From 074f02872ec4c1d6911ddaa1e6f243e7e107ea24 Mon Sep 17 00:00:00 2001
From: Simon Merrick
Date: Sat, 12 Apr 2025 16:53:39 -0500
Subject: [PATCH 1/3] Security Pipeline GitHub
---
 .github/workflows/security.yml | 42 ++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 .github/workflows/security.yml
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 0000000..c1ab9bb
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,42 @@
+name: Security Checks
+
+on: [push, pull_request]
+
+jobs:
+ gitleaks:
+ name: Gitleaks
+ runs-on: ubuntu-latest
+ container:
+ image: zricethezav/gitleaks:latest
+ options: --entrypoint ""
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+ - name: Run Gitleaks
+ run: gitleaks git . --verbose --redact
+ # Uncomment the line below and comment out the above line to switch scan mode
+ # run: gitleaks dir . --verbose --redact
+
+ pip-audit:
+ name: Pip Audit
+ runs-on: ubuntu-latest
+ container: python:latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+ - name: Install pip-audit
+ run: pip install pip-audit
+ - name: Run pip-audit
+ run: pip-audit -r samples/requirements.txt
+
+ bandit:
+ name: Bandit
+ runs-on: ubuntu-latest
+ container: python:latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+ - name: Install Bandit
+ run: pip install bandit
+ - name: Run Bandit
+ run: bandit -x .venv -r .
\ No newline at end of file
From bcd54dc896f78c32d535de51f7b41f835035a514 Mon Sep 17 00:00:00 2001
From: Simon Merrick
Date: Sat, 12 Apr 2025 16:57:54 -0500
Subject: [PATCH 2/3] fix gitleaks
---
 .github/workflows/security.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index c1ab9bb..8155986 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
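Review bot: `gitleaks git .` in the Run Gitleaks step scans commit history, but the preceding `actions/checkout@v3` step runs with its default fetch-depth of 1, so the container holds only the single triggering commit and a secret that was committed earlier and later removed is never seen; add `with:` / `fetch-depth: 0` to the checkout step of the gitleaks job (the `safe.directory` step added in the next commit does not change this). The workflow sets no `permissions:` key, so all three jobs receive the repository's default `GITHUB_TOKEN` scope although none of them writes anything; a top-level `permissions:` with `contents: read` is the least-privilege form. `zricethezav/gitleaks:latest` and `python:latest` are mutable tags, so the scanner versions change between runs without any change to the repository; pinning them to a release tag or digest, and `actions/checkout` to a commit SHA, makes results reproducible and the tool supply chain auditable. The file is also written without a trailing newline, as the `\ No newline at end of file` marker shows.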
@@ -12,6 +12,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v3
+ - name: Mark repository as safe
+ run: git config --global --add safe.directory $GITHUB_WORKSPACE
 - name: Run Gitleaks
 run: gitleaks git . --verbose --redact
 # Uncomment the line below and comment out the above line to switch scan mode
From edeb38dcdec867667c08ea41393c6eedbed8bd79 Mon Sep 17 00:00:00 2001
From: Simon Merrick
Date: Sat, 12 Apr 2025 17:04:26 -0500
Subject: [PATCH 3/3] Update README.md
---
 README.md | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 222f379..7d85a96 100644
--- a/README.md
+++ b/README.md
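Review bot: The added Mark repository as safe step carries no comment explaining why it exists, and the subject "fix gitleaks" does not record the failure it works around, so the next maintainer has no reason not to delete it; a comment such as `# checkout is owned by a different uid than this container's user; without this git rejects the repo as "dubious ownership"` would capture that (presumably that is the cause, given the job runs inside a container image rather than directly on the runner — confirm against the failing run). `$GITHUB_WORKSPACE` is expanded unquoted by the shell; `"$GITHUB_WORKSPACE"` is the safer idiom even though the path currently contains no whitespace. The enclosing gitleaks job begins before and ends after this hunk.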
@@ -1,16 +1,19 @@ # Pipelines for Securing your Python Development Lifecycle -See it on [GitHub](https://github.com/iokiwi/python-security-pipelines) | [GitLab](https://gitlab.com/iokiwi/python-security-pipelines) +See it on [[GitHub](https://github.com/iokiwi/python-security-pipelines) | [GitLab](https://gitlab.com/iokiwi/python-security-pipelines)] Reference Repository from my Talk of the same title: [Pipelines for Securing your Python Development Lifecycle](https://docs.google.com/presentation/d/1hAYnZCIoPdgXLpZZsllKrhdKLscPrzpcAvUV5jrD8R4/edit?usp=sharing ) -Important files/directories +### Important files/directories - * [samples](samples/) - Contains samples of things that will cause the pipelines to fail - * [.gitlab-ci.yml](.gitlab-ci.yml) - Source code for the security pipelines - * Pipeline results: [GitLab](https://gitlab.com/iokiwi/python-security-pipelines/-/pipelines) | GitHub [TODO] - * .github/workflows/security.yml [TODO] +||| +|---|---| +[samples](samples/) | Contains samples of things that will cause the pipelines to fail +[.gitlab-ci.yml](.gitlab-ci.yml) | GitLab CI Config +[.github/workflows/security.yml](.github/workflows/security.yml) | GitHub CI Config +Pipeline results | [[GitLab](https://gitlab.com/iokiwi/python-security-pipelines/-/pipelines) \| [GitHub](https://github.com/iokiwi/python-security-pipelines/actions/)] +||| Please feel free to fork this repo and try it yourself. @@ -37,5 +40,4 @@ More reading and examples: [YAML Deserialization Attack in Python](https://net-s ## TODOs and Possible Enrichments - * Translate it to Github actions as well * Share some other usefull scripts for CI