TYPE: venv
 23 |   DEP_PATH: app/requirements.txt
 24 |   APP_PATH: app/
 25 |   EXTRA_ARGS: "--settings=app.settings.production"
 26 | 
 27 | jobs:
 28 |   build:
 29 | 
 30 |     runs-on: ubuntu-latest
 31 | 
 32 |     steps:
 33 |       - name: Check out master
 34 |         uses: actions/checkout@master
 35 |         with:
 36 |           fetch-depth: 1
 37 |       - name: Scan Django settings for security issues
 38 |         id: check
 39 |         uses: victoriadrake/django-security-check@master
 40 |       - name: Upload output
 41 |         uses: actions/upload-artifact@v2
 42 |         with:
 43 |           name: security-check-output
 44 |           path: output.txt
 45 | ```
 46 | 
 47 | ## View results
 48 | 
 49 | In the example workflow file above, you can view results in the Action workflow run, or download them as an [artifact](https://docs.github.com/en/actions/configuring-and-managing-workflows/persisting-workflow-data-using-artifacts). Check out the [repositories  that use this action](https://github.com/victoriadrake/django-security-check/network/dependents) for some examples.
 50 | 
 51 | You can also add the check output to a comment, for example, if the workflow was triggered by a pull request. To do this, [set an output parameter](https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#setting-an-output-parameter) and use `actions/github-script`. Here's an example workflow you can copy that runs on pull requests:
 52 | 
 53 | ```yml
 54 | name: Django Security Check
 55 | 
 56 | on: pull_request_target
 57 | 
 58 | env:
 59 |   SECRET_KEY: ${{ secrets.SECRET_KEY }}
 60 |   FAIL_LEVEL: WARNING
 61 |   ENV_TYPE: pipenv
 62 | 
 63 | jobs:
 64 |   build:
 65 | 
 66 |     runs-on: ubuntu-latest
 67 | 
 68 |     steps:
 69 |       - name: Check out master
 70 |         uses: actions/checkout@master
 71 |         with:
 72 |           fetch-depth: 1
 73 |       - name: Scan Django settings for security issues
 74 |         id: check
 75 |         uses: victoriadrake/django-security-check@master
 76 |       - id: results
 77 |         run: |
 78 |           OUTPUT=$(cat output.txt)
 79 |           FORMATTED=${OUTPUT//$'\n'/%0A}
 80 |           echo ::set-output name=file::**Django Security Check identified issues:** %0A$FORMATTED
 81 |       - name: Comment with output
 82 |         uses: actions/github-script@v3
 83 |         with:
 84 |           script: |
 85 |             github.issues.createComment({
 86 |               issue_number: ${{ github.event.number }},
 87 |               owner: context.repo.owner,
 88 |               repo: context.repo.repo,
 89 |               body: `${{ steps.results.outputs.file }}`
 90 |             })
 91 | ```
 92 | 
 93 | This produces:
 94 | 
 95 | ![Screenshot of security check output in comment](screenshot.png)
 96 | 
 97 | Helpful instructions for remediation are provided by Django in the output.
 98 | 
 99 | ### Setting the `env` variables
100 | 
101 | There must be a `SECRET_KEY` value available in order for Django to run the checks. Otherwise, an `ImproperlyConfigured` exception is raised. If you don't deploy from your repository, you may use a dummy value. [Set a repository secret](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository) with the name of `SECRET_KEY` and include this as an environment variable as shown in the examples above.
102 | 
103 | The `FAIL_LEVEL` environment variable is the minimum severity finding that will cause the check to fail. Choices are `CRITICAL`, `ERROR`, `WARNING`, `INFO`, and `DEBUG`. If not set, it defaults to `ERROR`.
104 | 
105 | Depending on what you've set as a `FAIL_LEVEL`, this action may return results without a failed check. For example, the default `ERROR` level may still return `WARNING` results, although the check is a pass. To fail the check on `WARNING` results, set `FAIL_LEVEL` to `WARNING`, `INFO`, or `DEBUG`.
106 | 
107 | This action currently supports use of [Pipenv](https://pipenv.pypa.io/en/latest/) or [`venv`](https://docs.python.org/3/library/venv.html#module-venv).
108 | 
109 | If you are using Pipenv, set `ENV_TYPE: pipenv`. Set the `DEP_PATH` variable to point to the directory containing your `Pipfile`. For example, if you have `project-root/app/Pipfile`, set `DEP_PATH: app/`. If you have `project-root/Pipfile`, you can leave this unset.
110 | 
111 | If you are using `venv`, set `ENV_TYPE: venv` as above. Set the `DEP_PATH` variable to the path of your dependencies file from the root, including the file name, as above. This is usually called `requirements.txt`, but may be different in your application.
112 | 
113 | Set the `APP_PATH` to the location of your `manage.py` file. For example, if you have `project-root/application/manage.py`, then set `APP_PATH: application/`. If you have `project-root/manage.py`, you can leave this unset.
114 | 
115 | If you are not using a virtual environment, shame on you. This action will still try to help you by installing Django. Ensure you set `APP_PATH` to the directory of your `manage.py` file.
116 | 
117 | You can use `EXTRA_ARGS` to pass any additional desired arguments, such as a settings module.
118 | 
119 | ### Workflow customization
120 | 
121 | See full instructions for [Configuring and managing workflows](https://help.github.com/en/actions/configuring-and-managing-workflows).
122 | 
123 | For help editing the YAML file, see [Workflow syntax for GitHub Actions](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions).
124 | 


