From ea64e3c7aa2efc7e0f6e8f24925d8edcd8b295f3 Mon Sep 17 00:00:00 2001
From: Keven Beaulieu <3943905+kbeaulieu@users.noreply.github.com>
Date: Wed, 2 Feb 2022 10:56:15 -0500
Subject: [PATCH 1/2] Adds Pipenv workflow
---
.github/workflows/pipenv.yml | 109 +++++++++++++++++++++++++++++++++++
1 file changed, 109 insertions(+)
create mode 100644 .github/workflows/pipenv.yml
diff --git a/.github/workflows/pipenv.yml b/.github/workflows/pipenv.yml
new file mode 100644
index 0000000..187ee08
--- /dev/null
+++ b/.github/workflows/pipenv.yml
@@ -0,0 +1,109 @@
+name: Webapp frontend
+
+on:
+ workflow_call:
+ inputs:
+ name:
+ description: Application name. Used as base to the various artifacts.
+ required: true
+ type: string
+ workflow-path:
+ description: Workflow file used for change detection.
+ required: false
+ type: string
+ working-directory:
+ description: Relative path under $GITHUB_WORKSPACE where the project is located.
+ required: false
+ type: string
+
+jobs:
+ pre-checks:
+ name: Pre-checks
+ runs-on: ubuntu-latest
+ outputs:
+ should-skip: ${{ steps.skip-check.outputs.should_skip }}
+
+ steps:
+ - id: skip-check
+ uses: fkirc/skip-duplicate-actions@v3.4.1
+ with:
+ concurrent_skipping: same_content
+ do_not_skip: >-
+ [
+ "push",
+ "schedule",
+ "workflow_dispatch"
+ ]
+ paths: >-
+ [
+ ".tool-versions",
+ "${{ inputs.workflow-path }}",
+ "${{ inputs.working-directory }}/**"
+ ]
+ skip_after_successful_duplicate: true
+
+ setup:
+ name: Setup
+ needs:
+ - pre-checks
+ if: ${{ needs.pre_checks.outputs.should-skip != 'true' }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - name: Setup Python
+ uses: equisoft-actions/setup-python@v1.0.0
+
+ unit-tests:
+ name: Unit tests
+ needs: [setup]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - name: Setup Python
+ uses: equisoft-actions/setup-python@v1.0.0
+ - name: Run pytest
+ run: pipenv run pytest -v
+
+ code-style:
+ name: Code style
+ needs: [setup]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - name: Setup Python
+ uses: equisoft-actions/setup-python@v1.0.0
+ - name: Run pycodestyle
+ run: pipenv run pycodestyle --statistics --count
+
+ type-check:
+ name: Type check
+ needs: [setup]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - name: Setup Python
+ uses: equisoft-actions/setup-python@v1.0.0
+ - name: Run pytype
+ run: pipenv run pytype
+
+ sast:
+ name: SAST
+ needs: [setup]
+ runs-on: 
ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - name: Setup Python
+ uses: equisoft-actions/setup-python@v1.0.0
+ - name: Run Semgrep
+ run: make check.sast
+ - name: Upload SAST report
+ uses: actions/upload-artifact@v2
+ if: always()
+ with:
+ name: semgrep.sarif
+ path: ./build/reports/semgrep/semgrep.sarif
From ba923a9b9d67b86270ab57dd0c8ed9f3560f0ce9 Mon Sep 17 00:00:00 2001
From: Keven Beaulieu <3943905+kbeaulieu@users.noreply.github.com>
Date: Wed, 2 Feb 2022 15:26:55 -0500
Subject: [PATCH 2/2] Adds security workflow
---
.../{pipenv.yml => python-pipenv.yml} | 45 +++++++------------
.github/workflows/python-security.yml | 42 +++++++++++++++++
2 files changed, 58 insertions(+), 29 deletions(-)
rename .github/workflows/{pipenv.yml => python-pipenv.yml} (76%)
create mode 100644 .github/workflows/python-security.yml
diff --git a/.github/workflows/pipenv.yml b/.github/workflows/python-pipenv.yml
similarity index 76%
rename from .github/workflows/pipenv.yml
rename to .github/workflows/python-pipenv.yml
index 187ee08..111a0f4 100644
--- a/.github/workflows/pipenv.yml
+++ b/.github/workflows/python-pipenv.yml
@@ -1,12 +1,8 @@ -name: Webapp frontend +name: Python Pipenv on: workflow_call: inputs: - name: - description: Application name. Used as base to the various artifacts. - required: true - type: string workflow-path: description: Workflow file used for change detection. required: false
@@ -44,13 +40,13 @@ jobs: setup: name: Setup - needs: - - pre-checks + needs: [pre-checks] if: ${{ needs.pre_checks.outputs.should-skip != 'true' }} runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v2 + - name: Setup Python uses: equisoft-actions/setup-python@v1.0.0 
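Review bot: The `if` on the `setup` job reads `needs.pre_checks.outputs.should-skip`, but the job it depends on is named `pre-checks`, so the expression dereferences a need that does not exist; a missing property is empty in expressions, `'' != 'true'` is always true, and the skip-duplicate gate never takes effect. The same line survives unchanged as context in the second patch's `@@ -44,13 +40,13 @@` hunk, so the correction belongs in the renamed file: `if: ${{ needs.pre-checks.outputs.should-skip != 'true' }}`. Separately, the third-party actions (`fkirc/skip-duplicate-actions@v3.4.1`, `equisoft-actions/setup-python@v1.0.0`) are referenced by mutable tags; pinning each to a full commit SHA with the tag in a trailing comment keeps a retagged release from silently changing what every caller of this reusable workflow executes. Since callers inherit this file via `workflow_call`, a top-level `permissions: contents: read` would also bound the token these jobs receive to what checkout needs.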
@@ -61,23 +57,14 @@ jobs: steps: - name: Checkout uses: actions/checkout@v2 + - name: Setup Python uses: equisoft-actions/setup-python@v1.0.0 + - name: Run pytest + working-directory: ${{ inputs.working-directory }} run: pipenv run pytest -v - code-style: - name: Code style - needs: [setup] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - - name: Setup Python - uses: equisoft-actions/setup-python@v1.0.0 - - name: Run pycodestyle - run: pipenv run pycodestyle --statistics --count - type-check: name: Type check needs: [setup]
@@ -85,25 +72,25 @@ jobs: steps: - name: Checkout uses: actions/checkout@v2 + - name: Setup Python uses: equisoft-actions/setup-python@v1.0.0 + - name: Run pytype + working-directory: ${{ inputs.working-directory }} run: pipenv run pytype - sast: - name: SAST + code-style: + name: Code style needs: [setup] runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v2 + - name: Setup Python uses: equisoft-actions/setup-python@v1.0.0 - - name: Run Semgrep - run: make check.sast - - name: Upload SAST report - uses: actions/upload-artifact@v2 - if: always() - with: - name: semgrep.sarif - path: ./build/reports/semgrep/semgrep.sarif + + - name: Run pycodestyle + working-directory: ${{ inputs.working-directory }} + run: pipenv run pycodestyle --statistics --count
diff --git a/.github/workflows/python-security.yml b/.github/workflows/python-security.yml
new file mode 100644
index 0000000..049e212
--- /dev/null
+++ b/.github/workflows/python-security.yml
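Review bot: `working-directory: ${{ inputs.working-directory }}` on the Run pytest step (and on Run pytype and Run pycodestyle in the `@@ -85,25 +72,25 @@` hunk) expands to an empty string whenever a caller omits the input, which is `required: false` with no default. Whether the runner then falls back to the workspace is an implementation detail the workflow should not rely on; declaring `default: '.'` on the input, whose definition sits in the `@@ -1,12 +1,8 @@` hunk, makes every step's working directory explicit and keeps the `"${{ inputs.working-directory }}/**"` change-detection glob in `pre-checks` from degrading to `/**`. The enclosing `jobs:` mapping starts and ends outside these hunks.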
@@ -0,0 +1,42 @@
+name: Python Security
+
+on:
+ workflow_call:
+ inputs:
+ working-directory:
+ description: Relative path under $GITHUB_WORKSPACE where the project is located.
+ required: false
+ type: string
+
+jobs:
+ secrets:
+ name: Secret scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+
+ - name: Run secret scanner
+ uses: kronostechnologies/actions/scan-secrets@v0.0.20
+
+ sast:
+ name: SAST
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Setup Python
+ uses: equisoft-actions/setup-python@v1.0.0
+
+ - name: Run Semgrep
+ run: make check.sast
+
+ - name: Upload SAST report
+ uses: actions/upload-artifact@v2
+ if: always()
+ with:
+ name: semgrep-${{ inputs.working-directory }}.sarif
+ path: ${{ inputs.working-directory }}/build/reports/semgrep/semgrep.sarif
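Review bot: The Upload SAST report step derives both the artifact name and path from `inputs.working-directory`, which is optional with no default: with the input omitted the path becomes `/build/reports/semgrep/semgrep.sarif`, an absolute path at the filesystem root rather than under the checkout, and the name becomes `semgrep-.sarif`; with a nested value such as `apps/api` the name contains `/`, which upload-artifact rejects as an invalid artifact-name character. Give the input `default: '.'` and keep the directory out of the name, e.g. `name: semgrep-sarif` and `path: ${{ inputs.working-directory || '.' }}/build/reports/semgrep/semgrep.sarif`. `make check.sast` is also the only project command in this series that does not set `working-directory`, so for a project in a subdirectory the Makefile is looked up in the workspace root while the sibling workflow runs pipenv in the subdirectory; add `working-directory: ${{ inputs.working-directory }}` to that step. As this file is entered via `workflow_call`, a top-level `permissions: contents: read` would bound the token both jobs receive to what the full-history checkout needs.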