vulnerability.yaml

---
name: Vulnerability test

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

jobs:
  code-vulnerabilities:
    name: Code
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Set up environment
        uses: ./.github/actions/setup/poetry
        with:
          os: ${{ job.os }}
          python-version: '3.11'
          poetry-install-options: "--only=vulnerability --no-root"
          poetry-export-options: "--only=vulnerability"

      - name: Check code vulnerabilities with bandit
        run: poetry run bandit -c pyproject.toml -r cloud_telemetry/

  dependency-vulnerabilities:
    name: Dependencies
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Set up environment
        uses: ./.github/actions/setup/poetry
        with:
          os: ${{ job.os }}
          python-version: '3.11'
          poetry-install-options: "--only=vulnerability --no-root"
          poetry-export-options: "--only=vulnerability"

      - name: Check dependency vulnerabilities with safety
        run: poetry run safety check --full-report
...