Skip to content

Add supply-chain security gates#83

Merged
Subhransu-De merged 7 commits into
mainfrom
supply-chain-security-gates
Jul 11, 2026
Merged

Add supply-chain security gates#83
Subhransu-De merged 7 commits into
mainfrom
supply-chain-security-gates

Conversation

@Subhransu-De

Copy link
Copy Markdown
Owner

Closes #23.

Adds blocking supply-chain checks for secrets, Dockerfiles, workflows, Python dependencies, pull-request dependency changes, and built container images.

Validated with actionlint, Hadolint, and git diff --check.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c589587a62

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

fetch-depth: 0

- name: Scan repository for secrets
uses: gitleaks/gitleaks-action@dcedce43c6f43de0b836d1fe38946645c9c638dc # v2

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Pass GITHUB_TOKEN into gitleaks on PRs

On pull_request runs, gitleaks-action v2's ScanPullRequest path exits when process.env.GITHUB_TOKEN is absent; its upstream usage example explicitly passes env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}. This job only grants token permissions, which does not create that environment variable, so every PR run will fail in the first gate before scanning or reaching later jobs. Add the env mapping (with the existing read permissions) or switch to a scan invocation that does not need the PR API.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added the required token mapping. Gitleaks now passes on pull requests.

@Subhransu-De

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 323596eb9e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/workflow.yml Outdated
version: "0.11.28"

- name: Audit locked Python dependencies
run: uv audit --frozen

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Reject stale lockfiles before auditing

For PRs that edit pyproject.toml but forget to update uv.lock, uv audit --frozen audits the existing lockfile as the source of truth without checking it is current; the uv CLI docs describe --frozen this way and reserve --locked for asserting the lockfile remains up to date. That lets newly declared vulnerable dependencies avoid this required audit until the lock is refreshed, so run a lock check or use uv audit --locked before treating the result as merge-blocking.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed the audit to verify the lockfile is current before scanning.

@Subhransu-De

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Breezy!

Reviewed commit: 7ef9786936

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7d0c9a4921

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

IMAGE_NAME: ${{ github.repository }}

jobs:
gitleaks:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Run the secret scan on every file change

Because this new Gitleaks job is inside the existing push/pull_request paths allowlist, it only runs when the changed files match that list. A PR that adds a credential to an unlisted file such as README.md, .env, or another documentation/config file will not start this job at all, so the secret can merge before any scan sees it. Move the secret scan to an unfiltered workflow or remove/expand the path filters for this job.

Useful? React with 👍 / 👎.

version: "0.11.28"

- name: Audit locked Python dependencies
run: uv audit --locked

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Audit the scenario-test workspace dependencies

This root-level uv audit --locked audits the current project's dependencies, but the repo also defines scenario-tests as a uv workspace member and the e2e job installs it with uv sync --package scenario-tests. Dependencies used only by that member, such as behave or future scenario-only packages, can therefore be locked and executed in CI without being covered by this audit gate; add an audit for the scenario-tests project/member as well.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a separate audit for the scenario-test workspace dependencies.

@Subhransu-De

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1ede95d74c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/workflow.yml Outdated
- project: application
audit-args: ""
- project: scenario-tests
audit-args: --package scenario-tests

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Replace unsupported uv audit package flag

When this matrix row runs, the command expands to uv audit --locked --package scenario-tests. I checked the official uv audit CLI reference, and it lists selectors like --project/--directory but no --package option for uv audit, so this scenario-tests leg exits with a usage error before any audit runs. Because build now needs dependency-audit, this blocks every matching CI run.

Useful? React with 👍 / 👎.

@sonarqubecloud

Copy link
Copy Markdown

@Subhransu-De Subhransu-De merged commit 9e5b527 into main Jul 11, 2026
31 checks passed
@Subhransu-De Subhransu-De deleted the supply-chain-security-gates branch July 11, 2026 06:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add supply-chain security gates

1 participant