Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 17 additions & 7 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -1,11 +1,21 @@
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

# Dependabot: version updates + security updates.
# - pip ecosystem covers Poetry (pyproject.toml / poetry.lock).
# - github-actions keeps workflow action versions current (supply-chain hardening).
# Updates are grouped to minimize PR noise.
version: 2
updates:
- package-ecosystem: "pip" # See documentation for possible values
directory: "/" # Location of package manifests
- package-ecosystem: "pip"
Comment on lines +2 to +7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Dependabot has a dedicated package ecosystem for Poetry. Since this project uses Poetry (pyproject.toml and poetry.lock), you should use poetry instead of pip as the package ecosystem. This ensures Dependabot can correctly parse and update your Poetry dependencies and lockfile.

# - poetry ecosystem covers Poetry (pyproject.toml / poetry.lock).
# - github-actions keeps workflow action versions current (supply-chain hardening).
# Updates are grouped to minimize PR noise.
version: 2
updates:
  - package-ecosystem: "poetry"

directory: "/"
schedule:
interval: "weekly"
groups:
python-dependencies:
patterns: ["*"]

- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
groups:
github-actions:
patterns: ["*"]
37 changes: 37 additions & 0 deletions .github/workflows/bandit.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
# Bandit: Python-specific static security analysis (hardcoded secrets, shell
# injection, unsafe deserialization, etc.). Complements CodeQL; results are
# reported to the Security tab via SARIF. Non-blocking (--exit-zero); CodeQL is
# the gate. Replaces the Python coverage previously provided by OSSAR.
name: Bandit

on:
push:
branches: ["development"]
pull_request:
branches: ["development"]
schedule:
- cron: "30 7 * * 2"

permissions:
contents: read

jobs:
bandit:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.13"
- name: Install Bandit
run: pip install "bandit[sarif]"
- name: Run Bandit
run: bandit -r . -x ./tests,./.venv,./venv -f sarif -o bandit.sarif --exit-zero
- name: Upload SARIF to code-scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: bandit.sarif
22 changes: 22 additions & 0 deletions .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
# Scans dependency manifest changes on PRs and blocks pull requests that
# introduce known-vulnerable dependencies. Native GitHub action, no external service.
name: Dependency Review

on:
pull_request:
branches: ["development"]

permissions:
contents: read

jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v4
with:
fail-on-severity: high
comment-summary-in-pr: on-failure
55 changes: 0 additions & 55 deletions .github/workflows/ossar.yml

This file was deleted.

47 changes: 47 additions & 0 deletions .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
# OpenSSF Scorecard: measures supply-chain security posture (branch protection,
# pinned dependencies, token permissions, etc.) and reports to the Security tab.
name: Scorecard supply-chain security

on:
branch_protection_rule:
schedule:
- cron: "20 7 * * 2"
push:
branches: ["development"]

# Declare default permissions as read only.
permissions: read-all

Check warning on line 13 in .github/workflows/scorecard.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Replace "read-all" with specific permissions (e.g., "contents: read").

See more on https://sonarcloud.io/project/issues?id=ashu-tosh-kumar_command-storage&issues=AZ8VNlKm2YJWSVGIaU4U&open=AZ8VNlKm2YJWSVGIaU4U&pullRequest=21

jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
# Needed to publish results and get a badge.
id-token: write
Comment on lines +19 to +23

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

1. Scorecard checkout permission missing 🐞 Bug ☼ Reliability

In .github/workflows/scorecard.yml and .github/workflows/bandit.yml, the analysis and bandit
jobs set job-level permissions without contents: read, which can prevent actions/checkout from
fetching the repository and stop Scorecard/Bandit from running. This occurs because job-level
permissions override the workflow-level defaults (including read-all / contents: read).
Agent Prompt
## Issue description
The `analysis` job in the Scorecard workflow and the `bandit` job in the Bandit workflow define job-level permissions but omit `contents: read`, which can prevent `actions/checkout` from accessing the repository and cause the jobs to fail.

## Issue Context
Both workflows set permissive workflow-level defaults (`read-all` or explicit `contents: read`), but job-level `permissions` blocks override those defaults; since the jobs still run `actions/checkout@v4`, they need `contents: read` explicitly when job-level permissions are used.

## Fix Focus Areas
- .github/workflows/scorecard.yml[13-28]
- .github/workflows/bandit.yml[15-26]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

steps:
- name: "Checkout code"
uses: actions/checkout@v4
with:
persist-credentials: false

- name: "Run analysis"
uses: ossf/scorecard-action@v2.4.0

Check failure on line 31 in .github/workflows/scorecard.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Use full commit SHA hash for this dependency.

See more on https://sonarcloud.io/project/issues?id=ashu-tosh-kumar_command-storage&issues=AZ8VNlKm2YJWSVGIaU4V&open=AZ8VNlKm2YJWSVGIaU4V&pullRequest=21
with:
results_file: results.sarif
results_format: sarif
publish_results: true

- name: "Upload artifact"
uses: actions/upload-artifact@v4
with:
name: SARIF file
path: results.sarif
retention-days: 5

- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
Loading