--------------------------------------------------------------------------------
/action.yml:
--------------------------------------------------------------------------------
 1 | name: "Django Security Check"
 2 | description: "Helps find and remediate common security vulnerabilities in your Django application."
 3 | author: "victoriadrake"
 4 | branding:
 5 |   icon: "shield"
 6 |   color: "green"
 7 | outputs:
 8 |   result:
 9 |     description: "Django Security Check output"
10 | runs:
11 |   using: "docker"
12 |   image: "Dockerfile"


--------------------------------------------------------------------------------
/entrypoint.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # Omits 'set -e' because short-circuiting this script fails the GitHub action unintentionally
 3 | 
 4 | 
 5 | FAIL=${FAIL_LEVEL:=ERROR}
 6 | MANAGE_PATH=${GITHUB_WORKSPACE}/${APP_PATH}
 7 | REQS=${GITHUB_WORKSPACE}/${DEP_PATH}
 8 | ARGS=${EXTRA_ARGS}
 9 | 
10 | echo -e "Path to manage.py set as: " $MANAGE_PATH
11 | echo -e "Requirements path set as: " $REQS
12 | 
13 | if [[ "$ENV_TYPE" == "pipenv" ]]; then
14 |     cd $REQS
15 |     pip3 install pipenv
16 |     PIPENV_IGNORE_VIRTUALENVS=1 pipenv install
17 |     cd $MANAGE_PATH && PIPENV_IGNORE_VIRTUALENVS=1 pipenv run python3 manage.py check --deploy --fail-level ${FAIL} ${ARGS} &> output.txt
18 |     EXIT_CODE=$?
19 | fi
20 | if [[ "$ENV_TYPE" == "venv" ]]; then
21 |     pip install -r $REQS
22 |     cd $MANAGE_PATH && python manage.py check --deploy --fail-level ${FAIL} ${ARGS} &> output.txt
23 |     EXIT_CODE=$?
24 | fi
25 | if [[ -z "$ENV_TYPE" ]]; then
26 |     echo "No virtual environment specified."
27 |     pip install django
28 |     cd $MANAGE_PATH && python manage.py check --deploy --fail-level ${FAIL} ${ARGS} &> output.txt
29 |     EXIT_CODE=$?
30 | fi
31 | 
32 | echo -e "\n--------- Django Security Check results ---------"
33 | cat output.txt
34 | 
35 | exit $EXIT_CODE
36 | 


--------------------------------------------------------------------------------
/screenshot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/victoriadrake/django-security-check/89623116ff4b49464c26b218d8de5eb8c4d02970/screenshot.png


--------------------------------------------------------------------------------