-
Notifications
You must be signed in to change notification settings - Fork 19
111 lines (90 loc) · 4.22 KB
/
Copy pathsecurity.yml
File metadata and controls
111 lines (90 loc) · 4.22 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
name: Security
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
# Run weekly on Mondays at 08:00 UTC
- cron: "0 8 * * 1"
permissions:
contents: read
jobs:
bandit:
name: SAST (Bandit)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Set up uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
- name: Run Bandit
run: uvx --from "bandit[toml]" bandit -r src/dns_aid -c pyproject.toml -f json -o bandit-report.json
- name: Display results
if: always()
run: uvx --from "bandit[toml]" bandit -r src/dns_aid -c pyproject.toml
- name: Upload Bandit report
if: always()
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: bandit-report
path: bandit-report.json
sbom:
name: SBOM Generation
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: "3.12"
- name: Set up uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
- name: Install dependencies
run: uv sync --frozen --extra dev --extra cli --extra mcp --extra route53
- name: Generate SBOM
run: uv run --with cyclonedx-bom cyclonedx-py environment -o sbom.json --output-format json
- name: Upload SBOM
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: sbom
path: sbom.json
dependency-audit:
name: Dependency Audit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: "3.12"
- name: Set up uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
- name: Install dependencies
run: uv sync --frozen --extra dev --extra cli --extra mcp --extra route53
- name: Run pip-audit
# --ignore-vuln: transitive dep CVEs — no user input, all static flags.
# Each CVE is documented. Re-evaluate when fix versions are released.
run: |
uv run --with pip-audit pip-audit \
--ignore-vuln CVE-2026-4539 \
--ignore-vuln CVE-2025-8869 \
--ignore-vuln CVE-2026-1703 \
--ignore-vuln CVE-2026-34073 \
--ignore-vuln CVE-2026-25645 \
--ignore-vuln CVE-2026-3219 \
--ignore-vuln CVE-2025-45768
# CVE-2026-4539 pygments 2.19.2 — ReDoS in AdlLexer, local-only, no fix released
# CVE-2025-8869 pip 25.2 — tar symlink traversal, mitigated by Python >=3.12 PEP 706
# CVE-2026-1703 pip 25.2 — wheel path traversal, limited to install dir prefixes
# CVE-2026-34073 cryptography 46.0.5 — name constraint bypass, uncommon topology, fix: 46.0.6
# CVE-2026-25645 requests 2.32.5 — predictable temp path, only extract_zipped_paths(), fix: 2.33.0
# CVE-2026-3219 pip 26.0.1 — runner-image pip; affects the package manager only,
# not the dns-aid runtime; no user-supplied input flows
# through pip in CI; awaiting upstream pip fix
# CVE-2025-45768 pyjwt 2.12.1 — DISPUTED by maintainer (NVD: "Analyzed", note
# that "key length is chosen by the application").
# Snyk does not list this CVE; pyjwt's own GHSA
# advisories do not list it. Third-party-filed
# "weak encryption" claim; actually a usage concern.
# DNS-AID does not generate JWTs in the SDK path.
# See SECURITY.md + tracking issue #141.