-
-
Notifications
You must be signed in to change notification settings - Fork 0
chore(security): standardize SDLC security baseline #21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: development
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,11 +1,21 @@ | ||
| # To get started with Dependabot version updates, you'll need to specify which | ||
| # package ecosystems to update and where the package manifests are located. | ||
| # Please see the documentation for all configuration options: | ||
| # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates | ||
|
|
||
| # Dependabot: version updates + security updates. | ||
| # - pip ecosystem covers Poetry (pyproject.toml / poetry.lock). | ||
| # - github-actions keeps workflow action versions current (supply-chain hardening). | ||
| # Updates are grouped to minimize PR noise. | ||
| version: 2 | ||
| updates: | ||
| - package-ecosystem: "pip" # See documentation for possible values | ||
| directory: "/" # Location of package manifests | ||
| - package-ecosystem: "pip" | ||
| directory: "/" | ||
| schedule: | ||
| interval: "weekly" | ||
| groups: | ||
| python-dependencies: | ||
| patterns: ["*"] | ||
|
|
||
| - package-ecosystem: "github-actions" | ||
| directory: "/" | ||
| schedule: | ||
| interval: "weekly" | ||
| groups: | ||
| github-actions: | ||
| patterns: ["*"] | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| # Bandit: Python-specific static security analysis (hardcoded secrets, shell | ||
| # injection, unsafe deserialization, etc.). Complements CodeQL; results are | ||
| # reported to the Security tab via SARIF. Non-blocking (--exit-zero); CodeQL is | ||
| # the gate. Replaces the Python coverage previously provided by OSSAR. | ||
| name: Bandit | ||
|
|
||
| on: | ||
| push: | ||
| branches: ["development"] | ||
| pull_request: | ||
| branches: ["development"] | ||
| schedule: | ||
| - cron: "30 7 * * 2" | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| bandit: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| security-events: write | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: "3.13" | ||
| - name: Install Bandit | ||
| run: pip install "bandit[sarif]" | ||
| - name: Run Bandit | ||
| run: bandit -r . -x ./tests,./.venv,./venv -f sarif -o bandit.sarif --exit-zero | ||
| - name: Upload SARIF to code-scanning | ||
| uses: github/codeql-action/upload-sarif@v3 | ||
| with: | ||
| sarif_file: bandit.sarif |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| # Scans dependency manifest changes on PRs and blocks pull requests that | ||
| # introduce known-vulnerable dependencies. Native GitHub action, no external service. | ||
| name: Dependency Review | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: ["development"] | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| dependency-review: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| - name: Dependency Review | ||
| uses: actions/dependency-review-action@v4 | ||
| with: | ||
| fail-on-severity: high | ||
| comment-summary-in-pr: on-failure |
This file was deleted.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| # OpenSSF Scorecard: measures supply-chain security posture (branch protection, | ||
| # pinned dependencies, token permissions, etc.) and reports to the Security tab. | ||
| name: Scorecard supply-chain security | ||
|
|
||
| on: | ||
| branch_protection_rule: | ||
| schedule: | ||
| - cron: "20 7 * * 2" | ||
| push: | ||
| branches: ["development"] | ||
|
|
||
| # Declare default permissions as read only. | ||
| permissions: read-all | ||
|
Check warning on line 13 in .github/workflows/scorecard.yml
|
||
|
|
||
| jobs: | ||
| analysis: | ||
| name: Scorecard analysis | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| # Needed to upload the results to code-scanning dashboard. | ||
| security-events: write | ||
| # Needed to publish results and get a badge. | ||
| id-token: write | ||
|
Comment on lines
+19
to
+23
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 1. Scorecard checkout permission missing In .github/workflows/scorecard.yml and .github/workflows/bandit.yml, the analysis and bandit jobs set job-level permissions without contents: read, which can prevent actions/checkout from fetching the repository and stop Scorecard/Bandit from running. This occurs because job-level permissions override the workflow-level defaults (including read-all / contents: read). Agent Prompt
|
||
| steps: | ||
| - name: "Checkout code" | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| persist-credentials: false | ||
|
|
||
| - name: "Run analysis" | ||
| uses: ossf/scorecard-action@v2.4.0 | ||
|
Check failure on line 31 in .github/workflows/scorecard.yml
|
||
| with: | ||
| results_file: results.sarif | ||
| results_format: sarif | ||
| publish_results: true | ||
|
|
||
| - name: "Upload artifact" | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: SARIF file | ||
| path: results.sarif | ||
| retention-days: 5 | ||
|
|
||
| - name: "Upload to code-scanning" | ||
| uses: github/codeql-action/upload-sarif@v3 | ||
| with: | ||
| sarif_file: results.sarif | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Dependabot has a dedicated package ecosystem for Poetry. Since this project uses Poetry (
pyproject.tomlandpoetry.lock), you should usepoetryinstead ofpipas the package ecosystem. This ensures Dependabot can correctly parse and update your Poetry dependencies and lockfile.