Dependency Review and Vulnerability Scan workflow (Nya-Foundation/NyaProxy)
The Dependency Review and Vulnerability Scan workflow from Nya-Foundation/NyaProxy, explained and optimized by Latchkey.
CI health: A - excellent
Point runs-on at Latchkey and get job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Dependency Review and Vulnerability Scan workflow from the Nya-Foundation/NyaProxy repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
# .github/workflows/dependency-review.yml
name: Dependency Review and Vulnerability Scan
on:
push:
branches-ignore:
- 'main'
- 'staging'
- 'dev'
paths:
- 'pyproject.toml'
- 'setup.py'
- 'setup.cfg'
- '**/*requirements*.txt'
- 'Pipfile'
- 'Pipfile.lock'
pull_request:
branches: ['staging', 'dev']
paths:
- 'pyproject.toml'
- 'setup.py'
- 'setup.cfg'
- '**/*requirements*.txt'
- 'Pipfile'
- 'Pipfile.lock'
workflow_dispatch:
# Updated permissions to allow for code scanning alerts
permissions:
contents: read
security-events: write
# Cancel outdated workflow runs on the same branch/PR
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
dependency-review:
name: Scan Dependencies
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Dependency Review
# This action scans dependency manifest files for known vulnerabilities
# using the GitHub Advisory Database and can check for license compliance.
# See: https://github.com/actions/dependency-review-action
uses: actions/dependency-review-action@v4
with:
# The base branch for the pull request or the main branch for pushes
base-ref: ${{ github.event.pull_request.base.sha || 'main' }}
head-ref: ${{ github.sha }}
# Scan for vulnerabilities reported in the GitHub Advisory Database
vulnerability-check: true
# Fail the workflow if any vulnerabilities with 'high' or 'critical' severity are found.
# Allowed values: low, moderate, high, critical
fail-on-severity: high
# Uncomment based on your license policy
allow-licenses: MIT, Apache-2.0, BSD-3-Clause, ISC, 0BSD, Python-2.0
codeql-analysis:
name: CodeQL SAST Analysis
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: python
# Optional: specify queries for additional security checks
# queries: security-extended,security-and-quality
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:python"
upload: trueThe same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
# .github/workflows/dependency-review.yml name: Dependency Review and Vulnerability Scan on: push: branches-ignore: - 'main' - 'staging' - 'dev' paths: - 'pyproject.toml' - 'setup.py' - 'setup.cfg' - '**/*requirements*.txt' - 'Pipfile' - 'Pipfile.lock' pull_request: branches: ['staging', 'dev'] paths: - 'pyproject.toml' - 'setup.py' - 'setup.cfg' - '**/*requirements*.txt' - 'Pipfile' - 'Pipfile.lock' workflow_dispatch: # Updated permissions to allow for code scanning alerts permissions: contents: read security-events: write # Cancel outdated workflow runs on the same branch/PR concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true jobs: dependency-review: timeout-minutes: 30 name: Scan Dependencies runs-on: latchkey-small steps: - name: Checkout Repository uses: actions/checkout@v4 with: fetch-depth: 0 - name: Dependency Review # This action scans dependency manifest files for known vulnerabilities # using the GitHub Advisory Database and can check for license compliance. # See: https://github.com/actions/dependency-review-action uses: actions/dependency-review-action@v4 with: # The base branch for the pull request or the main branch for pushes base-ref: ${{ github.event.pull_request.base.sha || 'main' }} head-ref: ${{ github.sha }} # Scan for vulnerabilities reported in the GitHub Advisory Database vulnerability-check: true # Fail the workflow if any vulnerabilities with 'high' or 'critical' severity are found. # Allowed values: low, moderate, high, critical fail-on-severity: high # Uncomment based on your license policy allow-licenses: MIT, Apache-2.0, BSD-3-Clause, ISC, 0BSD, Python-2.0 codeql-analysis: timeout-minutes: 30 name: CodeQL SAST Analysis runs-on: latchkey-small steps: - name: Checkout Repository uses: actions/checkout@v4 with: fetch-depth: 0 - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: languages: python # Optional: specify queries for additional security checks # queries: security-extended,security-and-quality - name: Autobuild uses: github/codeql-action/autobuild@v3 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: category: "/language:python" upload: true
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Add a job timeout so a hung step cannot burn hours of runner time.
This workflow runs 2 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.