From 7327c7734fee145d3bcde8b90d78141d085c398a Mon Sep 17 00:00:00 2001
From: Rahul Devikar
Date: Mon, 9 Feb 2026 20:27:15 -0800
Subject: [PATCH 1/2] Add security workflows: pre-commit hooks, dependency review, CodeQL for Python
---
 .github/workflows/codeql.yml | 44 ++++++++++++++++++++++++
 .github/workflows/dependency-review.yml | 24 +++++++++++++
 .pre-commit-config.yaml | 45 +++++++++++++++++++++++++
 3 files changed, 113 insertions(+)
 create mode 100644 .github/workflows/codeql.yml
 create mode 100644 .github/workflows/dependency-review.yml
 create mode 100644 .pre-commit-config.yaml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..8d89f21b
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,44 @@
+# CodeQL Analysis for Python
+name: CodeQL
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ schedule:
+ # Run every Monday at 9:00 AM UTC
+ - cron: '0 9 * * 1'
+
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+jobs:
+ analyze:
+ name: Analyze Python
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Setup Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.11'
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: python
+ queries: +security-extended,security-and-quality
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v3
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:python"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 00000000..9ae691e4
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
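Review bot: Every third-party action in this workflow is referenced by a mutable tag (`uses: actions/checkout@v4`, `actions/setup-python@v5`, `github/codeql-action/init@v3`, `autobuild@v3`, `analyze@v3`), so whoever can move or re-publish that tag controls what runs in a job holding `security-events: write`. For a workflow that exists to harden the repository, pin each `uses:` to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, and rely on Dependabot or Renovate to bump the SHAs. The same tag-pinning applies to `actions/checkout@v4` and `actions/dependency-review-action@v4` in the dependency-review.yml hunk and to the tag-form `rev:` values in the .pre-commit-config.yaml hunk (pre-commit accepts a full commit SHA in `rev:`). The `Autobuild` step is, as far as I can tell, unnecessary for Python-only analysis and can be dropped to shorten the job, but that is a minor point next to the pinning.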
@@ -0,0 +1,24 @@
+# Dependency Review - blocks PRs that introduce known-vulnerable dependencies
+name: Dependency Review
+
+on:
+ pull_request:
+ branches: [main]
+
+permissions:
+ contents: read
+ pull-requests: write
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Dependency Review
+ uses: actions/dependency-review-action@v4
+ with:
+ fail-on-severity: high
+ comment-summary-in-pr: always
+ deny-licenses: GPL-3.0, AGPL-3.0
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 00000000..0815455b
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,45 @@
+# Pre-commit hooks for Agent365-python
+# Install: pip install pre-commit && pre-commit install
+# Run manually: pre-commit run --all-files
+
+repos:
+ # Gitleaks - detect secrets in code
+ - repo: https://github.com/gitleaks/gitleaks
+ rev: v8.18.4
+ hooks:
+ - id: gitleaks
+
+ # Whitespace fixes
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.6.0
+ hooks:
+ - id: trailing-whitespace
+ args: [--markdown-linebreak-ext=md]
+ - id: end-of-file-fixer
+ - id: mixed-line-ending
+ args: [--fix=lf]
+ - id: check-merge-conflict
+ - id: check-yaml
+ args: [--allow-multiple-documents]
+ - id: check-json
+ - id: check-toml
+ - id: check-ast
+
+ # Python specific
+ - repo: https://github.com/psf/black
+ rev: 24.4.2
+ hooks:
+ - id: black
+ language_version: python3
+
+ - repo: https://github.com/pycqa/isort
+ rev: 5.13.2
+ hooks:
+ - id: isort
+ args: ["--profile", "black"]
+
+ - repo: https://github.com/pycqa/flake8
+ rev: 7.0.0
+ hooks:
+ - id: flake8
+ args: [--max-line-length=120]
From bf83d08588da4e6dc6317fa9ec964e832ec246c5 Mon Sep 17 00:00:00 2001
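Review bot: `fail-on-severity: high` means moderate- and low-severity advisories are surfaced in the PR comment but never fail the check, which is narrower than the header comment's claim that the workflow "blocks PRs that introduce known-vulnerable dependencies". Either lower the threshold (`fail-on-severity: moderate`) or document the trade-off next to the line, e.g. `# high: moderate/low advisories appear in the PR summary but do not block the merge`. The trigger is `pull_request` against `main` only, so dependency changes pushed directly to `main` are never reviewed; that is inherent to this action, but a one-line comment beside `branches: [main]` would keep the next reader from assuming wider coverage.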
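Review bot: The gitleaks hook at `- id: gitleaks` is the only secret-detection control in this series, and it is client-side: it covers only developers who ran `pre-commit install`, scans only the staged change, and is skipped entirely by `git commit --no-verify`, so it is advisory rather than enforced. The header comment should say so, e.g. `# NOTE: these hooks run on the developer's machine only; they are not enforced for contributors who skip install`, and a CI-side scan of pushed history would be the enforcing counterpart (this series does not add one). The `check-yaml` and `check-json` hooks are useful here because the workflow files this series adds are themselves YAML, which is worth a short comment so nobody prunes them as unrelated.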
From: Rahul Devikar
Date: Mon, 9 Feb 2026 20:39:23 -0800
Subject: [PATCH 2/2] Add security workflows: pre-commit hooks, dependency review
---
 .github/workflows/codeql.yml | 44 -------------------------
 .github/workflows/dependency-review.yml | 2 +-
 .pre-commit-config.yaml | 24 ++++----------
 3 files changed, 8 insertions(+), 62 deletions(-)
 delete mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
deleted file mode 100644
index 8d89f21b..00000000
--- a/.github/workflows/codeql.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-# CodeQL Analysis for Python
-name: CodeQL
-
-on:
- push:
- branches: [main]
- pull_request:
- branches: [main]
- schedule:
- # Run every Monday at 9:00 AM UTC
- - cron: '0 9 * * 1'
-
-permissions:
- actions: read
- contents: read
- security-events: write
-
-jobs:
- analyze:
- name: Analyze Python
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Setup Python
- uses: actions/setup-python@v5
- with:
- python-version: '3.11'
-
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
- with:
- languages: python
- queries: +security-extended,security-and-quality
-
- - name: Autobuild
- uses: github/codeql-action/autobuild@v3
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
- with:
- category: "/language:python"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 9ae691e4..ab3c5558 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -21,4 +21,4 @@ jobs:
 with:
 fail-on-severity: high
 comment-summary-in-pr: always
- deny-licenses: GPL-3.0, AGPL-3.0
+ deny-licenses: GPL-3.0-only, AGPL-3.0-only
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 0815455b..707af6fb 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
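Review bot: `deny-licenses: GPL-3.0-only, AGPL-3.0-only` denies exactly those two SPDX identifiers, so a dependency declared as `GPL-3.0-or-later` or `AGPL-3.0-or-later` (a common form in Python package metadata) passes the gate untouched; if the intent is to keep the GPL-3 family out, list both variants: `deny-licenses: GPL-3.0-only, GPL-3.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later`. As far as I can tell the action also does not flag packages whose license it cannot determine, so this is a best-effort deny list rather than an allow list, and a comment above the line saying so would stop the next reader from assuming stricter coverage. The `dependency-review` job this `with:` block belongs to starts before the hunk.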
@@ -25,21 +25,11 @@ repos:
 - id: check-toml
 - id: check-ast
 
- # Python specific
- - repo: https://github.com/psf/black
- rev: 24.4.2
+ # Python specific - using Ruff (matches CI settings)
+ - repo: https://github.com/astral-sh/ruff-pre-commit
+ rev: v0.4.4
 hooks:
- - id: black
- language_version: python3
-
- - repo: https://github.com/pycqa/isort
- rev: 5.13.2
- hooks:
- - id: isort
- args: ["--profile", "black"]
-
- - repo: https://github.com/pycqa/flake8
- rev: 7.0.0
- hooks:
- - id: flake8
- args: [--max-line-length=120]
+ - id: ruff
+ args: [--fix, --line-length=100]
+ - id: ruff-format
+ args: [--line-length=100]
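Review bot: The comment `# Python specific - using Ruff (matches CI settings)` promises parity with CI, but the line length is hard-coded twice in hook arguments (`args: [--fix, --line-length=100]` and `args: [--line-length=100]`) instead of being read from the project's ruff configuration, so the hook and CI can drift without anyone noticing. If CI's ruff settings live in `pyproject.toml` or `ruff.toml` (not visible in this hunk), drop both `--line-length` arguments so the hooks and CI read the same `[tool.ruff]` section; if they do not, the comment should say where the value is mirrored from. `--fix` also rewrites files during the commit hook, which pre-commit reports as a failed hook until the author re-stages; that is expected behaviour but deserves a one-line comment for contributors who have not seen it. The `repos:` list this hunk edits begins before the hunk.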