Skip to content

chore(security): standardize SDLC security baseline#21

Open
ashu-tosh-kumar wants to merge 1 commit into
developmentfrom
chore/security-baseline
Open

chore(security): standardize SDLC security baseline#21
ashu-tosh-kumar wants to merge 1 commit into
developmentfrom
chore/security-baseline

Conversation

@ashu-tosh-kumar

Copy link
Copy Markdown
Owner

Standardizes this repo against the security baseline shared across all public projects.

Added

  • Dependency Review — PR gate that blocks pull requests introducing known-vulnerable dependencies.
  • OpenSSF Scorecard — supply-chain posture, results in the Security tab.
  • Bandit — Python-specific SAST (complements CodeQL; replaces the Python coverage OSSAR used to provide).
  • Dependabot — added github-actions ecosystem + grouped weekly updates.

Removed

  • .github/workflows/ossar.yml

These were redundant with CodeQL default setup (live), native secret scanning + push protection, and Dependabot — all enabled at the repo level.

Coverage after this PR

Pillar Tool
SAST CodeQL default setup + Bandit
SCA Dependabot alerts/updates + Dependency Review
Secrets GitHub secret scanning + push protection
Supply chain OpenSSF Scorecard + Dependabot (actions)

🤖 Generated with Claude Code

Align repo with the standardized security baseline across all public
projects:

- Add Dependency Review (PR gate blocking known-vulnerable deps).
- Add OpenSSF Scorecard (supply-chain posture, reports to Security tab).
- Add Bandit Python SAST (Python repos only; replaces OSSAR coverage).
- Dependabot: add github-actions ecosystem + grouped updates.
- Remove redundant/dead workflows (OSSAR, disabled advanced CodeQL,
  gitleaks/npm-audit) now covered by CodeQL default setup, native
  secret scanning + push protection, and Dependabot.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the Dependabot configuration in .github/dependabot.yml to group Python dependencies and add tracking for GitHub Actions updates. The reviewer correctly pointed out that since the project uses Poetry, the package ecosystem should be configured as poetry instead of pip to ensure Dependabot can properly parse and update the dependencies and lockfile.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread .github/dependabot.yml
Comment on lines +2 to +7
# - pip ecosystem covers Poetry (pyproject.toml / poetry.lock).
# - github-actions keeps workflow action versions current (supply-chain hardening).
# Updates are grouped to minimize PR noise.
version: 2
updates:
- package-ecosystem: "pip" # See documentation for possible values
directory: "/" # Location of package manifests
- package-ecosystem: "pip"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Dependabot has a dedicated package ecosystem for Poetry. Since this project uses Poetry (pyproject.toml and poetry.lock), you should use poetry instead of pip as the package ecosystem. This ensures Dependabot can correctly parse and update your Poetry dependencies and lockfile.

# - poetry ecosystem covers Poetry (pyproject.toml / poetry.lock).
# - github-actions keeps workflow action versions current (supply-chain hardening).
# Updates are grouped to minimize PR noise.
version: 2
updates:
  - package-ecosystem: "poetry"

@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

@qodo-code-review

Copy link
Copy Markdown

PR Summary by Qodo

Standardize SDLC security baseline with GitHub-native security workflows

✨ Enhancement ⚙️ Configuration changes 🕐 20-40 Minutes

Grey Divider

AI Description

• Add GitHub Actions security workflows for dependency review, Bandit SAST, and OpenSSF Scorecard.
• Expand Dependabot to group weekly pip and GitHub Actions updates.
• Remove redundant OSSAR code-scanning workflow now covered by baseline tooling.
Diagram

graph TD
  A["GitHub events (push/PR/schedule)"] --> B["Dependency Review"] --> C["PR gate (fail high)"]
  A --> D["Bandit scan"] --> E["Upload SARIF"] --> F["Security tab"]
  A --> G["OpenSSF Scorecard"] --> E
  H["Dependabot"] --> I["Update PRs (grouped)"] --> B
Loading
High-Level Assessment

The following are alternative approaches to this PR:

1. Centralize via reusable workflows
  • ➕ Keeps security baseline consistent across repos with one source of truth
  • ➕ Reduces per-repo YAML drift and maintenance overhead
  • ➖ Requires a shared workflow repository and versioning strategy
  • ➖ Slightly harder to customize repo-specific exclusions/branches
2. Make Bandit blocking on PRs
  • ➕ Forces fixes before merge for Bandit-detectable issues
  • ➕ Improves security signal by preventing known unsafe patterns from landing
  • ➖ Higher risk of developer friction/false positives without careful rule tuning
  • ➖ May duplicate some CodeQL coverage depending on ruleset
3. Rely only on GitHub Advanced Security defaults (CodeQL + Dependency Review)
  • ➕ Fewer workflows to maintain
  • ➕ Leverages GitHub-managed defaults and updates
  • ➖ Loses Bandit’s Python-specific checks and Scorecard’s posture reporting
  • ➖ Reduced supply-chain visibility in the Security tab

Recommendation: The PR’s approach is a solid baseline: Dependency Review provides a clear PR gate, while Bandit and Scorecard add SARIF-visible signal without over-blocking. If this baseline is meant to be uniform across many repos, consider migrating these workflows to reusable workflows later; otherwise, keeping them local is simplest.

Files changed (4) +123 / -7

Enhancement (3) +106 / -0
bandit.ymlAdd Bandit SARIF security scan workflow +37/-0

Add Bandit SARIF security scan workflow

• Introduces a Bandit GitHub Actions workflow on push/PR (development) and a weekly schedule. Runs Bandit with SARIF output and uploads results to GitHub code scanning as a non-blocking check.

