.github/workflows/dependency.yml

---
name: 'Dependency Review'
on: [pull_request]

permissions:
  contents: read

jobs:
  req-files:
    runs-on: ubuntu-latest
    outputs:
      reqfiles: ${{ steps.get-files.outputs.REQLIST }}
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - id: get-files
        run:
          echo "REQLIST=$(find . -name 'requirements*.txt' -print  | jq -R -s -c 'split("\n")[:-1]')" >> $GITHUB_OUTPUT
  dependency-review:
    needs: req-files
    strategy:
      matrix:
        python: [ 3.8, 3.9, "3.10" ]
        os: [ubuntu-latest]
        files: ${{ fromJSON(needs.req-files.outputs.reqfiles) }} 
    runs-on: ${{ matrix.os }}
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: Set up Python ${{ matrix.python }}
        uses: actions/setup-python@v4
        with:
          python-version: ${{ matrix.python }}
      - name: Install pip-audit on non-Windows
        run: |
          pip install "pip-audit>=2.5.3"
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v3
      - name: 'Pip Audit'
        uses: pypa/gh-action-pip-audit@v1.0.6
        with:
          inputs: ${{ matrix.files }}

  rust-files:
    runs-on: ubuntu-latest
    outputs:
      rustfiles: ${{ steps.get-rust-files.outputs.RUSTLIST }}
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - id: get-rust-files
        run:
          echo "RUSTLIST=$(find . -type f -name "Cargo.toml" -exec dirname "{}" \; | jq -R -s -c 'split("\n")[:-1]')" >> $GITHUB_OUTPUT
  rust_security_audit:
    runs-on: ubuntu-latest
    needs: rust-files
    strategy:
      matrix:
        files: ${{ fromJSON(needs.rust-files.outputs.rustfiles) }} 
    steps:
      - uses: actions/checkout@v3
      - run: cd $GITHUB_WORKSPACE && mv ${{ matrix.files }}/* .
      - uses: actions-rs/audit-check@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

  go_scan:
    runs-on: ubuntu-latest
    env:
      GO111MODULE: on
    steps:
      - uses: actions/checkout@v3
      - name: Run Gosec Security Scanner
        uses: securego/gosec@master
        with:
          args: '-no-fail -fmt sarif -out results.sarif ./...'
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif