From fb67e98d1226133958d080a5fc591b9a460c3005 Mon Sep 17 00:00:00 2001
From: Thomas Vuillaume
Date: Wed, 7 Jan 2026 11:19:48 +0100
Subject: [PATCH 1/6] add action security with bandit and gitleaks
---
 .github/workflows/security.yml | 39 ++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 .github/workflows/security.yml
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 0000000..2dfbee2
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,39 @@
+name: Security Scans
+
+on:
+ push:
+ branches: [ main, security ]
+ pull_request:
+ branches: [ main ]
+ workflow_dispatch:
+
+jobs:
+ bandit:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ actions: read
+ contents: read
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Bandit security scan
+ uses: PyCQA/bandit-action@v1
+ with:
+ configfile: pyproject.toml
+
+ gitleaks:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ actions: read
+ contents: read
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Gitleaks secret scan
+ uses: gitleaks/gitleaks-action@v2
+ with:
+ args: detect --source . --no-git --redact
From 065ca1c7ae051ae2e7c2f6d716251a6e6ee964e5 Mon Sep 17 00:00:00 2001
From: Thomas Vuillaume
Date: Wed, 7 Jan 2026 11:27:16 +0100
Subject: [PATCH 2/6] test with python 3.13
---
 .github/workflows/security.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 2dfbee2..27b7568 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -16,11 +16,12 @@ jobs:
 contents: read
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
 - name: Bandit security scan
 uses: PyCQA/bandit-action@v1
 with:
+ python-version: '3.13'
 configfile: pyproject.toml
 gitleaks:
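Review bot: Every `uses:` in this new workflow references a mutable tag (`actions/checkout@v4`, `PyCQA/bandit-action@v1`, `gitleaks/gitleaks-action@v2`), so whoever can move one of those tags can run their code inside a job that holds a `security-events: write` token and a full checkout of the repository. Pin each action to a full-length commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<40-hex-sha> # v4`, and let Dependabot's `github-actions` ecosystem propose the bumps so the pins do not rot. A workflow-level `permissions:` block of `contents: read` above `jobs:` is also worth adding so any job added later starts from a read-only token; the per-job blocks here already follow least privilege, which is good.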
From c63523f29cd55542de1bb6f7e33f4d04df0b5056 Mon Sep 17 00:00:00 2001
From: Thomas Vuillaume
Date: Wed, 7 Jan 2026 11:32:48 +0100
Subject: [PATCH 3/6] add gitleaks license
---
 .github/workflows/security.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 27b7568..957649c 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -32,9 +32,14 @@ jobs:
 contents: read
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
 - name: Gitleaks secret scan
 uses: gitleaks/gitleaks-action@v2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
 with:
 args: detect --source . --no-git --redact
From d1b6c0c2351f28a51d6b3dd202ae933f032d9690 Mon Sep 17 00:00:00 2001
From: Thomas Vuillaume
Date: Wed, 7 Jan 2026 11:35:36 +0100
Subject: [PATCH 4/6] remove gitleaks args
---
 .github/workflows/security.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 957649c..3b54cee 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -41,5 +41,3 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
- with:
- args: detect --source . --no-git --redact
From 57781ed89633bba4c9524ed78e563d03faf08e04 Mon Sep 17 00:00:00 2001
From: Thomas Vuillaume
Date: Thu, 15 Jan 2026 12:15:36 +0100
Subject: [PATCH 5/6] fix bandit issue in CI install bandit with pip instead of github action to support toml format use config in pyproject.toml
---
 .github/workflows/security.yml | 20 ++++++++++++++++----
 pyproject.toml | 5 +++++
 2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 3b54cee..b90831f 100644
--- a/.github/workflows/security.yml
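Review bot: `GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}` reads a repository secret, and GitHub does not pass secrets other than `GITHUB_TOKEN` to `pull_request` runs triggered from forks, so on a public repository this job will run unlicensed — and, if the repository is organization-owned where gitleaks-action v2 requires the license, fail outright — on exactly the external contributions that most need secret scanning. Either accept that and say so in a comment above the step, or skip it for fork PRs with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` and rely on the `push` scan of `main` to catch anything that gets merged. The `fetch-depth: 0` only pays off once the `--no-git` in `args:` goes away; when it does, confirm the action's default command still passes `--redact` so matched secret values are not echoed into the job log.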
+++ b/.github/workflows/security.yml
@@ -18,11 +18,23 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v6
- - name: Bandit security scan
- uses: PyCQA/bandit-action@v1
+ - name: Set up Python
+ uses: actions/setup-python@v5
 with:
 python-version: '3.13'
- configfile: pyproject.toml
+
+ - name: Install Bandit with TOML support
+ run: pip install bandit[toml]
+
+ - name: Run Bandit security scan
+ run: bandit -r . -c pyproject.toml -f json -o bandit-results.json || true
+
+ - name: Upload Bandit results
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: bandit-results.json
+ category: bandit
 gitleaks:
 runs-on: ubuntu-latest
@@ -40,4 +52,4 @@ jobs:
 uses: gitleaks/gitleaks-action@v2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+ GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
diff --git a/pyproject.toml b/pyproject.toml
index e3ed32b..749acc3 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -30,3 +30,8 @@ classifiers = [
 [project.scripts]
 pkoffee = "pkoffee.cli:main"
+
+[tool.bandit]
+exclude_dirs = ["tests", "doc", "analysis", ".pixi"]
+tests = ["B301","B302","B303","B304","B403","B506","B602","B603","B604","B605","B105"]
+skips = ["B101","B104","B110"]
\ No newline at end of file
From 74ab367a7a132d9ed1b2f7d81d8bd61925eb51fd Mon Sep 17 00:00:00 2001
From: Thomas Vuillaume
Date: Thu, 15 Jan 2026 12:23:52 +0100
Subject: [PATCH 6/6] support sarif format for bandit
---
 .github/workflows/security.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index b90831f..31b8148 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
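Review bot: `run: bandit -r . -c pyproject.toml -f json -o bandit-results.json || true` throws away Bandit's exit status for every reason, so a configuration error or a crash looks identical to a clean scan, and the `if: always()` upload step then fails on a missing report instead of surfacing the real error. Bandit separates the two cases itself: `--exit-zero` is meant to return 0 when findings exist while errors still exit non-zero, so change the line to `run: bandit -r . -c pyproject.toml -f json -o bandit-results.json --exit-zero` and drop the shell fallback. Be aware too that `upload-sarif` needs the `security-events: write` scope, which GitHub does not grant to `pull_request` runs from forks, so that step should be guarded or expected to fail there; a comment above it saying so would save the next person a debugging session.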
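Review bot: `tests = [...]` in the new `[tool.bandit]` table turns Bandit into an allow-list of eleven checks and silently disables every other rule — `B105` is kept but its siblings `B106`/`B107` (hard-coded password arguments and defaults), `B307` (eval), `B608` (string-built SQL), the `B5xx` TLS checks and `B324` (weak hashes) never run. The `skips` entries `B101`, `B104`, `B110` are redundant under that allow-list since none of them is in `tests`, which suggests the intent was "run everything except these three"; if so, delete the `tests` line and keep `skips`. Whichever is intended, add a comment above each list recording why (e.g. `# B101: assert is acceptable outside production paths`) so the suppressions can be revisited, and fix the missing trailing newline the diff flags. Also confirm `exclude_dirs` should drop `tests` entirely — test code that shells out or deserializes untrusted data is still a useful signal, and `B101` already covers the assert noise that usually motivates excluding it.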
@@ -24,16 +24,16 @@ jobs:
 python-version: '3.13'
 - name: Install Bandit with TOML support
- run: pip install bandit[toml]
+ run: pip install "bandit[toml,sarif]"
 - name: Run Bandit security scan
- run: bandit -r . -c pyproject.toml -f json -o bandit-results.json || true
+ run: bandit -r . -c pyproject.toml -f sarif -o bandit-results.sarif || true
 - name: Upload Bandit results
 uses: github/codeql-action/upload-sarif@v3
 if: always()
 with:
- sarif_file: bandit-results.json
+ sarif_file: bandit-results.sarif
 category: bandit
 gitleaks:
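Review bot: `run: pip install "bandit[toml,sarif]"` still installs whatever release is current at run time, so the scanner that produces the uploaded SARIF is not reproducible and a broken or compromised release lands in CI the moment it is published. Pin the release, e.g. `run: pip install "bandit[toml,sarif]==<version>"`, or better a small requirements file installed with `--require-hashes`, and let Dependabot propose bumps. The quoting added here is the right fix for the shell — an unquoted `bandit[toml]` is a glob pattern in bash — but it deserves a one-line comment above the step so the next edit does not drop it: `# quoted: the [...] extras would otherwise be treated as a shell glob`.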