From 4833ef2a65d2ef91a227a3178e634784d46f8982 Mon Sep 17 00:00:00 2001 From: Gowtham Rao MD PhD Date: Fri, 15 May 2026 15:05:40 -0400 Subject: [PATCH 1/9] feat: add OSV-Scanner workflow --- .github/workflows/osv-scanner.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 .github/workflows/osv-scanner.yml diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml new file mode 100644 index 00000000..5b8eed0d --- /dev/null +++ b/.github/workflows/osv-scanner.yml @@ -0,0 +1,18 @@ +name: OSV-Scanner +on: + push: + branches: [main, coreason-develop] + pull_request: + branches: [main, coreason-develop] + schedule: + - cron: '0 0 * * 1' + +permissions: + actions: read + security-events: write + contents: read + +jobs: + scan: + name: OSV-Scanner + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.9.1" From 24b5862ee61aee6d87d14d303d5af1bd9fdcd95f Mon Sep 17 00:00:00 2001 From: Gowtham Rao MD PhD Date: Fri, 15 May 2026 15:31:14 -0400 Subject: [PATCH 2/9] feat: add security scanning suite (Scorecard, CodeQL, Bandit) --- .github/workflows/bandit.yml | 33 +++++++++++++++++++++++++ .github/workflows/codeql.yml | 43 +++++++++++++++++++++++++++++++++ .github/workflows/scorecard.yml | 37 ++++++++++++++++++++++++++++ 3 files changed, 113 insertions(+) create mode 100644 .github/workflows/bandit.yml create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml new file mode 100644 index 00000000..f5ab9b2e --- /dev/null +++ b/.github/workflows/bandit.yml 
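Review bot: The reusable workflow in `.github/workflows/osv-scanner.yml` is referenced by a mutable tag, `@v1.9.1`, so anyone able to move that tag upstream changes what runs here with `security-events: write`. Pin the `uses:` reference to the full commit SHA that the v1.9.1 release resolves to and keep the tag as a trailing comment, i.e. `...osv-scanner-reusable.yml@<full-commit-sha> # v1.9.1`, where the SHA is a placeholder to be resolved from the upstream repository. The write scope is also granted at workflow level for every trigger; declaring the `permissions:` block on the `scan` job instead keeps the workflow default read-only.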
@@ -0,0 +1,33 @@
+name: Bandit Security Scan
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '0 0 * * *'
+
+permissions:
+ contents: read
+ security-events: write
+ actions: read
+
+jobs:
+ bandit:
+ name: Bandit Scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - name: "Install Bandit"
+ run: pip install bandit
+
+ - name: "Run Bandit"
+ run: bandit -r . -f sarif -o bandit-results.sarif || true
+
+ - name: "Upload Bandit results"
+ uses: github/codeql-action/upload-sarif@6bb03452f061539696ff75efb888a30644b1dce9 # v3.28.8
+ with:
+ sarif_file: 'bandit-results.sarif'
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..ea13eb4f
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,43 @@
+name: "CodeQL Analysis"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '30 0 * * 1'
+
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'python', 'javascript-typescript' ]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@6bb03452f061539696ff75efb888a30644b1dce9 # v3.28.8
+ with:
+ languages: ${{ matrix.language }}
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@6bb03452f061539696ff75efb888a30644b1dce9 # v3.28.8
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@6bb03452f061539696ff75efb888a30644b1dce9 # v3.28.8
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 00000000..2fe255ce
--- /dev/null
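Review bot: In `.github/workflows/bandit.yml` the `Run Bandit` step ends in `|| true`, which hides every failure, not only "findings were reported": if Bandit crashes or cannot write SARIF, the step still passes and the problem shows up, at best, as a missing file in the upload step. Bandit has an `--exit-zero` flag for the findings case, so `run: bandit -r . -f sarif -o bandit-results.sarif --exit-zero` keeps real errors visible. The checkout step could also set `persist-credentials: false`, as the Scorecard workflow in this same commit does, since nothing later in the job needs the token left in the git config.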
+++ b/.github/workflows/scorecard.yml @@ -0,0 +1,37 @@ +name: Scorecard supply-chain security +on: + branch_protection_rule: + schedule: + - cron: '30 1 * * 6' + push: + branches: [ "main" ] + +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + security-events: write + id-token: write + contents: read + actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + - name: "Upload results" + uses: github/codeql-action/upload-sarif@6bb03452f061539696ff75efb888a30644b1dce9 # v3.28.8 + with: + sarif_file: results.sarif From fa9f8cf10a6330ab30c5a10925d80e1e1d8cc268 Mon Sep 17 00:00:00 2001 From: Gowtham Rao MD PhD Date: Fri, 15 May 2026 15:46:26 -0400 Subject: [PATCH 3/9] chore(security): harden github actions permissions and pin actions to SHAs --- .github/workflows/advanced-security.yml | 29 +++++++++++++++++++++++++ .github/workflows/bandit.yml | 9 ++++---- .github/workflows/ci.yml | 11 ++++++++-- .github/workflows/codeql.yml | 5 +---- .github/workflows/container-scan.yml | 3 +-- .github/workflows/nightly-fuzzing.yml | 5 +++-- .github/workflows/osv-scanner.yml | 11 +++++----- .github/workflows/publish.yml | 13 ++++++----- .github/workflows/security.yml | 11 ++++++---- 9 files changed, 68 insertions(+), 29 deletions(-) create mode 100644 .github/workflows/advanced-security.yml diff --git a/.github/workflows/advanced-security.yml b/.github/workflows/advanced-security.yml new file mode 100644 index 00000000..0534f490 --- /dev/null +++ b/.github/workflows/advanced-security.yml 
@@ -0,0 +1,29 @@ +name: Advanced Security Audit +on: + pull_request: + branches: [ coreason-develop, main ] + +permissions: read-all + +jobs: + dependency-review: + name: Dependency Review + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.1 + with: + egress-policy: audit + + - name: Checkout Repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Dependency Review + uses: actions/dependency-review-action@72eb03d02c78a00354b586144b3b890176945676 # v4.5.0 + with: + comment-summary-in-pr: always + fail-on-severity: high + deny-licenses: AGPL-1.0, AGPL-3.0, GPL-1.0, GPL-2.0, GPL-3.0, LGPL-2.0, LGPL-2.1, LGPL-3.0 diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index f5ab9b2e..691ec126 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml @@ -8,15 +8,16 @@ on: schedule: - cron: '0 0 * * *' -permissions: - contents: read - security-events: write - actions: read +permissions: read-all jobs: bandit: name: Bandit Scan runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + actions: read steps: - name: "Checkout code" uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index beaef9d9..0cf09928 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -7,8 +7,7 @@ on: - develop pull_request: -permissions: - contents: read +permissions: read-all env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" 
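Review bot: The `deny-licenses` list in `advanced-security.yml` uses only the bare SPDX identifiers (`GPL-3.0`, `AGPL-3.0`, `LGPL-2.1`, …), which SPDX has deprecated in favour of the `-only` and `-or-later` forms. A dependency that declares `GPL-3.0-or-later` or `AGPL-3.0-only` may therefore not match the list, depending on how the action compares identifiers; confirm this against the action's documentation and add the suffixed forms if they are needed. Separately, `egress-policy: audit` only records outbound traffic, so a comment such as `# audit only: logs egress, does not block` would stop the step being read as enforcement.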
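Review bot: Replacing `permissions: contents: read` with `permissions: read-all` at the top of `ci.yml` widens the default token rather than narrowing it, because `read-all` grants read on every scope where the old block granted read on repository contents only. Jobs that receive their own `permissions:` block in this commit are unaffected, but any job without one now inherits the broader default; the same replacement is made in `container-scan.yml` and `nightly-fuzzing.yml`, and the `container-scan.yml` hunk shows no job-level block being added. Keeping `contents: read` (or `permissions: {}`) at workflow level and granting extras per job gives the least-privilege result the commit title describes. The job definitions lie outside these hunks, so each one needs checking.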
@@ -21,6 +20,8 @@ jobs: lint-and-audit: runs-on: [self-hosted, hetzner, x64] timeout-minutes: 30 + permissions: + contents: read env: TEMPORAL_CI_NAMESPACE: ci-${{ github.repository_id }}-${{ github.run_id }}-${{ github.run_attempt }}-${{ github.job }} COMPOSE_PROJECT_NAME: ci-${{ github.repository_id }}-${{ github.run_id }}-${{ github.run_attempt }}-${{ github.job }} @@ -102,6 +103,8 @@ jobs: security-sast: runs-on: [self-hosted, hetzner, x64] timeout-minutes: 30 + permissions: + contents: read env: TEMPORAL_CI_NAMESPACE: ci-${{ github.repository_id }}-${{ github.run_id }}-${{ github.run_attempt }}-${{ github.job }} COMPOSE_PROJECT_NAME: ci-${{ github.repository_id }}-${{ github.run_id }}-${{ github.run_attempt }}-${{ github.job }} @@ -153,6 +156,8 @@ jobs: if: always() && needs.lint-and-audit.result == 'success' && needs.security-sast.result == 'success' runs-on: [self-hosted, hetzner, x64] timeout-minutes: 30 + permissions: + contents: read env: TEMPORAL_CI_NAMESPACE: ci-${{ github.repository_id }}-${{ github.run_id }}-${{ github.run_attempt }}-${{ github.job }} COMPOSE_PROJECT_NAME: ci-${{ github.repository_id }}-${{ github.run_id }}-${{ github.run_attempt }}-${{ github.job }} @@ -219,6 +224,8 @@ jobs: needs: [test] runs-on: [self-hosted, hetzner, x64] timeout-minutes: 30 + permissions: + contents: read env: TEMPORAL_CI_NAMESPACE: ci-${{ github.repository_id }}-${{ github.run_id }}-${{ github.run_attempt }}-${{ github.job }} COMPOSE_PROJECT_NAME: ci-${{ github.repository_id }}-${{ github.run_id }}-${{ github.run_attempt }}-${{ github.job }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ea13eb4f..0b3d1b22 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -8,10 +8,7 @@ on: schedule: - cron: '30 0 * * 1' -permissions: - actions: read - contents: read - security-events: write +permissions: read-all jobs: analyze: 
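Review bot: All four `ci.yml` jobs touched here run on `[self-hosted, hetzner, x64]`, and the first hunk of this file shows a bare `pull_request:` trigger, so code from a pull request executes on the project's own machines; the added job-level `contents: read` limits the token but not what the checked-out code can do on the runner. If the repository accepts pull requests from forks, consider requiring approval for outside contributors' workflow runs, using ephemeral one-job runners, or keeping fork PRs off these runners with a guard such as `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`. The job bodies continue outside the hunks, so whether the runners are already ephemeral is not visible here.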
diff --git a/.github/workflows/container-scan.yml b/.github/workflows/container-scan.yml index 87f1ba76..56f77a76 100644 --- a/.github/workflows/container-scan.yml +++ b/.github/workflows/container-scan.yml @@ -7,8 +7,7 @@ on: branches: [ "develop", "main" ] -permissions: - contents: read +permissions: read-all jobs: trivy: diff --git a/.github/workflows/nightly-fuzzing.yml b/.github/workflows/nightly-fuzzing.yml index b6dd0557..cbad2aa7 100644 --- a/.github/workflows/nightly-fuzzing.yml +++ b/.github/workflows/nightly-fuzzing.yml @@ -5,8 +5,7 @@ on: - cron: "0 3 * * *" workflow_dispatch: -permissions: - contents: read +permissions: read-all env: UV_PYTHON_PREFERENCE: "only-managed" @@ -16,6 +15,8 @@ jobs: hypothesis-fuzz: runs-on: [self-hosted, hetzner, x64] timeout-minutes: 30 + permissions: + contents: read steps: - name: Harden Runner uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml index 5b8eed0d..8d32da21 100644 --- a/.github/workflows/osv-scanner.yml +++ b/.github/workflows/osv-scanner.yml @@ -7,12 +7,13 @@ on: schedule: - cron: '0 0 * * 1' -permissions: - actions: read - security-events: write - contents: read +permissions: read-all jobs: scan: name: OSV-Scanner - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.9.1" + permissions: + actions: read + security-events: write + contents: read + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@daa2c68f50d845057895a9c300e42478481c1d26" # v1.9.1 diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 7db1b3c5..36c20c66 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
@@ -8,12 +8,7 @@ on: release: types: [published] -permissions: - contents: write - id-token: write # Required for PyPI OIDC Trusted Publishing and Sigstore - pages: write # Required for GitHub Pages deployment - actions: read # Required for SBOM artifact access and download - attestations: write # Required for SLSA build provenance +permissions: read-all env: UV_PYTHON_PREFERENCE: "only-managed" @@ -28,6 +23,12 @@ jobs: runs-on: [self-hosted, hetzner, x64] timeout-minutes: 30 environment: pypi + permissions: + contents: write + id-token: write # Required for PyPI OIDC Trusted Publishing and Sigstore + pages: write # Required for GitHub Pages deployment + actions: read # Required for SBOM artifact access and download + attestations: write # Required for SLSA build provenance steps: - name: Harden Runner uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 8e137e91..ff218fb2 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -9,16 +9,15 @@ on: - cron: '0 0 * * *' workflow_dispatch: -permissions: - contents: read - security-events: write - actions: read +permissions: read-all jobs: secret-scan: name: Secret Scanning runs-on: [self-hosted, hetzner, x64] timeout-minutes: 30 + permissions: + contents: read steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: @@ -35,6 +34,10 @@ jobs: name: Software Composition Analysis runs-on: [self-hosted, hetzner, x64] timeout-minutes: 30 + permissions: + contents: read + security-events: write + actions: read steps: - name: Harden Runner uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 From e413beddc7d24a7d8ab449a6400bd93704e6b04a Mon Sep 17 00:00:00 2001 
From: Gowtham Rao MD PhD Date: Fri, 15 May 2026 16:01:58 -0400 Subject: [PATCH 4/9] fix(security): correct invalid github action commit SHAs --- .github/workflows/advanced-security.yml | 5 +++-- .github/workflows/bandit.yml | 3 ++- .github/workflows/ci.yml | 9 +++++---- .github/workflows/codeql.yml | 1 + .github/workflows/container-scan.yml | 1 + .github/workflows/docs.yml | 3 ++- .github/workflows/nightly-fuzzing.yml | 3 ++- .github/workflows/osv-scanner.yml | 3 ++- .github/workflows/publish.yml | 5 +++-- .github/workflows/scorecard.yml | 3 ++- .github/workflows/security.yml | 3 ++- 11 files changed, 25 insertions(+), 14 deletions(-) diff --git a/.github/workflows/advanced-security.yml b/.github/workflows/advanced-security.yml index 0534f490..704e4afd 100644 --- a/.github/workflows/advanced-security.yml +++ b/.github/workflows/advanced-security.yml @@ -14,7 +14,7 @@ jobs: pull-requests: write steps: - name: Harden Runner - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.1 + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.1 with: egress-policy: audit @@ -22,8 +22,9 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Dependency Review - uses: actions/dependency-review-action@72eb03d02c78a00354b586144b3b890176945676 # v4.5.0 + uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 with: comment-summary-in-pr: always fail-on-severity: high deny-licenses: AGPL-1.0, AGPL-3.0, GPL-1.0, GPL-2.0, GPL-3.0, LGPL-2.0, LGPL-2.1, LGPL-3.0 + diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index 691ec126..e3b68f6a 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml 
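Review bot: The version comments no longer identify what is pinned: this commit sets `step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350` with the comment `# v2.19.1` in `advanced-security.yml` and the same SHA with `# v2.19.3` in `ci.yml`, `docs.yml`, `nightly-fuzzing.yml`, `publish.yml` and `security.yml`, so at least one label is wrong. Since the commit exists because the previous SHAs were invalid, each SHA should be resolved from the upstream tag it claims (for example with `git ls-remote --tags <action-repo-url>`) and the comment corrected to match, rather than swapping the hash under an unchanged comment. `codeql.yml` still carries `6bb03452f061539696ff75efb888a30644b1dce9` for init, autobuild and analyze, while `bandit.yml` and `scorecard.yml` move `upload-sarif` off that same hash. The commit also appends a blank line to the end of every workflow file, which is unrelated noise in a security fix.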
@@ -29,6 +29,7 @@ jobs: run: bandit -r . -f sarif -o bandit-results.sarif || true - name: "Upload Bandit results" - uses: github/codeql-action/upload-sarif@6bb03452f061539696ff75efb888a30644b1dce9 # v3.28.8 + uses: github/codeql-action/upload-sarif@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3.28.8 with: sarif_file: 'bandit-results.sarif' + diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0cf09928..410303ec 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,7 +34,7 @@ jobs: run: sudo chown -R $(whoami):$(whoami) ${{ github.workspace }} || true - name: Harden Runner - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.3 with: egress-policy: audit @@ -117,7 +117,7 @@ jobs: run: sudo chown -R $(whoami):$(whoami) ${{ github.workspace }} || true - name: Harden Runner - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.3 with: egress-policy: audit @@ -170,7 +170,7 @@ jobs: run: sudo chown -R $(whoami):$(whoami) ${{ github.workspace }} || true - name: Harden Runner - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.3 with: egress-policy: audit @@ -238,7 +238,7 @@ jobs: run: sudo chown -R $(whoami):$(whoami) ${{ github.workspace }} || true - name: Harden Runner - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.3 with: egress-policy: audit @@ -289,3 +289,4 @@ jobs: if [ -f "compose.yaml" ]; then docker compose down -v || true; fi sudo chown -R $(whoami):$(whoami) ${{ github.workspace }} shell: bash + 
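Review bot: In each `ci.yml` job the `Harden Runner` step comes after a `sudo chown -R $(whoami):$(whoami) ${{ github.workspace }} || true` step, visible as context above every changed `uses:` line, so that privileged command runs before the monitoring step has started. harden-runner is intended to be the first step of a job; move the chown below it, or add a comment explaining why it has to run first. The `${{ github.workspace }}` expression is also expanded into the script unquoted, and `"$GITHUB_WORKSPACE"` is the safer spelling. The surrounding steps lie outside the hunks.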
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 0b3d1b22..0c28ccce 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -38,3 +38,4 @@ jobs: - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@6bb03452f061539696ff75efb888a30644b1dce9 # v3.28.8 + diff --git a/.github/workflows/container-scan.yml b/.github/workflows/container-scan.yml index 56f77a76..fb8f87d4 100644 --- a/.github/workflows/container-scan.yml +++ b/.github/workflows/container-scan.yml @@ -40,3 +40,4 @@ jobs: with: sarif_file: 'trivy-results.sarif' continue-on-error: true + diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 32c3ca5f..ac6bade0 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -24,7 +24,7 @@ jobs: url: ${{ steps.deployment.outputs.page_url }} steps: - name: Harden Runner - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.3 with: egress-policy: audit @@ -57,3 +57,4 @@ jobs: - name: Deploy to GitHub Pages id: deployment uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0 + diff --git a/.github/workflows/nightly-fuzzing.yml b/.github/workflows/nightly-fuzzing.yml index cbad2aa7..4ece5670 100644 --- a/.github/workflows/nightly-fuzzing.yml +++ b/.github/workflows/nightly-fuzzing.yml @@ -19,7 +19,7 @@ jobs: contents: read steps: - name: Harden Runner - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.3 with: egress-policy: audit @@ -49,3 +49,4 @@ jobs: name: hypothesis-examples path: .hypothesis/ retention-days: 7 + diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml index 8d32da21..8f48799c 100644 --- a/.github/workflows/osv-scanner.yml +++ b/.github/workflows/osv-scanner.yml 
@@ -16,4 +16,5 @@ jobs: actions: read security-events: write contents: read - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@daa2c68f50d845057895a9c300e42478481c1d26" # v1.9.1 + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@764c91816374ff2d8fc2095dab36eecd42d61638" # v1.9.1 + diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 36c20c66..fdbbb22b 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -31,7 +31,7 @@ jobs: attestations: write # Required for SLSA build provenance steps: - name: Harden Runner - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.3 with: egress-policy: audit @@ -115,7 +115,7 @@ jobs: attestations: write steps: - name: Harden Runner - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.3 with: egress-policy: audit @@ -176,3 +176,4 @@ jobs: subject-name: ghcr.io/coreason-ai/coreason-runtime subject-digest: ${{ steps.build-and-push.outputs.digest }} push-to-registry: true + diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 2fe255ce..a7236515 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -32,6 +32,7 @@ jobs: publish_results: true - name: "Upload results" - uses: github/codeql-action/upload-sarif@6bb03452f061539696ff75efb888a30644b1dce9 # v3.28.8 + uses: github/codeql-action/upload-sarif@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3.28.8 with: sarif_file: results.sarif + diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index ff218fb2..47437128 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml 
@@ -40,7 +40,7 @@ jobs: actions: read steps: - name: Harden Runner - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.3 with: egress-policy: audit @@ -89,3 +89,4 @@ jobs: pip-audit-report.html npm-audit.json retention-days: 14 + From 796f534e75da75c99fb76b33d4b846da4ba1d84b Mon Sep 17 00:00:00 2001 From: Gowtham Rao MD PhD Date: Fri, 15 May 2026 16:10:29 -0400 Subject: [PATCH 5/9] fix(security): resolve osv-scanner path and bandit sarif dependencies --- .github/workflows/advanced-security.yml | 1 + .github/workflows/bandit.yml | 3 ++- .github/workflows/ci.yml | 1 + .github/workflows/codeql.yml | 7 ++++--- .github/workflows/container-scan.yml | 1 + .github/workflows/docs.yml | 1 + .github/workflows/nightly-fuzzing.yml | 1 + .github/workflows/osv-scanner.yml | 1 + .github/workflows/publish.yml | 1 + .github/workflows/scorecard.yml | 1 + .github/workflows/security.yml | 1 + 11 files changed, 15 insertions(+), 4 deletions(-) diff --git a/.github/workflows/advanced-security.yml b/.github/workflows/advanced-security.yml index 704e4afd..64c77eef 100644 --- a/.github/workflows/advanced-security.yml +++ b/.github/workflows/advanced-security.yml @@ -28,3 +28,4 @@ jobs: fail-on-severity: high deny-licenses: AGPL-1.0, AGPL-3.0, GPL-1.0, GPL-2.0, GPL-3.0, LGPL-2.0, LGPL-2.1, LGPL-3.0 + diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index e3b68f6a..4451c7da 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml @@ -23,7 +23,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: "Install Bandit" - run: pip install bandit + run: pip install bandit[sarif] - name: "Run Bandit" run: bandit -r . -f sarif -o bandit-results.sarif || true @@ -33,3 +33,4 @@ jobs: with: sarif_file: 'bandit-results.sarif' + 
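Review bot: `pip install bandit[sarif]` in `bandit.yml` is both unquoted and unpinned. Unquoted square brackets are a glob pattern to the shell, and without a version the scanner and its SARIF formatter can change from one run to the next; `run: pip install 'bandit[sarif]==<version>'`, with the version chosen by the maintainers, addresses both. The `|| true` on the unchanged `Run Bandit` line below is the likely reason the missing SARIF extra went unnoticed until this commit, so it is worth replacing in the same change.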
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 410303ec..6c50fc57 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -290,3 +290,4 @@ jobs: sudo chown -R $(whoami):$(whoami) ${{ github.workspace }} shell: bash + diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 0c28ccce..0771eaf0 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -29,13 +29,14 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Initialize CodeQL - uses: github/codeql-action/init@6bb03452f061539696ff75efb888a30644b1dce9 # v3.28.8 + uses: github/codeql-action/init@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3.28.8 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@6bb03452f061539696ff75efb888a30644b1dce9 # v3.28.8 + uses: github/codeql-action/autobuild@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3.28.8 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@6bb03452f061539696ff75efb888a30644b1dce9 # v3.28.8 + uses: github/codeql-action/analyze@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3.28.8 + diff --git a/.github/workflows/container-scan.yml b/.github/workflows/container-scan.yml index fb8f87d4..c9b2325b 100644 --- a/.github/workflows/container-scan.yml +++ b/.github/workflows/container-scan.yml @@ -41,3 +41,4 @@ jobs: sarif_file: 'trivy-results.sarif' continue-on-error: true + diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index ac6bade0..a0900cc2 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -58,3 +58,4 @@ jobs: id: deployment uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0 + diff --git a/.github/workflows/nightly-fuzzing.yml b/.github/workflows/nightly-fuzzing.yml index 4ece5670..4df3dc88 100644 --- a/.github/workflows/nightly-fuzzing.yml +++ b/.github/workflows/nightly-fuzzing.yml 
@@ -50,3 +50,4 @@ jobs: path: .hypothesis/ retention-days: 7 + diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml index 8f48799c..32d9cee5 100644 --- a/.github/workflows/osv-scanner.yml +++ b/.github/workflows/osv-scanner.yml @@ -18,3 +18,4 @@ jobs: contents: read uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@764c91816374ff2d8fc2095dab36eecd42d61638" # v1.9.1 + diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index fdbbb22b..c7e0fd26 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -177,3 +177,4 @@ jobs: subject-digest: ${{ steps.build-and-push.outputs.digest }} push-to-registry: true + diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index a7236515..98ee6f22 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -36,3 +36,4 @@ jobs: with: sarif_file: results.sarif + diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 47437128..4ef62eea 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -90,3 +90,4 @@ jobs: npm-audit.json retention-days: 14 + From becb10a6ced01588ef2b41ae87b8f95433ee2302 Mon Sep 17 00:00:00 2001 From: Gowtham Rao MD PhD Date: Fri, 15 May 2026 16:12:15 -0400 Subject: [PATCH 6/9] fix(security): remove redundant codeql.yml to resolve default setup conflict --- .github/workflows/codeql.yml | 42 ------------------------------------ 1 file changed, 42 deletions(-) delete mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 0771eaf0..00000000 --- a/.github/workflows/codeql.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -name: "CodeQL Analysis" - -on: - push: - branches: [ "main" ] - pull_request: - branches: [ "main" ] - schedule: - - cron: '30 0 * * 1' - -permissions: read-all - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: [ 'python', 'javascript-typescript' ] - - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Initialize CodeQL - uses: github/codeql-action/init@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3.28.8 - with: - languages: ${{ matrix.language }} - - - name: Autobuild - uses: github/codeql-action/autobuild@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3.28.8 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3.28.8 - - From 783199a41067453a7dd3343c50c3316fede6ad38 Mon Sep 17 00:00:00 2001 From: Gowtham Rao MD PhD Date: Fri, 15 May 2026 16:13:06 -0400 Subject: [PATCH 7/9] docs: add OpenSSF Scorecard badge to README --- README.md | 197 +++++++++++++++++++++++++++--------------------------- 1 file changed, 99 insertions(+), 98 deletions(-) diff --git a/README.md b/README.md index af9be4b0..fe91f47b 100644 --- a/README.md +++ b/README.md 
@@ -1,98 +1,99 @@ -# 🧠 coreason-runtime - -[![PyPI - Version](https://img.shields.io/pypi/v/coreason_runtime.svg)](https://pypi.org/project/coreason_runtime) -[![CI](https://github.com/CoReason-AI/coreason-runtime/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/CoReason-AI/coreason-runtime/actions/workflows/ci.yml) -[![Documentation](https://img.shields.io/badge/docs-GitHub_Pages-blue.svg)](https://coreason-ai.github.io/coreason-runtime/) -[![Deploy Docs](https://github.com/CoReason-AI/coreason-runtime/actions/workflows/docs.yml/badge.svg)](https://github.com/CoReason-AI/coreason-runtime/actions/workflows/docs.yml) -[![PyPI - Python Version](https://img.shields.io/pypi/pyversions/coreason_runtime.svg)](https://pypi.org/project/coreason_runtime) -[![Downloads](https://img.shields.io/pypi/dm/coreason_runtime.svg)](https://pypi.org/project/coreason_runtime/) -[![License: Prosperity 3.0](https://img.shields.io/badge/License-Prosperity_3.0-blue.svg)](https://prosperitylicense.com/versions/3.0.0) -[![SOTA: 2026](https://img.shields.io/badge/Architecture-Kinetic_Engine-purple.svg)](https://coreason.ai) -
-[![Code Coverage](https://img.shields.io/codecov/c/github/CoReason-AI/coreason-runtime/main.svg)](https://codecov.io/gh/CoReason-AI/coreason-runtime) -[![Checked with mypy](https://www.mypy-lang.org/static/mypy_badge.svg)](https://mypy-lang.org/) -[![Code style: ruff](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff) -[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit)](https://github.com/pre-commit/pre-commit) -[![Security: Bandit](https://img.shields.io/badge/security-bandit-yellow.svg)](https://github.com/PyCQA/bandit) -
-[![uv](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/uv/main/assets/badge/v0.json)](https://github.com/astral-sh/uv) -[![Forks](https://img.shields.io/github/forks/CoReason-AI/coreason-runtime.svg)](https://github.com/CoReason-AI/coreason-runtime/network/members) -[![Powered By: AI](https://img.shields.io/badge/Powered%20By-CoReason%20AI-FF4500.svg)](https://coreason.ai) - -**The official zero-trust, high-throughput kinetic execution engine for the `coreason-manifest` ontology.** - -`coreason-runtime` is a State-of-the-Art (SOTA) 2026 cybernetic execution engine. It abandons legacy, fragile "chain-of-thought" LLM scripting in favor of deterministic **Active Inference**, Topological Data Analysis (TDA), and strictly bounded Markov Decision Processes. It is the definitive implementation of the CoReason Tripartite Doctrine for Tier-1 Kinetic Execution. - -If `coreason-manifest` is the DNA of your multi-agent topologies, `coreason-runtime` is the biological cell that safely executes them. - ---- - -## 🚀 The Paradigm Shift - -Modern enterprise AI cannot rely on unbounded `while True` loops and raw Python `exec()`. The `coreason-runtime` enforces mathematical rigor at every boundary: - -* **Deterministic Orchestration:** Built on **Temporal**, Swarm executions are durably serialized. If a GPU dies or a network request fails, the Swarm pauses, rehydrates, and resumes exactly where it left off. No amnesia. No ghost processes. -* **Zero-Trust WASM Sandboxing:** Kinetic actions (Tools) are executed inside isolated WebAssembly environments via **Extism**. Agents can execute complex IO without ever touching your host's root kernel or filesystem. -* **Epistemic Vector Ledger:** Native, zero-copy integration with **LanceDB**. The runtime automatically projects the agent's latent state into an embedded vector memory layer. -* **Embedded Medallion Analytics:** No need for heavy Spark clusters. 
Raw telemetry (SSE) is ingested via **dlt** and transformed into Silver/Gold analytical intelligence matrices using Rust-backed **Polars** directly inside the daemon. -* **Human-in-the-Loop (HITL) Webhooks:** When an agent calculates high Variational Free Energy (epistemic uncertainty), it durably suspends its thread and emits an Oracle Request, waiting safely for a human expert to inject resolving priors via API. -* **Bipartite Proposer-Verifier Protocol:** The runtime is physically isolated from local OS capability generation. To fabricate assets, the runtime strictly proposes topological models over air-gapped MCP boundaries to the remote Universal Asset Forge (`coreason-meta-engineering`). - ---- - -## ⚡ Installation - -We utilize `uv` for ultra-fast, deterministic resolution. Ensure you are running Python 3.14+. - -```bash -uv add coreason-runtime -``` - -*Note: For bare-metal enterprise deployment with SGLang GPU passthrough, refer to our [Docker Deployment Guide](docs/DEPLOYMENT.md).* - ------ - -## 🛠️ Quickstart - -The runtime is designed to be operated via its CLI or mounted as an API edge. - -### 1\. Run a Local Swarm - -To execute a mathematically verified agentic topology, simply pass the JSON/YAML manifest to the runtime: - -```bash -coreason run ./my_swarm_manifest.json -``` - -### 2\. Boot the API Edge & Telemetry Broker - -To boot the runtime as a continuous daemon (exposing the CRDT State Sync, Schema Projection, and Server-Sent Events telemetry): - -```bash -coreason serve --port 8000 -``` - -Your frontend IDE can now connect to `http://localhost:8000/api/v1/telemetry/stream` to visualize the active inference loops in real-time. - ------ - -## 🏗️ Architecture - -The runtime operates across five isolated computational boundaries under the CoReason Tripartite Doctrine: - -1. **The Orchestrator:** Temporal Python SDK running deterministic AST-scanned workflows. -2. 
**The Cognitive Engine:** SGLang routing for sub-millisecond constrained tensor inference. -3. **The Kinetic Sandbox:** Extism executing `.wasm` tools with zero-trust lattices. -4. **The Epistemic Store:** LanceDB & Polars managing long-term vectors and ETL metrics. -5. **The Universal Asset Forge:** A decoupled MCP channel connecting strictly to the `coreason-meta-engineering` Fabrication Lines to physically synthesize assets via the Bipartite generation pipeline. - -For a deep dive into the cybernetic loop, read the [Architecture Documentation](docs/architecture.md). - ------ - -## 📜 License - -This software is proprietary and dual-licensed under the **Prosperity Public License 3.0**. -Commercial use beyond a 30-day trial requires a separate commercial license. See the `LICENSE` file for details. - -Copyright (c) 2026 CoReason, Inc. +# 🧠 coreason-runtime + +[![PyPI - Version](https://img.shields.io/pypi/v/coreason_runtime.svg)](https://pypi.org/project/coreason_runtime) +[![CI](https://github.com/CoReason-AI/coreason-runtime/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/CoReason-AI/coreason-runtime/actions/workflows/ci.yml) +[![Documentation](https://img.shields.io/badge/docs-GitHub_Pages-blue.svg)](https://coreason-ai.github.io/coreason-runtime/) +[![Deploy Docs](https://github.com/CoReason-AI/coreason-runtime/actions/workflows/docs.yml/badge.svg)](https://github.com/CoReason-AI/coreason-runtime/actions/workflows/docs.yml) +[![PyPI - Python Version](https://img.shields.io/pypi/pyversions/coreason_runtime.svg)](https://pypi.org/project/coreason_runtime) +[![Downloads](https://img.shields.io/pypi/dm/coreason_runtime.svg)](https://pypi.org/project/coreason_runtime/) +[![License: Prosperity 3.0](https://img.shields.io/badge/License-Prosperity_3.0-blue.svg)](https://prosperitylicense.com/versions/3.0.0) +[![SOTA: 2026](https://img.shields.io/badge/Architecture-Kinetic_Engine-purple.svg)](https://coreason.ai) +
+[![OpenSSF Scorecard](https://img.shields.io/ossf-scorecard/github.com/CoReason-AI/=OpenSSF)](https://scorecard.dev/viewer/?uri=github.com/CoReason-AI/coreason-runtime) +[![Code Coverage](https://img.shields.io/codecov/c/github/CoReason-AI/coreason-runtime/main.svg)](https://codecov.io/gh/CoReason-AI/coreason-runtime) +[![Checked with mypy](https://www.mypy-lang.org/static/mypy_badge.svg)](https://mypy-lang.org/) +[![Code style: ruff](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff) +[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit)](https://github.com/pre-commit/pre-commit) +[![Security: Bandit](https://img.shields.io/badge/security-bandit-yellow.svg)](https://github.com/PyCQA/bandit) +
+[![uv](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/uv/main/assets/badge/v0.json)](https://github.com/astral-sh/uv) +[![Forks](https://img.shields.io/github/forks/CoReason-AI/coreason-runtime.svg)](https://github.com/CoReason-AI/coreason-runtime/network/members) +[![Powered By: AI](https://img.shields.io/badge/Powered%20By-CoReason%20AI-FF4500.svg)](https://coreason.ai) + +**The official zero-trust, high-throughput kinetic execution engine for the `coreason-manifest` ontology.** + +`coreason-runtime` is a State-of-the-Art (SOTA) 2026 cybernetic execution engine. It abandons legacy, fragile "chain-of-thought" LLM scripting in favor of deterministic **Active Inference**, Topological Data Analysis (TDA), and strictly bounded Markov Decision Processes. It is the definitive implementation of the CoReason Tripartite Doctrine for Tier-1 Kinetic Execution. + +If `coreason-manifest` is the DNA of your multi-agent topologies, `coreason-runtime` is the biological cell that safely executes them. + +--- + +## 🚀 The Paradigm Shift + +Modern enterprise AI cannot rely on unbounded `while True` loops and raw Python `exec()`. The `coreason-runtime` enforces mathematical rigor at every boundary: + +* **Deterministic Orchestration:** Built on **Temporal**, Swarm executions are durably serialized. If a GPU dies or a network request fails, the Swarm pauses, rehydrates, and resumes exactly where it left off. No amnesia. No ghost processes. +* **Zero-Trust WASM Sandboxing:** Kinetic actions (Tools) are executed inside isolated WebAssembly environments via **Extism**. Agents can execute complex IO without ever touching your host's root kernel or filesystem. +* **Epistemic Vector Ledger:** Native, zero-copy integration with **LanceDB**. The runtime automatically projects the agent's latent state into an embedded vector memory layer. +* **Embedded Medallion Analytics:** No need for heavy Spark clusters. 
Raw telemetry (SSE) is ingested via **dlt** and transformed into Silver/Gold analytical intelligence matrices using Rust-backed **Polars** directly inside the daemon. +* **Human-in-the-Loop (HITL) Webhooks:** When an agent calculates high Variational Free Energy (epistemic uncertainty), it durably suspends its thread and emits an Oracle Request, waiting safely for a human expert to inject resolving priors via API. +* **Bipartite Proposer-Verifier Protocol:** The runtime is physically isolated from local OS capability generation. To fabricate assets, the runtime strictly proposes topological models over air-gapped MCP boundaries to the remote Universal Asset Forge (`coreason-meta-engineering`). + +--- + +## ⚡ Installation + +We utilize `uv` for ultra-fast, deterministic resolution. Ensure you are running Python 3.14+. + +```bash +uv add coreason-runtime +``` + +*Note: For bare-metal enterprise deployment with SGLang GPU passthrough, refer to our [Docker Deployment Guide](docs/DEPLOYMENT.md).* + +----- + +## 🛠️ Quickstart + +The runtime is designed to be operated via its CLI or mounted as an API edge. + +### 1\. Run a Local Swarm + +To execute a mathematically verified agentic topology, simply pass the JSON/YAML manifest to the runtime: + +```bash +coreason run ./my_swarm_manifest.json +``` + +### 2\. Boot the API Edge & Telemetry Broker + +To boot the runtime as a continuous daemon (exposing the CRDT State Sync, Schema Projection, and Server-Sent Events telemetry): + +```bash +coreason serve --port 8000 +``` + +Your frontend IDE can now connect to `http://localhost:8000/api/v1/telemetry/stream` to visualize the active inference loops in real-time. + +----- + +## 🏗️ Architecture + +The runtime operates across five isolated computational boundaries under the CoReason Tripartite Doctrine: + +1. **The Orchestrator:** Temporal Python SDK running deterministic AST-scanned workflows. +2. 
**The Cognitive Engine:** SGLang routing for sub-millisecond constrained tensor inference.
+3. **The Kinetic Sandbox:** Extism executing `.wasm` tools with zero-trust lattices.
+4. **The Epistemic Store:** LanceDB & Polars managing long-term vectors and ETL metrics.
+5. **The Universal Asset Forge:** A decoupled MCP channel connecting strictly to the `coreason-meta-engineering` Fabrication Lines to physically synthesize assets via the Bipartite generation pipeline.
+
+For a deep dive into the cybernetic loop, read the [Architecture Documentation](docs/architecture.md).
+
+-----
+
+## 📜 License
+
+This software is proprietary and dual-licensed under the **Prosperity Public License 3.0**.
+Commercial use beyond a 30-day trial requires a separate commercial license. See the `LICENSE` file for details.
+
+Copyright (c) 2026 CoReason, Inc.
From 51440a538b5c84868e4e396bc4aca5b5e0009e59 Mon Sep 17 00:00:00 2001
From: Gowtham Rao MD PhD
Date: Fri, 15 May 2026 16:16:57 -0400
Subject: [PATCH 8/9] feat(security): integrate Trivy IaC and TruffleHog secret scanning workflows
---
 .github/workflows/trivy.yml | 37 ++++++++++++++++++++++++++++++++
 .github/workflows/trufflehog.yml | 31 ++++++++++++++++++++++++++
 2 files changed, 68 insertions(+)
 create mode 100644 .github/workflows/trivy.yml
 create mode 100644 .github/workflows/trufflehog.yml
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 00000000..af8fc6ff
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,37 @@
+name: Trivy Security Scan
+
+on:
+  push:
+    branches: [ "main", "coreason-develop", "feat/add-security-scans" ]
+  pull_request:
+    branches: [ "main", "coreason-develop" ]
+
+permissions: read-all
+
+jobs:
+  trivy:
+    name: Trivy Vulnerability Scanner
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@314ff8b43182423b84c50b1670b0e10f858f2d98
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3.35.5
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
new file mode 100644
index 00000000..18af70ae
--- /dev/null
+++ b/.github/workflows/trufflehog.yml
@@ -0,0 +1,31 @@
+name: TruffleHog Secret Scan
+
+on:
+  push:
+    branches: [ "main", "coreason-develop", "feat/add-security-scans" ]
+  pull_request:
+    branches: [ "main", "coreason-develop" ]
+
+permissions: read-all
+
+jobs:
+  trufflehog:
+    name: TruffleHog Secret Scanner
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: TruffleHog OSS
+        uses: trufflesecurity/trufflehog@0fa069c12f0c7baf431041cd1e564a9c5058846c
+        with:
+          path: ./
+          base: "${{ github.event.repository.default_branch }}"
+          head: HEAD
+          extra_args: --debug --only-verified
From 0e6bb15e1a1e65e52b4a78c59a2b0baa9e41644c Mon Sep 17 00:00:00 2001
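Review bot: The Trivy step in trivy.yml sets `scan-type: 'fs'` with no `scanners` input, so nothing visible in this file switches on the IaC scanning named in the commit subject; if the action's default scanners are vulnerabilities and secrets only, as I believe they are, add `scanners: 'vuln,secret,misconfig'` to the step. The `severity: 'CRITICAL,HIGH'` filter should also be checked against `format: 'sarif'`, because the action documents that SARIF output carries every severity unless `limit-severities-for-sarif: true` is set. The workflow has no `schedule:` trigger, so an advisory published against an unchanged dependency is not reported until the next push or pull request. The `aquasecurity/trivy-action` pin is the only `uses:` line in the file without a trailing version comment, and `feat/add-security-scans` in the push branch list (also in trufflehog.yml and zap-dast.yml) looks like a leftover from developing the change.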
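Review bot: In trufflehog.yml, `base: "${{ github.event.repository.default_branch }}"` together with `head: HEAD` describes an empty range on a push to the default branch, because both ends then name the same commit, so the run on the branch that matters most scans no commits (or errors, depending on the action version). On pull_request runs the default branch may exist only as a remote-tracking ref after checkout, so the bare branch name may not resolve there either. Recent releases of the action derive the range from the event payload when `base` and `head` are omitted; confirm that for the pinned commit and drop both inputs. In `extra_args`, `--only-verified` drops every credential the scanner could not verify, and `--debug` writes verbose scanner output to a job log that anyone able to view the run can read. If the pinned version supports it, `extra_args: --results=verified,unknown` addresses both.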
From: Gowtham Rao MD PhD
Date: Fri, 15 May 2026 16:18:33 -0400
Subject: [PATCH 9/9] feat(security): integrate OWASP ZAP DAST scan workflow
---
 .github/workflows/zap-dast.yml | 38 ++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 .github/workflows/zap-dast.yml
diff --git a/.github/workflows/zap-dast.yml b/.github/workflows/zap-dast.yml
new file mode 100644
index 00000000..7ef7bb4d
--- /dev/null
+++ b/.github/workflows/zap-dast.yml
@@ -0,0 +1,38 @@
+name: OWASP ZAP DAST Scan
+
+on:
+  push:
+    branches: [ "main", "coreason-develop", "feat/add-security-scans" ]
+  pull_request:
+    branches: [ "main", "coreason-develop" ]
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  zap_scan:
+    name: OWASP ZAP Baseline Scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
+      security-events: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      # Note: In a real environment, you would start your application here
+      # e.g., docker-compose up -d
+      # For now, we will scan a placeholder/demo target or skip if no target is running.
+      # To fully enable, replace target with your staging URL.
+
+      - name: ZAP Baseline Scan
+        uses: zaproxy/action-baseline@f948cb8d66e25e330a23e64e3fc72a5c0018b16d # master
+        continue-on-error: true # DAST scans can be noisy, so we prevent failing the build initially
+        with:
+          target: 'https://coreason.ai/' # Placeholder target for the baseline
+          rules_file_name: '.zap/rules.tsv'
+          cmd_options: '-a'
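Review bot: The scan target `https://coreason.ai/` is an external site that is not built from this repository, so every push and pull request sends a crawl to it and the result says nothing about the code under review; the in-file comment itself calls it a placeholder. Until a step starts the runtime inside the job and `target` points at it (the README's `coreason serve --port 8000` suggests `http://localhost:8000`), restrict the trigger to `workflow_dispatch:`. The job grants `issues: write` and `security-events: write`, yet no step uploads SARIF, and the issue permission only serves the action's default of filing findings as repository issues; drop `security-events: write`, and unless issue filing is wanted set `allow_issue_writing: false` and drop `issues: write` as well. `rules_file_name: '.zap/rules.tsv'` names a file this commit does not add (one file changed), so confirm it already exists. `continue-on-error: true` also hides a scan that never ran, and the pin comment `# master` does not identify a release the way the `# v4.2.2` comment on the checkout pin does.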