From 51199cd997bcb8bf4cb42145360be71eb718db43 Mon Sep 17 00:00:00 2001 From: amberjblue Date: Wed, 6 Aug 2025 18:21:53 -0400 Subject: [PATCH 1/8] Update Trivy scan --- .github/workflows/security.yaml | 50 +++++++++++++++++++++++++-------- 1 file changed, 39 insertions(+), 11 deletions(-) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index dc84a07..8108fc2 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -1,31 +1,59 @@ -name: Security +name: Security Scan + on: push: - branches: - - main + branches: [main] pull_request: + branches: [main] + workflow_dispatch: + jobs: - build: - name: Build - runs-on: ubuntu-20.04 + trivy-scan: + name: Trivy + runs-on: ubuntu-latest permissions: contents: read security-events: write + actions: read + steps: - name: Checkout code uses: actions/checkout@v4 - - name: Trivy scan + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: '3.11' + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + if [ -f pyproject.toml ]; then + pip install -e ".[dev]" + fi + + - name: Run Trivy vulnerability scan uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'fs' + scan-ref: '.' format: 'sarif' output: 'trivy-results.sarif' - severity: 'MEDIUM,HIGH,CRITICAL' + severity: 'CRITICAL,HIGH,MEDIUM,LOW' exit-code: '0' - ignore-unfixed: false + - name: Check for critical and high vulnerabilities + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: 'fs' + scan-ref: '.' + format: 'table' + severity: 'CRITICAL,HIGH' + exit-code: '1' + continue-on-error: true - - name: Update Security tab + - name: Upload Trivy scan results to Security tab uses: github/codeql-action/upload-sarif@v3 + if: always() with: - sarif_file: 'trivy-results.sarif' \ No newline at end of file + sarif_file: 'trivy-results.sarif' + category: 'trivy-security-scan' From 3d07f5f08d167b289dd1def8771dfcb5cdf0fac0 Mon Sep 17 00:00:00 2001 From: amberjblue Date: Wed, 6 Aug 2025 18:39:11 -0400 Subject: [PATCH 2/8] Add bandit scan --- .github/workflows/security.yaml | 54 +++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 8108fc2..4971c91 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -57,3 +57,57 @@ jobs: with: sarif_file: 'trivy-results.sarif' category: 'trivy-security-scan' + + bandit-scan: + name: Bandit + runs-on: ubuntu-latest + permissions: + security-events: write + actions: read + contents: read + checks: write + + steps: + - uses: actions/checkout@v4 + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: "3.11" + cache: "pip" + + - name: Create virtual environment + run: | + python -m pip install --upgrade pip + python -m venv .venv + + - name: Install dependencies + run: | + source .venv/bin/activate + pip install -e ".[dev]" + + - name: Install Bandit + run: | + source .venv/bin/activate + pip install bandit[toml] + + - name: Run Bandit Security Scan + uses: PyCQA/bandit-action@v1 + with: + targets: "." + + - name: Upload SARIF results to Security tab + if: github.ref == 'refs/heads/main' + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif + category: bandit-security-scan + continue-on-error: true + + - name: Upload SARIF as artifact + uses: actions/upload-artifact@v4 + with: + name: bandit-sarif-results + path: results.sarif + retention-days: 30 + continue-on-error: true \ No newline at end of file From 9fad0a0c487fb7a91a5549cc999da0facbbf5997 Mon Sep 17 00:00:00 2001 From: amberjblue Date: Wed, 6 Aug 2025 19:04:16 -0400 Subject: [PATCH 3/8] Exclude tests in bandit scan --- pyproject.toml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pyproject.toml b/pyproject.toml index 259d94a..995852e 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -48,6 +48,7 @@ dev = [ "twine==3.4.2", "wheel~=0.38.4", "xgboost~=3.0.2", + "bandit[toml]~=1.7.7" ] extras = ["aix360[default,tsice,tslime,tssaliency]==0.3.0"] @@ -86,3 +87,6 @@ markers = [ where = ["src"] [tool.setuptools_scm] + +[tool.bandit] +exclude = ["tests"] \ No newline at end of file From 8f46df626d042fe198ebd1097d18e0a688b65703 Mon Sep 17 00:00:00 2001 From: amberjblue Date: Wed, 6 Aug 2025 19:04:28 -0400 Subject: [PATCH 4/8] Exclude tests in bandit scan --- .github/workflows/security.