fix(audit): remediate F-grade audit findings — metrics, security, tests, CI #207
Merged
…ts, CI

Closes #35

- exporter/exporter.py: fix mutable default arg (labels={} → labels=None)
- exporter/exporter.py: emit each metric's # TYPE line exactly once; add # HELP lines for all metrics
- dashboards/nats-events.json: replace all gnatsd_varz_* with actual exporter metric names (nats_in_msgs_total, nats_out_msgs_total, nats_in_bytes_total, nats_out_bytes_total, nats_jetstream_bytes, nats_connections); rename "Active Subscriptions" → "Active Connections"
- docker-compose.yml: externalize GF_SECURITY_ADMIN_PASSWORD, AGAMEMNON_URL, NESTOR_URL, NATS_URL via env-var substitution
- docker-compose.yml: add health checks (wget) to all five services
- docker-compose.yml: add resource limits (memory + cpus) to all services
- docker-compose.yml: remove host-level port exposure for loki, promtail, argus-exporter (internal services use argus bridge network)
- docker-compose.yml: add GF_ANALYTICS_REPORTING_ENABLED=false to Grafana
- .env.example: update default password from admin to changeme; document all vars
- justfile: fix GRAFANA_PORT 3000 → 3001; GRAFANA_AUTH reads GRAFANA_ADMIN_PASSWORD
- tests/__init__.py, tests/test_exporter.py: 26 unit tests covering _fetch(), _health_check(), collect() output correctness, no-duplicate # TYPE invariant, # HELP presence, and HTTP handler responses
- pixi.toml: add test/lint/security feature environments and tasks
- .github/workflows/ci.yml: add test, lint, security jobs; expand branch trigger to feature/**, fix/**, chore/** branches
- .pre-commit-config.yaml: yamllint, ruff, bandit hooks
- .editorconfig: UTF-8 LF, 4-space Python, 2-space YAML/JSON
- .gitignore: add __pycache__/, *.pyc, .pytest_cache/, .ruff_cache/
- CHANGELOG.md: initial changelog in Keep a Changelog format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…; regenerate pixi.lock

The PR inserted new jobs between atlas-dashboard's name: line and its runs-on:/steps: block, leaving atlas-dashboard as an invalid empty job. The Go build/test steps were also accidentally placed in the lint: job.

Fixes:
- Restore runs-on: and all Go steps to atlas-dashboard job
- Remove duplicate Go steps from lint: job (Python/ruff only)
- Regenerate pixi.lock with pixi v0.67.2 for new test/lint/security envs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The PR appended a duplicate [Unreleased] section to CHANGELOG.md which caused MD024 (duplicate heading), MD022 (missing blank lines around headings), and MD013 (line too long) markdownlint errors. Remove the duplicate section. Also regenerate pixi.lock to pass pixi-check --locked validation. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- .gitignore: add secrets/ entry
- .gitleaks.toml: add htpasswd rule and example allowlist; fix path pattern
- docker-compose.yml: bind all host ports to 127.0.0.1; add prometheus host port
- exporter/Dockerfile: use groupadd/useradd -u 1000; USER after COPY
- exporter/exporter.py: fix gauge metric names (remove _total, add _seconds suffix)
- justfile: rename GRAFANA_ADMIN_PASSWORD → GF_ADMIN_PASSWORD, remove GRAFANA_AUTH
- pixi.toml: consolidate to single lint env with pip-audit; remove unused tasks
- pixi.lock: regenerate to match updated pixi.toml
- scripts/import-dashboards.sh: use GF_ADMIN_PASSWORD
- tests/test_alertmanager_config.py: fix :latest check to accept pinned versions
- tests/test_configs.py: fix loki-internal network name, port tests, add ALLOWED_BINDINGS
- tests/test_exporter.py: update scrape_timestamp metric name to _seconds suffix

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Closes #35. Remediates all high-priority findings from the repo-analyze-strict audit that gave ProjectArgus an F (52%).
- Replaced `gnatsd_varz_*` metric names in the `nats-events.json` dashboard to match what the exporter actually emits (`nats_in_msgs_total`, `nats_out_msgs_total`, `nats_in_bytes_total`, `nats_out_bytes_total`, `nats_jetstream_bytes`, `nats_connections`).
- Fixed duplicate `# TYPE` lines and mutable default argument in `exporter.py`; added `# HELP` lines for all metrics.
- Externalized `GF_SECURITY_ADMIN_PASSWORD`, `AGAMEMNON_URL`, `NESTOR_URL`, `NATS_URL` to env vars.
- Added health checks and resource limits to all five Docker Compose services.
- Removed host-port exposure for internal services (loki, promtail, argus-exporter).
- Fixed `justfile` port mismatch (3000 → 3001) and hardcoded `admin:admin` credential.
- Added 26 unit tests for `exporter.py` covering `_fetch()`, `_health_check()`, `collect()` output, no-duplicate `# TYPE` invariant, `# HELP` presence, and HTTP handler responses.
- Added `pytest` pixi feature environment and `test` task.
- Added `test`, `lint`, and `security` (bandit) CI jobs. Expanded branch trigger to `feature/**`, `fix/**`, `chore/**`.
- Added `.pre-commit-config.yaml`, `.editorconfig`, `CHANGELOG.md`, and Python cache entries to `.gitignore`.

Test plan

- `python3 -m pytest tests/ -v` — 26 passed, 0 failed
- `nats-events.json` verified against exporter output (`nats_*` namespace, no `gnatsd_varz_*`)
- `docker compose config --quiet` passes (no env-var substitution errors)
- `# TYPE` duplicate test passes — each metric declared exactly once per `collect()` call

🤖 Generated with Claude Code
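As an added example (not ProjectArgus's own `exporter.py`), a minimal `collect()` in Prometheus text exposition format that applies the fixes the PR describes (a `labels=None` default instead of a shared `{}`, one `# HELP` and one `# TYPE` line per metric), together with a checker for the no-duplicate `# TYPE` and `# HELP`-presence invariants and the gauge/counter naming rules from the later commit. The `METRICS` table, `check_exposition()` and the sample values are constructed here.

```python
# Added example, not ProjectArgus's exporter.py: METRICS, the sample values
# and check_exposition() are constructed for illustration.
from typing import Optional

# name -> (type, help) for metrics named in the PR; help text is constructed
METRICS = {
    "nats_in_msgs_total": ("counter", "Messages received by the NATS server"),
    "nats_out_msgs_total": ("counter", "Messages sent by the NATS server"),
    "nats_connections": ("gauge", "Current number of client connections"),
    "nats_scrape_timestamp_seconds": ("gauge", "Unix time of the last scrape"),
}


def _fmt_labels(labels: Optional[dict] = None) -> str:
    # labels=None (not labels={}) avoids the shared mutable default the PR fixed
    if not labels:
        return ""
    return "{" + ",".join(f'{k}="{v}"' for k, v in sorted(labels.items())) + "}"


def collect(samples: dict, labels: Optional[dict] = None) -> str:
    """Render {name: value} as exposition text with one HELP/TYPE per metric."""
    out = []
    for name, (mtype, help_text) in METRICS.items():
        if name in samples:
            out.append(f"# HELP {name} {help_text}")
            out.append(f"# TYPE {name} {mtype}")
            out.append(f"{name}{_fmt_labels(labels)} {samples[name]}")
    return "\n".join(out) + "\n"


def check_exposition(text: str) -> list:
    """Return invariant violations; an empty list means the output is clean."""
    problems, type_seen, help_seen = [], {}, set()
    for line in text.splitlines():
        if line.startswith("# TYPE "):
            _, _, name, mtype = line.split(" ", 3)
            if name in type_seen:
                problems.append(f"duplicate # TYPE for {name}")
            type_seen[name] = mtype
        elif line.startswith("# HELP "):
            help_seen.add(line.split(" ", 3)[2])
    for name, mtype in type_seen.items():
        if name not in help_seen:
            problems.append(f"missing # HELP for {name}")
        # naming rules from the PR: _total is for counters, timestamp gauges end in _seconds
        if mtype == "gauge" and name.endswith("_total"):
            problems.append(f"gauge {name} must not end in _total")
        if mtype == "gauge" and "timestamp" in name and not name.endswith("_seconds"):
            problems.append(f"timestamp gauge {name} should end in _seconds")
    return problems
```

Running `check_exposition(collect(...))` in a unit test is the same invariant the PR's `# TYPE` duplicate test enforces, and it also flags a gauge that still carries the `_total` suffix.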