.github/workflows/bandit.yml

dependency-review.ymlAdd Dependency Review PR gate for vulnerable dependency changes +22/-0

Add Dependency Review PR gate for vulnerable dependency changes

• Adds a pull_request workflow that runs GitHub's dependency-review-action. Configures the check to fail on high severity and comment a summary on failure.

.github/workflows/dependency-review.yml

scorecard.ymlAdd OpenSSF Scorecard workflow publishing results to Security tab +47/-0

Add OpenSSF Scorecard workflow publishing results to Security tab

• Adds an OpenSSF Scorecard workflow triggered by branch protection changes, pushes to development, and a weekly schedule. Publishes SARIF to code scanning and uploads the SARIF artifact with short retention.

.github/workflows/scorecard.yml

Other (1) +17 / -7
dependabot.ymlGroup weekly Dependabot updates for pip and GitHub Actions +17/-7

Group weekly Dependabot updates for pip and GitHub Actions

• Refactors Dependabot config to run weekly and group all pip (Poetry) dependency updates into a single PR. Adds a github-actions ecosystem entry with weekly grouped updates to keep workflow action versions current.

.github/dependabot.yml

@qodo-code-review

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (3) 📘 Rule violations (0) 📜 Skill insights (0)

Grey Divider


Action required

1. Scorecard checkout permission missing 🐞 Bug ☼ Reliability
Description
In .github/workflows/scorecard.yml and .github/workflows/bandit.yml, the analysis and bandit
jobs set job-level permissions without contents: read, which can prevent actions/checkout from
fetching the repository and stop Scorecard/Bandit from running. This occurs because job-level
permissions override the workflow-level defaults (including read-all / contents: read).
Code

.github/workflows/scorecard.yml[R19-23]

+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge.
+      id-token: write
Evidence
In .github/workflows/scorecard.yml, the workflow declares permissions: read-all, but the
analysis job overrides permissions to include only security-events and id-token while still
using actions/checkout@v4, which requires contents: read to access the repository. Similarly, in
.github/workflows/bandit.yml, the workflow sets contents: read at the workflow level, yet the
bandit job specifies only security-events: write and still runs actions/checkout@v4,
demonstrating that the job-level override can remove repository read access needed for checkout and
thereby break the scan.

.github/workflows/scorecard.yml[13-28]
.github/workflows/bandit.yml[15-26]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The `analysis` job in the Scorecard workflow and the `bandit` job in the Bandit workflow define job-level permissions but omit `contents: read`, which can prevent `actions/checkout` from accessing the repository and cause the jobs to fail.

## Issue Context
Both workflows set permissive workflow-level defaults (`read-all` or explicit `contents: read`), but job-level `permissions` blocks override those defaults; since the jobs still run `actions/checkout@v4`, they need `contents: read` explicitly when job-level permissions are used.

## Fix Focus Areas
- .github/workflows/scorecard.yml[13-28]
- .github/workflows/bandit.yml[15-26]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



Remediation recommended

2. Dependency review PR comment blocked 🐞 Bug ☼ Reliability
Description
.github/workflows/dependency-review.yml requests comment-summary-in-pr: on-failure but does not
grant pull-requests: write, so the action likely cannot post the PR summary comment. This reduces
visibility of why a dependency review failed.
Code

.github/workflows/dependency-review.yml[R9-22]

+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: high
+          comment-summary-in-pr: on-failure
Evidence
The workflow permissions are limited to contents: read, while the dependency review step is
configured to comment on the PR on failure.

.github/workflows/dependency-review.yml[9-22]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Workflow enables PR commenting (`comment-summary-in-pr: on-failure`) but permissions only include `contents: read`, which likely prevents posting the comment.

## Issue Context
The job uses `actions/dependency-review-action@v4` with PR commenting enabled.

## Fix Focus Areas
- .github/workflows/dependency-review.yml[9-22]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



Informational

3. Bandit version not pinned 🐞 Bug ☼ Reliability
Description
The Bandit workflow installs bandit[sarif] without a version pin, making results and CI behavior
non-reproducible over time as new releases land. This can introduce unexpected scan changes or
breakage unrelated to repo changes.
Code

.github/workflows/bandit.yml[R30-31]

+      - name: Install Bandit
+        run: pip install "bandit[sarif]"
Evidence
The workflow installs Bandit via pip without specifying a version, so the installed artifact can
change between runs.

.github/workflows/bandit.yml[30-33]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`pip install "bandit[sarif]"` pulls the latest Bandit at runtime, which can change scan behavior or break the workflow unexpectedly.

## Issue Context
This workflow is intended to run continuously (push/PR/schedule), so determinism matters.

## Fix Focus Areas
- .github/workflows/bandit.yml[30-33]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

Qodo Logo

Comment on lines +19 to +23
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
# Needed to publish results and get a badge.
id-token: write

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

1. Scorecard checkout permission missing 🐞 Bug ☼ Reliability

In .github/workflows/scorecard.yml and .github/workflows/bandit.yml, the analysis and bandit
jobs set job-level permissions without contents: read, which can prevent actions/checkout from
fetching the repository and stop Scorecard/Bandit from running. This occurs because job-level
permissions override the workflow-level defaults (including read-all / contents: read).
Agent Prompt
## Issue description
The `analysis` job in the Scorecard workflow and the `bandit` job in the Bandit workflow define job-level permissions but omit `contents: read`, which can prevent `actions/checkout` from accessing the repository and cause the jobs to fail.

## Issue Context
Both workflows set permissive workflow-level defaults (`read-all` or explicit `contents: read`), but job-level `permissions` blocks override those defaults; since the jobs still run `actions/checkout@v4`, they need `contents: read` explicitly when job-level permissions are used.

## Fix Focus Areas
- .github/workflows/scorecard.yml[13-28]
- .github/workflows/bandit.yml[15-26]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants