[CICD, DOCS] add templates' dependency vulnerable checking workflow, add commands at Makefile #36
Conversation
…mmands at Makefile
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Pull request overview
This pull request adds automated security vulnerability scanning for FastAPI project templates and enhances the documentation translation workflow. The changes introduce a weekly GitHub Actions workflow to scan template dependencies for vulnerabilities using pip-audit, along with new Makefile commands for easier translation and coverage reporting workflows.
Changes:
- Added weekly scheduled GitHub Actions workflow for template dependency security scanning
- Enhanced translation script with support for GitHub Models API, rate limiting, chunking for large documents, and improved error handling
- Added Makefile commands for documentation translation and detailed coverage reporting
- Updated documentation with Korean translations and improved contribution guides
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| .github/workflows/template-security-scan.yml | New workflow for weekly security scanning of template dependencies with automated issue creation |
| scripts/translate.py | Enhanced with GitHub Models API support, rate limiting, text chunking, and improved error handling |
| Makefile | Added translate and coverage-report commands for simplified developer workflow |
| docs/ko/index.md | Korean translation of main documentation index |
| docs/ko/changelog.md | Korean changelog reference file |
| docs/en/contributing/translation-guide.md | Updated with Make command examples for translation |
| docs/en/contributing/development-setup.md | Added documentation for new Make commands |
| CONTRIBUTING.md | Updated with new Make commands and examples |
| TEMPLATE_DIR="src/fastapi_fastkit/fastapi_project_template" | ||
| RESULTS_FILE="security_scan_results.json" | ||
| SCAN_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") | ||
| # Initialize results | ||
| echo '{' > $RESULTS_FILE | ||
| echo ' "scan_date": "'$SCAN_DATE'",' >> $RESULTS_FILE | ||
| echo ' "templates": [' >> $RESULTS_FILE | ||
| TEMPLATES_INPUT="${{ github.event.inputs.templates }}" | ||
| FIRST_TEMPLATE=true | ||
| TOTAL_VULNERABILITIES=0 | ||
| AFFECTED_TEMPLATES="" | ||
| for template_dir in $TEMPLATE_DIR/fastapi-*/; do | ||
| template_name=$(basename "$template_dir") | ||
| # Skip if specific templates are requested and this isn't one | ||
| if [ -n "$TEMPLATES_INPUT" ]; then | ||
| if ! echo "$TEMPLATES_INPUT" | grep -q "$template_name"; then | ||
| continue | ||
| fi | ||
| fi | ||
| req_file="$template_dir/requirements.txt-tpl" | ||
| if [ -f "$req_file" ]; then | ||
| echo "🔍 Scanning $template_name..." | ||
| # Create temp requirements file | ||
| temp_req=$(mktemp) | ||
| cp "$req_file" "$temp_req" | ||
| # Run pip-audit and capture output | ||
| audit_output=$(pip-audit -r "$temp_req" --format json 2>/dev/null || echo '[]') | ||
| rm "$temp_req" | ||
| # Count vulnerabilities | ||
| vuln_count=$(echo "$audit_output" | python3 -c "import sys, json; data = json.load(sys.stdin); print(len(data))" 2>/dev/null || echo "0") | ||
| if [ "$vuln_count" -gt 0 ]; then | ||
| TOTAL_VULNERABILITIES=$((TOTAL_VULNERABILITIES + vuln_count)) | ||
| AFFECTED_TEMPLATES="$AFFECTED_TEMPLATES $template_name" | ||
| echo "⚠️ Found $vuln_count vulnerabilities in $template_name" | ||
| else | ||
| echo "✅ No vulnerabilities in $template_name" | ||
| fi | ||
| # Add to JSON | ||
| if [ "$FIRST_TEMPLATE" = true ]; then | ||
| FIRST_TEMPLATE=false | ||
| else | ||
| echo ' ,' >> $RESULTS_FILE | ||
| fi | ||
| echo ' {' >> $RESULTS_FILE | ||
| echo ' "name": "'$template_name'",' >> $RESULTS_FILE | ||
| echo ' "vulnerability_count": '$vuln_count',' >> $RESULTS_FILE | ||
| echo ' "vulnerabilities": '$audit_output >> $RESULTS_FILE | ||
| echo ' }' >> $RESULTS_FILE | ||
| fi | ||
| done | ||
| echo ' ],' >> $RESULTS_FILE | ||
| echo ' "total_vulnerabilities": '$TOTAL_VULNERABILITIES',' >> $RESULTS_FILE | ||
| echo ' "affected_templates": "'$(echo $AFFECTED_TEMPLATES | xargs)'"' >> $RESULTS_FILE | ||
| echo '}' >> $RESULTS_FILE | ||
| # Set outputs for later steps | ||
| echo "total_vulnerabilities=$TOTAL_VULNERABILITIES" >> $GITHUB_OUTPUT | ||
| echo "affected_templates=$AFFECTED_TEMPLATES" >> $GITHUB_OUTPUT |
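Review bot: the `|| echo '[]'` fallback on the pip-audit line (`audit_output=$(pip-audit -r "$temp_req" --format json 2>/dev/null || echo '[]')`) hides exactly the findings the scan exists to report. pip-audit exits non-zero when it finds vulnerabilities, so in that case the command substitution captures the JSON report followed by `[]`, the `json.load` on the next line fails, and `vuln_count` falls back to `0`; a template with findings is logged as "No vulnerabilities". Capture stdout regardless of the exit status (`audit_output=$(pip-audit -r "$temp_req" --format json 2>/dev/null) || true`) and treat unparsable output as a scan error, not a clean result. The count is wrong even when parsing succeeds: `print(len(data))` assumes a top-level list, but pip-audit's JSON report is an object with `dependencies` (each carrying its own `vulns` list) and `fixes` keys, so the expression yields the number of keys rather than the number of findings; sum `len(d["vulns"])` over `data["dependencies"]` instead. Separately, `TEMPLATES_INPUT="${{ github.event.inputs.templates }}"` splices the workflow_dispatch input into the script text before bash runs it, so a value containing a double quote or `$(...)` becomes shell code; pass it through the step's `env:` block (`TEMPLATES_INPUT: ${{ github.event.inputs.templates }}`) and read `"$TEMPLATES_INPUT"` from the environment.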
Copilot
AI
Jan 22, 2026
The variables RESULTS_FILE, SCAN_DATE, TEMPLATE_DIR, and others should be quoted in shell commands to prevent word splitting issues. For example, line 41 should be echo '{' > "$RESULTS_FILE" instead of echo '{' > $RESULTS_FILE.
| for template_dir in $TEMPLATE_DIR/fastapi-*/; do | ||
| template_name=$(basename "$template_dir") | ||
| # Skip if specific templates are requested and this isn't one | ||
| if [ -n "$TEMPLATES_INPUT" ]; then | ||
| if ! echo "$TEMPLATES_INPUT" | grep -q "$template_name"; then | ||
| continue | ||
| fi | ||
| fi | ||
| req_file="$template_dir/requirements.txt-tpl" | ||
| if [ -f "$req_file" ]; then | ||
| echo "🔍 Scanning $template_name..." | ||
| # Create temp requirements file | ||
| temp_req=$(mktemp) | ||
| cp "$req_file" "$temp_req" | ||
| # Run pip-audit and capture output | ||
| audit_output=$(pip-audit -r "$temp_req" --format json 2>/dev/null || echo '[]') | ||
| rm "$temp_req" | ||
| # Count vulnerabilities | ||
| vuln_count=$(echo "$audit_output" | python3 -c "import sys, json; data = json.load(sys.stdin); print(len(data))" 2>/dev/null || echo "0") | ||
| if [ "$vuln_count" -gt 0 ]; then | ||
| TOTAL_VULNERABILITIES=$((TOTAL_VULNERABILITIES + vuln_count)) | ||
| AFFECTED_TEMPLATES="$AFFECTED_TEMPLATES $template_name" | ||
| echo "⚠️ Found $vuln_count vulnerabilities in $template_name" | ||
| else | ||
| echo "✅ No vulnerabilities in $template_name" | ||
| fi | ||
| # Add to JSON | ||
| if [ "$FIRST_TEMPLATE" = true ]; then | ||
| FIRST_TEMPLATE=false | ||
| else | ||
| echo ' ,' >> $RESULTS_FILE | ||
| fi | ||
| echo ' {' >> $RESULTS_FILE | ||
| echo ' "name": "'$template_name'",' >> $RESULTS_FILE | ||
| echo ' "vulnerability_count": '$vuln_count',' >> $RESULTS_FILE | ||
| echo ' "vulnerabilities": '$audit_output >> $RESULTS_FILE | ||
| echo ' }' >> $RESULTS_FILE | ||
| fi | ||
| done |
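Review bot: the template filter at `if ! echo "$TEMPLATES_INPUT" | grep -q "$template_name"; then` is a substring and regex match rather than a name match: requesting `fastapi-default` also selects every template whose name contains that string, and any regex metacharacter in a template name widens the match further. Compare whole names instead, for example `case " $TEMPLATES_INPUT " in *" $template_name "*) ;; *) continue ;; esac` after normalising commas to spaces, or `grep -qxF` against one requested name per line. Further down, `echo ' "vulnerabilities": '$audit_output >> $RESULTS_FILE` writes the report unquoted, so word splitting and pathname expansion run over the JSON text: a `*` or `?` inside a vulnerability description expands to file names in the working directory and corrupts the document; `"name": "'$template_name'"` has the same exposure. Quote both (`"$audit_output"`, `"$template_name"`), or better, pass the pieces to `python3 -c` or `jq` and let a JSON serializer assemble `$RESULTS_FILE` instead of echo. Note that the empty-loop case is already valid JSON here, because the separating `,` is written before each entry after the first, so an unmatched filter yields `"templates": [ ],`; the empty case that does need handling is pip-audit producing no report at all.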
Copilot
AI
Jan 22, 2026
The loop at line 50 does not properly handle the case where no templates are found or no templates match the input filter. If FIRST_TEMPLATE remains true after the loop, it will generate invalid JSON with a trailing comma in the templates array. Consider tracking whether any templates were processed and adjusting the JSON generation accordingly.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
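Both review comments above concern how the workflow's `run:` script counts pip-audit findings and assembles `security_scan_results.json` with echo. As an added example, not code from this PR or the fastapi-fastkit project, the following Python does the same aggregation with the json module. It assumes the report layout pip-audit's `--format json` produces (an object with `dependencies` and `fixes` keys, with findings nested under each dependency's `vulns` list), and the sample reports, package names and advisory ids in it are constructed placeholders, not real findings.

```python
"""Aggregate pip-audit JSON reports into one results document.

Added example, not the PR's workflow code. Assumes pip-audit's --format json
layout: {"dependencies": [{"name", "version", "vulns": [...]}, ...], "fixes": [...]}.
Findings are nested per dependency, so the count is the sum of the vulns
lengths, not the length of the top-level object.
"""
from __future__ import annotations

import json
import subprocess
from datetime import datetime, timezone
from pathlib import Path


def count_vulns(report: dict) -> int:
    """Number of findings in one report (a clean package has an empty vulns list)."""
    return sum(len(dep.get("vulns", [])) for dep in report.get("dependencies", []))


def findings(report: dict) -> list[dict]:
    """Flatten per-dependency findings into one list, keeping the package each applies to."""
    flat = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            flat.append({"package": dep["name"], "version": dep["version"], **vuln})
    return flat


def run_pip_audit(requirements: Path) -> dict:
    """Run pip-audit on a requirements file and parse its JSON report.

    pip-audit exits 1 when it finds vulnerabilities, so the exit status alone
    cannot separate "findings" from "failed to run"; whether stdout parses can.
    """
    proc = subprocess.run(
        ["pip-audit", "-r", str(requirements), "--format", "json"],
        capture_output=True, text=True, check=False,
    )
    try:
        return json.loads(proc.stdout)
    except json.JSONDecodeError:
        raise RuntimeError(
            f"pip-audit produced no JSON report for {requirements} "
            f"(exit {proc.returncode}): {proc.stderr.strip()}"
        ) from None


def select_templates(available: list[str], requested: str) -> list[str]:
    """Exact-name filter for a workflow_dispatch input; an empty input selects every template."""
    wanted = {name for name in requested.replace(",", " ").split() if name}
    return [name for name in available if not wanted or name in wanted]


def summarize(reports: dict[str, dict], scan_date: str | None = None) -> dict:
    """Build the results document with a serializer, so names and descriptions cannot break it."""
    templates = []
    affected = []
    for name, report in reports.items():
        n = count_vulns(report)
        if n:
            affected.append(name)
        templates.append({"name": name, "vulnerability_count": n, "vulnerabilities": findings(report)})
    return {
        "scan_date": scan_date or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "templates": templates,
        "total_vulnerabilities": sum(t["vulnerability_count"] for t in templates),
        "affected_templates": " ".join(affected),
    }


# Constructed sample reports in pip-audit's layout; package names, versions and
# advisory ids are placeholders, not real findings. The "*any* file?" text shows
# glob characters surviving intact, which the echo-based assembly cannot promise.
SAMPLE_REPORT_WITH_FINDINGS = {
    "dependencies": [
        {"name": "examplepkg", "version": "1.0.0", "vulns": [
            {"id": "EXAMPLE-0001", "fix_versions": ["1.0.1"], "aliases": [], "description": "placeholder (*any* file?)"},
            {"id": "EXAMPLE-0002", "fix_versions": ["1.1.0"], "aliases": [], "description": "placeholder"},
        ]},
        {"name": "otherpkg", "version": "0.9.0", "vulns": [
            {"id": "EXAMPLE-0003", "fix_versions": [], "aliases": [], "description": "placeholder"},
        ]},
        {"name": "cleanpkg", "version": "2.0.0", "vulns": []},
    ],
    "fixes": [],
}
SAMPLE_CLEAN_REPORT = {"dependencies": [{"name": "cleanpkg", "version": "2.0.0", "vulns": []}], "fixes": []}


if __name__ == "__main__":
    # Offline run on the constructed reports; for a real scan, map each template
    # name to run_pip_audit(Path(template_dir) / "requirements.txt-tpl").
    reports = {"fastapi-default": SAMPLE_REPORT_WITH_FINDINGS, "fastapi-async": SAMPLE_CLEAN_REPORT}
    doc = summarize(reports, scan_date="2026-01-22T00:00:00Z")
    Path("security_scan_results.json").write_text(json.dumps(doc, indent=2))
    print(json.dumps(doc, indent=2))
```

Feeding `summarize` a mapping of template name to `run_pip_audit(...)` result produces the same keys the workflow emits (`scan_date`, `templates`, `total_vulnerabilities`, `affected_templates`), with counts that survive pip-audit's non-zero exit on findings; `len(SAMPLE_REPORT_WITH_FINDINGS)` is 2 (its two keys) while `count_vulns` returns 3, which is the discrepancy the echo-and-`len` approach hides.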
Requesting Merging
Description
same as title
Type of Change
Test Environment
local, M1 Mac
Major Changes
scripts/ folder scripts)
Screenshots (optional)
N/A
Etc