Merge branch 'main' into DB

Author: RobGeada

.github/workflows/security-scan.yaml

@@ -0,0 +1,65 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  bandit-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+      checks: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: "pip"
+
+      - name: Create virtual environment
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install uv
+          python -m venv .venv
+
+      - name: Install dependencies
+        run: |
+          source .venv/bin/activate
+          if [ -f pyproject.toml ]; then
+            uv pip install -e ".[dev]"
+          fi
+
+      - name: Install Bandit
+        run: |
+          source .venv/bin/activate
+          python -m pip install bandit[toml]
+
+      - name: Run Bandit Security Scan
+        uses: PyCQA/bandit-action@v1
+        with:
+          targets: "src/"
+
+      - name: Upload SARIF results to GitHub Security tab
+        if: github.ref == 'refs/heads/main'
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: bandit-security-scan
+        continue-on-error: true
+
+      - name: Upload SARIF as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: bandit-sarif-results
+          path: results.sarif
+          retention-days: 30
+        continue-on-error: true

pyproject.toml

@@ -8,28 +8,29 @@ readme = "README.md"
 dependencies = [
     "fastapi>=0.115.9,<0.116",
     "pandas>=2.2.3,<3",
-    "prometheus-client>=0.21.1,<0.22",
+    "prometheus-client>=0.21.1,<0.23",
     "pydantic>=2.4.2,<3",
     "uvicorn>=0.34.0,<0.35",
     "protobuf>=4.24.4,<7",
     "requests>=2.31.0,<3",
-    "cryptography>=44.0.2,<45",
+    "cryptography>=44.0.2,<46",
     "h5py>=3.13.0,<4",
 ]
 
 [project.optional-dependencies]
 dev = [
     "pytest>=7.4.2,<9",
-    "isort>=5.12.0,<6",
-    "flake8>=6.1.0,<7",
+    "isort>=5.12.0,<7",
+    "flake8>=6.1.0,<8",
     "mypy>=1.5.1,<2",
-    "pytest-cov>=4.1.0,<5",
-    "httpx>=0.25.0,<0.26",
+    "pytest-cov>=4.1.0,<7",
+    "httpx>=0.25.0,<0.29",
 ]
 eval = ["lm-eval[api]==0.4.4", "fastapi-utils>=0.8.0", "typing-inspect==0.9.0"]
-protobuf = ["numpy>=1.24.0,<2", "grpcio>=1.62.1,<2", "grpcio-tools>=1.62.1,<2"]
+protobuf = ["numpy>=1.24.0,<3", "grpcio>=1.62.1,<2", "grpcio-tools>=1.62.1,<2"]
 mariadb = ["mariadb>=1.1.12", "javaobj-py3==0.4.4"]
 
+
 [tool.hatch.build.targets.sdist]
 include = ["src"]