DEV Community

epassaro

Identify and Report Vulnerable Dependencies in Conda-Based Projects with GitHub Actions

What I built

A GitHub Actions workflow that scans your Conda environment files for known Common Vulnerabilities and Exposures (CVEs).

It's worth mentioning that Dependabot does not support Conda environment files, and GitHub developers have stated that there are no plans to add this feature in the foreseeable future.

Category Submission:

DIY Deployments

App Link

Screenshots

Example report

Description

Looking for a Dependabot-like solution for your Conda-based project? Strengthen your repository's security with this GitHub Actions reusable workflow.

Implementing this workflow is straightforward: provide the path to your Conda environment file (YAML) and the workflow handles the rest.

Powered by jake, an open-source package from the Sonatype Community, this workflow checks your environment for vulnerable open-source packages by querying Sonatype's OSS Index.

If any vulnerabilities are detected, the workflow opens a new issue, or updates an existing one, listing the known CVEs and the affected packages.

You can also suppress specific CVEs by listing them in a text file, tailoring the checks to your needs.

And the best part is that this is not restricted to Python packages: packages in any programming language are supported, as long as they are distributed by the Conda package manager.
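The pipeline the description outlines (read the environment file, look packages up by name and version, apply the ignore list, write the issue), as an added example. This is not the workflow's own code and not jake's; the environment file, the ignore list and the `SCAN` result are constructed inline, and `SCAN` mimics only the fields of an OSS Index component report that are used here (package URL `coordinates`, a `vulnerabilities` list with `cve` and `cvssScore`). The CVE ids in it are real; the scores are illustrative. The check a practitioner wants is in `to_purls`: OSS Index matches a name@version pair, so a loose spec such as `python>=3.8` cannot be looked up from the file alone and is reported as not scanned rather than silently dropped.

```python
"""Sketch of the scan-and-report pipeline: parse a Conda environment file, map
pinned specs to package URLs, drop ignored CVEs and render the issue body.
Added example, not the workflow's or jake's code. Every input below is
constructed; SCAN only mimics the OSS Index report fields used here."""
import re

ENV_YAML = """\
name: demo
channels:
  - conda-forge
dependencies:
  - python=3.10.12
  - numpy=1.21.0
  - openssl=1.1.1k=h7f8727e_0
  - pip
  - pip:
    - requests==2.25.0
"""
IGNORE_TXT = """\
# accepted risk, one CVE id per line
CVE-2021-3711
"""
SCAN = [  # constructed report; the CVE ids are real, the scores illustrative
    {"coordinates": "pkg:conda/openssl@1.1.1k",
     "vulnerabilities": [{"cve": "CVE-2021-3711", "cvssScore": 9.8},
                         {"cve": "CVE-2021-3712", "cvssScore": 7.4}]},
    {"coordinates": "pkg:pypi/requests@2.25.0",
     "vulnerabilities": [{"cve": "CVE-2023-32681", "cvssScore": 6.1}]},
]
CONDA_SPEC = re.compile(r"^([A-Za-z0-9_.-]+)(?:=([^=]+)(?:=.*)?)?$")
PIP_SPEC = re.compile(r"^([A-Za-z0-9_.-]+)==([^;\s]+)")
EXACT_VERSION = re.compile(r"[0-9][0-9A-Za-z.+-]*")

def parse_environment(text):
    """(conda_specs, pip_specs) from the 'dependencies:' list, including a
    nested 'pip:' block; other top-level keys are skipped."""
    conda, pip, in_deps, pip_indent = [], [], False, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            in_deps, pip_indent = line.startswith("dependencies:"), None
            continue
        if not in_deps or not line.strip().startswith("- "):
            continue
        item = line.strip()[2:].strip()
        if item == "pip:":
            pip_indent = indent
        elif pip_indent is not None and indent > pip_indent:
            pip.append(item)
        else:
            pip_indent = None
            conda.append(item)
    return conda, pip

def to_purls(conda, pip):
    """Pinned specs become package URLs; the rest are 'unresolved', since
    OSS Index matches a name@version pair and a loose spec such as
    'python>=3.8' has no version to look up until the environment is solved."""
    purls, unresolved = [], []
    for spec in conda:
        m = CONDA_SPEC.match(spec)  # name=version[=build]; build is dropped
        if m and m.group(2) and EXACT_VERSION.fullmatch(m.group(2)):
            purls.append(f"pkg:conda/{m.group(1)}@{m.group(2)}")
        else:
            unresolved.append(spec)
    for spec in pip:
        m = PIP_SPEC.match(spec)  # only '==' pins carry a usable version
        if m:
            purls.append(f"pkg:pypi/{m.group(1).lower()}@{m.group(2)}")
        else:
            unresolved.append(spec)
    return purls, unresolved

def load_ignore(text):
    """CVE ids to suppress, one per line; lines starting with '#' are comments."""
    return {l.strip().upper() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}

def findings(scan, ignored):
    """(purl, cve, score) triples that were reported and are not ignored."""
    out = []
    for comp in scan:
        for vuln in comp.get("vulnerabilities", []):
            cve = vuln.get("cve")
            if cve and cve.upper() not in ignored:
                out.append((comp["coordinates"], cve, vuln.get("cvssScore")))
    return out

def render_issue(found, unresolved):
    """Markdown body for the tracking issue: one table row per finding, plus
    the specs that could not be scanned so they are not silently skipped."""
    lines = ["## Vulnerable dependencies", "", "| Package | CVE | CVSS |", "|---|---|---|"]
    lines += [f"| `{p}` | {c} | {'n/a' if s is None else s} |" for p, c, s in found]
    if unresolved:
        lines += ["", "Not scanned (no exact version): " + ", ".join(f"`{s}`" for s in unresolved)]
    return "\n".join(lines)
```

Usage: `conda, pip = parse_environment(ENV_YAML)`, then `purls, unresolved = to_purls(conda, pip)`, and `render_issue(findings(SCAN, load_ignore(IGNORE_TXT)), unresolved)` gives the issue body. With the sample inputs the ignored CVE-2021-3711 disappears, CVE-2021-3712 and CVE-2023-32681 remain, and the bare `pip` entry is listed as not scanned. In a real run the `SCAN` list would come from the scanner's output for `purls`; this sketch keeps it inline so it runs offline.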

Link to Source Code

Permissive License

MIT License

Background (What made you decide to build this particular app? What inspired you?)

The motivation to build this app stemmed from my personal experience as a solo developer working on Conda-based projects. It became evident that there was a significant gap in the availability of tools like Dependabot that could effectively address security concerns in this context.

Driven by the desire to bolster the security of my own projects, I embarked on the task of developing tools that could offer similar functionality to Dependabot. Participating in this hackathon provided the perfect opportunity to jumpstart this endeavor.

I am fully committed to the continuous improvement and expansion of these workflows beyond the hackathon.

How I built it (How did you utilize GitHub Actions or GitHub Codespaces? Did you learn something new along the way? Pick up a new skill?)

I built this workflow as a reusable solution, and it was my first time working with this type of workflow. While I had some familiarity with Azure Pipelines templates, reusable workflows offered a new and different experience. The beauty of reusable workflows is that they allow me to continue working on and adding features to the workflow, while making it easy for users to implement it in their repositories.

One of the great advantages of this workflow is its flexibility. Users can run different versions of the workflow based on release tags, branches, or commit SHA, giving them the ability to customize it according to their specific needs.

When it came to vulnerability scanning, I decided to use a specific version of jake that goes beyond checking vulnerabilities in just Python packages. It extends its reach to cover all packages distributed in the Conda ecosystem, which is a significant advantage compared to other alternatives available.

During the development process, I discovered the GitHub Advisory Database, which I wasn't previously aware of. This led me to create a nightly workflow that parses the database and generates a simple JSON file with package fixes for a given CVE. My plan is to use this information to enhance the generated report with more comprehensive details.
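The advisory-parsing step described above, as an added example (not the author's nightly workflow, whose code is not on this page). It assumes the advisories are the OSV-format JSON files the GitHub Advisory Database publishes, one file per GHSA id, and that a checkout is walked for `GHSA-*.json` files; the `SAMPLE_ADVISORIES` list is constructed (placeholder GHSA and CVE ids, apart from CVE-2023-32681, which is real). The output maps each CVE to the affected packages and their first fixed version, with `None` recorded when an advisory has no fix yet, which is the case a report should not paper over. Note that the database is keyed by ecosystems such as PyPI or npm, so a Conda package has to be mapped to its upstream ecosystem and name before a lookup.

```python
"""Index a GitHub Advisory Database checkout into CVE -> package -> fix map.
Added example, not the nightly workflow's code. Assumes OSV-format JSON
advisories (the format the database publishes) under a directory tree; the
layout walked by load_checkout and the sample advisories are constructed."""
import json
from pathlib import Path

SAMPLE_ADVISORIES = [  # constructed; placeholder ids except CVE-2023-32681
    {"id": "GHSA-0000-0000-0001", "aliases": ["CVE-2023-32681"],
     "affected": [{"package": {"ecosystem": "PyPI", "name": "requests"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "2.3.0"},
                                          {"fixed": "2.31.0"}]}]}]},
    {"id": "GHSA-0000-0000-0002", "aliases": [],  # no CVE assigned: skipped
     "affected": [{"package": {"ecosystem": "npm", "name": "example-a"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"},
                                          {"fixed": "1.0.1"}]}]}]},
    {"id": "GHSA-0000-0000-0003", "aliases": ["CVE-0000-0003"],  # no fix yet
     "affected": [{"package": {"ecosystem": "PyPI", "name": "example-b"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"}]}]}]},
]

def first_fixed(affected):
    """First 'fixed' version in any ECOSYSTEM range, or None when the
    advisory records no fix (the package is still vulnerable everywhere)."""
    for rng in affected.get("ranges", []):
        if rng.get("type") != "ECOSYSTEM":
            continue
        for event in rng.get("events", []):
            if "fixed" in event:
                return event["fixed"]
    return None

def index_advisories(advisories):
    """{cve: {'ecosystem:name': {'ghsa': id, 'fixed': version or None}}}.
    Advisories without a CVE alias are dropped; a CVE covering several
    packages gets one entry per package."""
    index = {}
    for adv in advisories:
        cves = [a for a in adv.get("aliases", []) if a.startswith("CVE-")]
        if not cves:
            continue
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            key = f"{pkg.get('ecosystem', '').lower()}:{pkg.get('name', '')}"
            entry = {"ghsa": adv["id"], "fixed": first_fixed(aff)}
            for cve in cves:
                index.setdefault(cve, {})[key] = entry
    return index

def fix_for(index, cve, ecosystem, name):
    """Fixed version for (cve, package); None if unfixed or not indexed."""
    return index.get(cve, {}).get(f"{ecosystem.lower()}:{name}", {}).get("fixed")

def load_checkout(root):
    """Read every GHSA-*.json below root (assumed checkout layout) and index it."""
    advisories = []
    for path in Path(root).rglob("GHSA-*.json"):
        with open(path, encoding="utf-8") as fh:
            advisories.append(json.load(fh))
    return index_advisories(advisories)

def dump(index):
    """Stable JSON text, suitable for committing from a nightly job."""
    return json.dumps(index, indent=2, sort_keys=True)
```

Usage: `dump(load_checkout("advisory-database"))` on a checkout writes the JSON artifact; `index_advisories(SAMPLE_ADVISORIES)` exercises the same logic offline. `sort_keys=True` keeps the nightly diff readable, since only advisories that actually changed produce churn.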

Additional Resources/Info
