From 37499dfac2d88586af78ecb362095a82367309f7 Mon Sep 17 00:00:00 2001
From: Alex Lowe
Date: Wed, 25 Sep 2024 19:47:03 -0400
Subject: [PATCH] ci: add security scan workflow
---
 .github/workflows/security-scan.yaml | 16 ++++++++++++++++
 osv-scanner.toml | 4 ++++
 requirements-jammy.txt | 2 +-
 3 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/security-scan.yaml
 create mode 100644 osv-scanner.toml
diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml
new file mode 100644
index 000000000..34ab84c2b
--- /dev/null
+++ b/.github/workflows/security-scan.yaml
@@ -0,0 +1,16 @@
+name: Security scan
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+ - hotfix/*
+
+jobs:
+ python-scans:
+ name: Scan Python project
+ uses: lengau/starflow/.github/workflows/scan-python.yaml@work/secscan
+ with:
+ packages: python-apt-dev
+ osv-extra-args: '--config=source/osv-scanner.toml'
+ trivy-extra-args: '--severity HIGH,CRITICAL --ignore-unfixed --skip-dirs "tests/spread/**"'
diff --git a/osv-scanner.toml b/osv-scanner.toml
new file mode 100644
index 000000000..17da2fac1
--- /dev/null
+++ b/osv-scanner.toml
@@ -0,0 +1,4 @@
+[[IgnoredVulns]]
+id = "CVE-2024-35195"
+ignoreUntil = "2025-01-01T00:00:00Z"
+reason = "Needed for requests-unixsocket, which we're replacing with requests-unixsocket2"
diff --git a/requirements-jammy.txt b/requirements-jammy.txt
index 94c1f954f..c7330b54f 100644
--- a/requirements-jammy.txt
+++ b/requirements-jammy.txt
@@ -1 +1 @@
-https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-apt/2.4.0ubuntu2/python-apt_2.4.0ubuntu2.tar.xz ; sys_platform == 'linux'
+python-apt @ https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-apt/2.4.0ubuntu2/python-apt_2.4.0ubuntu2.tar.xz ; sys_platform == 'linux'
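Review bot: The reusable workflow on the `uses:` line is pulled from a personal fork at a mutable branch ref (`lengau/starflow/.github/workflows/scan-python.yaml@work/secscan`), so anyone who can push to that branch decides what runs in this repository's CI with this job's token; pin it to a full commit SHA, `uses: lengau/starflow/.github/workflows/scan-python.yaml@<pinned-commit-sha>` (placeholder), or to a tag on the upstream organisation once the branch lands, and add a top-level `permissions:` block (`contents: read`, plus only what the called workflow documents it needs, for example `security-events: write` if it uploads SARIF) so the callee cannot inherit more than that. The `on:` triggers are `pull_request` and pushes to `main`/`hotfix/*` only, so an advisory published against an unchanged dependency is not noticed until someone next pushes; a `schedule:` cron trigger would close that gap. `--ignore-unfixed` in `trivy-extra-args` is a reasonable noise trade-off, but it also hides findings that have no upstream fix yet; a short comment above the line recording that this is intentional would save the next reader from "fixing" it.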
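Review bot: `ignoreUntil` is written as a quoted string (`ignoreUntil = "2025-01-01T00:00:00Z"`), whereas osv-scanner's documented config example, as far as I recall, gives the expiry as a bare TOML date; if the loader expects a native TOML datetime here a string may be rejected or ignored, which would either break config loading or turn this time-boxed exception into a permanent one, so confirm against the osv-scanner version the workflow runs and otherwise write `ignoreUntil = 2025-01-01T00:00:00Z`. The `reason` says why the CVE is tolerated but not where the replacement work is tracked; appending the tracking reference to it (`reason = "... tracked in <issue-or-PR-reference>"`, placeholder) makes it easy to judge whether the ignore is still justified when the date passes.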
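Review bot: Naming the direct-URL requirement lets the scanners identify `python-apt`, but the sdist is still fetched from launchpad.net with no integrity pin, so an altered archive at that URL would install without complaint. If I recall pip's behaviour correctly it accepts hashes on archive URL requirements, so `python-apt @ https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-apt/2.4.0ubuntu2/python-apt_2.4.0ubuntu2.tar.xz ; sys_platform == 'linux' --hash=sha256:<sdist-sha256-placeholder>` would pin it, bearing in mind that hash-checking mode then applies to every requirement installed alongside it.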