From 97016202fcfab8340eee570eeffd174a678eb7e4 Mon Sep 17 00:00:00 2001 From: Ashutosh Kumar <37182127+ashu-tosh-kumar@users.noreply.github.com> Date: Tue, 30 Jun 2026 02:37:58 +0530 Subject: [PATCH] chore(security): standardize SDLC security baseline Align repo with the standardized security baseline across all public projects: - Add Dependency Review (PR gate blocking known-vulnerable deps). - Add OpenSSF Scorecard (supply-chain posture, reports to Security tab). - Add Bandit Python SAST (Python repos only; replaces OSSAR coverage). - Dependabot: add github-actions ecosystem + grouped updates. - Remove redundant/dead workflows (OSSAR, disabled advanced CodeQL, gitleaks/npm-audit) now covered by CodeQL default setup, native secret scanning + push protection, and Dependabot. Co-Authored-By: Claude Opus 4.8 --- .github/dependabot.yml | 24 +++++++---- .github/workflows/bandit.yml | 37 +++++++++++++++++ .github/workflows/dependency-review.yml | 22 ++++++++++ .github/workflows/ossar.yml | 55 ------------------------- .github/workflows/scorecard.yml | 47 +++++++++++++++++++++ 5 files changed, 123 insertions(+), 62 deletions(-) create mode 100644 .github/workflows/bandit.yml create mode 100644 .github/workflows/dependency-review.yml delete mode 100644 .github/workflows/ossar.yml create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 91abb11..c6a72a8 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,11 +1,21 @@ -# To get started with Dependabot version updates, you'll need to specify which -# package ecosystems to update and where the package manifests are located. -# Please see the documentation for all configuration options: -# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates - +# Dependabot: version updates + security updates. +# - pip ecosystem covers Poetry (pyproject.toml / poetry.lock). +# - github-actions keeps workflow action versions current (supply-chain hardening). +# Updates are grouped to minimize PR noise. version: 2 updates: - - package-ecosystem: "pip" # See documentation for possible values - directory: "/" # Location of package manifests + - package-ecosystem: "pip" + directory: "/" + schedule: + interval: "weekly" + groups: + python-dependencies: + patterns: ["*"] + + - package-ecosystem: "github-actions" + directory: "/" schedule: interval: "weekly" + groups: + github-actions: + patterns: ["*"] diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml new file mode 100644 index 0000000..047af34 --- /dev/null +++ b/.github/workflows/bandit.yml @@ -0,0 +1,37 @@ +# Bandit: Python-specific static security analysis (hardcoded secrets, shell +# injection, unsafe deserialization, etc.). Complements CodeQL; results are +# reported to the Security tab via SARIF. Non-blocking (--exit-zero); CodeQL is +# the gate. Replaces the Python coverage previously provided by OSSAR. +name: Bandit + +on: + push: + branches: ["development"] + pull_request: + branches: ["development"] + schedule: + - cron: "30 7 * * 2" + +permissions: + contents: read + +jobs: + bandit: + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: "3.13" + - name: Install Bandit + run: pip install "bandit[sarif]" + - name: Run Bandit + run: bandit -r . -x ./tests,./.venv,./venv -f sarif -o bandit.sarif --exit-zero + - name: Upload SARIF to code-scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: bandit.sarif diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..050fcc6 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,22 @@ +# Scans dependency manifest changes on PRs and blocks pull requests that +# introduce known-vulnerable dependencies. Native GitHub action, no external service. +name: Dependency Review + +on: + pull_request: + branches: ["development"] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Dependency Review + uses: actions/dependency-review-action@v4 + with: + fail-on-severity: high + comment-summary-in-pr: on-failure diff --git a/.github/workflows/ossar.yml b/.github/workflows/ossar.yml deleted file mode 100644 index 5147a2a..0000000 --- a/.github/workflows/ossar.yml +++ /dev/null @@ -1,55 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow integrates a collection of open source static analysis tools -# with GitHub code scanning. For documentation, or to provide feedback, visit -# https://github.com/github/ossar-action -name: OSSAR - -on: - push: - branches: [ "main" ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ "main" ] - schedule: - - cron: '21 8 * * 2' - -permissions: - contents: read - -jobs: - OSSAR-Scan: - # OSSAR runs on windows-latest. - # ubuntu-latest and macos-latest support coming soon - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - runs-on: windows-latest - - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - # Ensure a compatible version of dotnet is installed. - # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. - # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action. - # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. - # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: - # - name: Install .NET - # uses: actions/setup-dotnet@v2 - # with: - # dotnet-version: '3.1.x' - - # Run open source static analysis tools - - name: Run OSSAR - uses: github/ossar-action@v1 - id: ossar - - # Upload results to the Security tab - - name: Upload OSSAR results - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: ${{ steps.ossar.outputs.sarifFile }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..43eba39 --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,47 @@ +# OpenSSF Scorecard: measures supply-chain security posture (branch protection, +# pinned dependencies, token permissions, etc.) and reports to the Security tab. +name: Scorecard supply-chain security + +on: + branch_protection_rule: + schedule: + - cron: "20 7 * * 2" + push: + branches: ["development"] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge. + id-token: write + steps: + - name: "Checkout code" + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@v2.4.0 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + - name: "Upload artifact" + uses: actions/upload-artifact@v4 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif