Skip to content
Security

chore: rename repo URLs to the dns-aid org and release 0.24.2 #458

Sign in to view logs

chore: rename repo URLs to the dns-aid org and release 0.24.2

chore: rename repo URLs to the dns-aid org and release 0.24.2 #458

Workflow file for this run

.github/workflows/security.yml at 1685ff1
name: Security
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
# Run weekly on Mondays at 08:00 UTC
- cron: "0 8 * * 1"
permissions:
contents: read
jobs:
bandit:
name: SAST (Bandit)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Set up uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
- name: Run Bandit
run: uvx --from "bandit[toml]" bandit -r src/dns_aid -c pyproject.toml -f json -o bandit-report.json
- name: Display results
if: always()
run: uvx --from "bandit[toml]" bandit -r src/dns_aid -c pyproject.toml
- name: Upload Bandit report
if: always()
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: bandit-report
path: bandit-report.json
sbom:
name: SBOM Generation
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: "3.12"
- name: Set up uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
- name: Install dependencies
run: uv sync --frozen --extra dev --extra cli --extra mcp --extra route53
- name: Generate SBOM
run: uv run --with cyclonedx-bom cyclonedx-py environment -o sbom.json --output-format json
- name: Upload SBOM
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: sbom
path: sbom.json
dependency-audit:
name: Dependency Audit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: "3.12"
- name: Set up uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
- name: Install dependencies
run: uv sync --frozen --extra dev --extra cli --extra mcp --extra route53
- name: Run pip-audit
# --ignore-vuln: transitive dep CVEs — no user input, all static flags.
# Each CVE is documented. Re-evaluate when fix versions are released.
run: |
uv run --with pip-audit pip-audit \
--ignore-vuln CVE-2026-4539 \
--ignore-vuln CVE-2025-8869 \
--ignore-vuln CVE-2026-1703 \
--ignore-vuln CVE-2026-34073 \
--ignore-vuln CVE-2026-25645 \
--ignore-vuln CVE-2026-3219 \
--ignore-vuln CVE-2025-45768
# CVE-2026-4539 pygments 2.19.2 — ReDoS in AdlLexer, local-only, no fix released
# CVE-2025-8869 pip 25.2 — tar symlink traversal, mitigated by Python >=3.12 PEP 706
# CVE-2026-1703 pip 25.2 — wheel path traversal, limited to install dir prefixes
# CVE-2026-34073 cryptography 46.0.5 — name constraint bypass, uncommon topology, fix: 46.0.6
# CVE-2026-25645 requests 2.32.5 — predictable temp path, only extract_zipped_paths(), fix: 2.33.0
# CVE-2026-3219 pip 26.0.1 — runner-image pip; affects the package manager only,
# not the dns-aid runtime; no user-supplied input flows
# through pip in CI; awaiting upstream pip fix
# CVE-2025-45768 pyjwt 2.12.1 — DISPUTED by maintainer (NVD: "Analyzed", note
# that "key length is chosen by the application").
# Snyk does not list this CVE; pyjwt's own GHSA
# advisories do not list it. Third-party-filed
# "weak encryption" claim; actually a usage concern.
# DNS-AID does not generate JWTs in the SDK path.
# See SECURITY.md + tracking issue #141.