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 4971c91..5a688a4 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -95,6 +95,7 @@ jobs: uses: PyCQA/bandit-action@v1 with: targets: "." + configFile: "pyproject.toml" - name: Upload SARIF results to Security tab if: github.ref == 'refs/heads/main' From 7e86cf27968cada99f5d0b5346029de0e6e5133f Mon Sep 17 00:00:00 2001 From: amberjblue Date: Wed, 6 Aug 2025 19:05:32 -0400 Subject: [PATCH 5/8] Remove redundant Bandit install --- .github/workflows/security.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 5a688a4..103051a 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -86,11 +86,6 @@ jobs: source .venv/bin/activate pip install -e ".[dev]" - - name: Install Bandit - run: | - source .venv/bin/activate - pip install bandit[toml] - - name: Run Bandit Security Scan uses: PyCQA/bandit-action@v1 with: From 6eda1b49e2ade2e154e967e00d1fc19969bb11ed Mon Sep 17 00:00:00 2001 From: amberjblue Date: Wed, 6 Aug 2025 19:26:26 -0400 Subject: [PATCH 6/8] Guarantee serif format --- .github/workflows/security.yaml | 7 +++---- pyproject.toml | 2 +- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 103051a..e8a95ae 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -87,10 +87,9 @@ jobs: pip install -e ".[dev]" - name: Run Bandit Security Scan - uses: PyCQA/bandit-action@v1 - with: - targets: "." - configFile: "pyproject.toml" + run: | + source .venv/bin/activate + bandit -r . --configfile pyproject.toml --format sarif -o results.sarif - name: Upload SARIF results to Security tab if: github.ref == 'refs/heads/main' diff --git a/pyproject.toml b/pyproject.toml index 995852e..85a2bea 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -48,7 +48,7 @@ dev = [ "twine==3.4.2", "wheel~=0.38.4", "xgboost~=3.0.2", - "bandit[toml]~=1.7.7" + "bandit[toml,sarif]~=1.7.7" ] extras = ["aix360[default,tsice,tslime,tssaliency]==0.3.0"] From 5236b3f304f2405ea080681acec209ff8cfa433a Mon Sep 17 00:00:00 2001 From: amberjblue Date: Wed, 6 Aug 2025 19:54:28 -0400 Subject: [PATCH 7/8] Update Bandit scan --- .github/workflows/security.yaml | 10 ++++++++-- pyproject.toml | 6 +----- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index e8a95ae..5299f03 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -86,10 +86,16 @@ jobs: source .venv/bin/activate pip install -e ".[dev]" - - name: Run Bandit Security Scan + - name: Install Bandit run: | source .venv/bin/activate - bandit -r . --configfile pyproject.toml --format sarif -o results.sarif + pip install bandit[toml, sarif] + + - name: Run Bandit Security Scan + uses: PyCQA/bandit-action@v1 + with: + targets: "." + exclude: "tests" - name: Upload SARIF results to Security tab if: github.ref == 'refs/heads/main' diff --git a/pyproject.toml b/pyproject.toml index 85a2bea..3981394 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -48,7 +48,6 @@ dev = [ "twine==3.4.2", "wheel~=0.38.4", "xgboost~=3.0.2", - "bandit[toml,sarif]~=1.7.7" ] extras = ["aix360[default,tsice,tslime,tssaliency]==0.3.0"] @@ -86,7 +85,4 @@ markers = [ [tool.setuptools.packages.find] where = ["src"] -[tool.setuptools_scm] - -[tool.bandit] -exclude = ["tests"] \ No newline at end of file +[tool.setuptools_scm] \ No newline at end of file From 07eb92bde98dc8a325e2f90e6468942abf2077a0 Mon Sep 17 00:00:00 2001 From: amberjblue Date: Wed, 6 Aug 2025 19:59:44 -0400 Subject: [PATCH 8/8] Update Bandit scan --- .github/workflows/security.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 5299f03..9da83bf 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -89,7 +89,7 @@ jobs: - name: Install Bandit run: | source .venv/bin/activate - pip install bandit[toml, sarif] + pip install bandit[sarif] - name: Run Bandit Security Scan uses: PyCQA/bandit-action@v1