From c589587a6222edd6e1b3d83a672b5bf8433916ed Mon Sep 17 00:00:00 2001 From: Subhransu De Date: Sat, 11 Jul 2026 10:48:26 +0530 Subject: [PATCH 1/7] Add supply-chain security gates --- .github/workflows/workflow.yml | 81 +++++++++++++++++++++++++++++++++- docs/ci-security.md | 14 ++++++ 2 files changed, 94 insertions(+), 1 deletion(-) create mode 100644 docs/ci-security.md diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index 69498b3..d5fe1a7 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml @@ -41,8 +41,74 @@ env: IMAGE_NAME: ${{ github.repository }} jobs: + gitleaks: + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read + + steps: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + fetch-depth: 0 + + - name: Scan repository for secrets + uses: gitleaks/gitleaks-action@dcedce43c6f43de0b836d1fe38946645c9c638dc # v2 + + hadolint: + runs-on: ubuntu-latest + needs: [gitleaks] + strategy: + matrix: + dockerfile: [Dockerfile, Dockerfile.migration] + + steps: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + + - name: Lint ${{ matrix.dockerfile }} + uses: hadolint/hadolint-action@3fc49fb50d59c6ab7917a2e4195dba633e515b29 # v3.2.0 + with: + dockerfile: ${{ matrix.dockerfile }} + failure-threshold: warning + + actionlint: + runs-on: ubuntu-latest + needs: [hadolint] + + steps: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + + - name: Lint GitHub Actions workflows + uses: raven-actions/actionlint@3d39aea434753780c3b3d4a1a31c854b4dbf49d7 # v2 + + dependency-audit: + runs-on: ubuntu-latest + needs: [hadolint] + + steps: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + + - uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2 + with: + version: "0.11.28" + + - name: Audit locked Python dependencies + run: uv audit --frozen + + dependency-review: + if: github.event_name == 'pull_request' + runs-on: ubuntu-latest + needs: [hadolint] + permissions: + contents: read + + steps: + - name: Review dependency changes + uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0 + ruff: runs-on: ubuntu-latest + needs: [hadolint] steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 @@ -57,6 +123,7 @@ jobs: ty: runs-on: ubuntu-latest + needs: [hadolint] steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 @@ -71,6 +138,7 @@ jobs: import-linter: runs-on: ubuntu-latest + needs: [hadolint] steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 @@ -85,6 +153,7 @@ jobs: test: runs-on: ubuntu-latest + needs: [hadolint] strategy: fail-fast: false matrix: @@ -112,7 +181,7 @@ jobs: build: runs-on: ubuntu-latest - needs: [ruff, ty, import-linter, test] + needs: [actionlint, dependency-audit, ruff, ty, import-linter, test] permissions: contents: read strategy: @@ -142,6 +211,16 @@ jobs: tags: ${{ matrix.tag }} cache-from: type=gha cache-to: type=gha,mode=max + load: true + + - name: Scan ${{ matrix.image-name }} image + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 + with: + image-ref: ${{ matrix.tag }} + format: table + exit-code: "1" + ignore-unfixed: true + severity: HIGH,CRITICAL e2e: name: Scenario tests diff --git a/docs/ci-security.md b/docs/ci-security.md new file mode 100644 index 0000000..219742a --- /dev/null +++ b/docs/ci-security.md @@ -0,0 +1,14 @@ +# CI security checks + +The following checks are required and fail CI when they find a violation: + +- Gitleaks scans repository history for committed secrets. +- Hadolint rejects warnings or errors in both Dockerfiles. +- actionlint validates GitHub Actions workflow syntax and expressions. +- `uv audit --frozen` checks the locked Python dependency graph for known vulnerabilities without changing the lockfile. +- Dependency Review blocks pull requests that introduce vulnerable dependencies. +- Trivy blocks application and migration images containing fixed high- or critical-severity vulnerabilities. + +Dependabot update proposals and the SonarCloud and Snyk badges are advisory maintenance signals, not merge-blocking CI jobs. + +Suppress a required finding only when it is a confirmed false positive or an accepted risk. Keep the exception as narrow as possible and document its reason, affected identifier, owner, and review date next to the tool-specific configuration. From 323596eb9ef7296cbbcdc92c6dbbab6a65b35b80 Mon Sep 17 00:00:00 2001 From: Subhransu De Date: Sat, 11 Jul 2026 10:52:07 +0530 Subject: [PATCH 2/7] Pass token to Gitleaks --- .github/workflows/workflow.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index d5fe1a7..f441bb1 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml @@ -54,6 +54,8 @@ jobs: - name: Scan repository for secrets uses: gitleaks/gitleaks-action@dcedce43c6f43de0b836d1fe38946645c9c638dc # v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} hadolint: runs-on: ubuntu-latest From 7ef9786936e633aa3c25da749e27a280bb058011 Mon Sep 17 00:00:00 2001 From: Subhransu De Date: Sat, 11 Jul 2026 11:02:17 +0530 Subject: [PATCH 3/7] Verify lockfile before dependency audit --- .github/workflows/workflow.yml | 2 +- docs/ci-security.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index f441bb1..688da56 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml @@ -95,7 +95,7 @@ jobs: version: "0.11.28" - name: Audit locked Python dependencies - run: uv audit --frozen + run: uv audit --locked dependency-review: if: github.event_name == 'pull_request' diff --git a/docs/ci-security.md b/docs/ci-security.md index 219742a..0785751 100644 --- a/docs/ci-security.md +++ b/docs/ci-security.md @@ -5,7 +5,7 @@ The following checks are required and fail CI when they find a violation: - Gitleaks scans repository history for committed secrets. - Hadolint rejects warnings or errors in both Dockerfiles. - actionlint validates GitHub Actions workflow syntax and expressions. -- `uv audit --frozen` checks the locked Python dependency graph for known vulnerabilities without changing the lockfile. +- `uv audit --locked` verifies the lockfile is current and checks the locked Python dependency graph for known vulnerabilities. - Dependency Review blocks pull requests that introduce vulnerable dependencies. - Trivy blocks application and migration images containing fixed high- or critical-severity vulnerabilities. From 7d0c9a49213d8bd1a8cf1175953e68a7c08435b2 Mon Sep 17 00:00:00 2001 From: Subhransu De Date: Sat, 11 Jul 2026 11:12:38 +0530 Subject: [PATCH 4/7] Remove CI security documentation --- docs/ci-security.md | 14 -------------- 1 file changed, 14 deletions(-) delete mode 100644 docs/ci-security.md diff --git a/docs/ci-security.md b/docs/ci-security.md deleted file mode 100644 index 0785751..0000000 --- a/docs/ci-security.md +++ /dev/null @@ -1,14 +0,0 @@ -# CI security checks - -The following checks are required and fail CI when they find a violation: - -- Gitleaks scans repository history for committed secrets. -- Hadolint rejects warnings or errors in both Dockerfiles. -- actionlint validates GitHub Actions workflow syntax and expressions. -- `uv audit --locked` verifies the lockfile is current and checks the locked Python dependency graph for known vulnerabilities. -- Dependency Review blocks pull requests that introduce vulnerable dependencies. -- Trivy blocks application and migration images containing fixed high- or critical-severity vulnerabilities. - -Dependabot update proposals and the SonarCloud and Snyk badges are advisory maintenance signals, not merge-blocking CI jobs. - -Suppress a required finding only when it is a confirmed false positive or an accepted risk. Keep the exception as narrow as possible and document its reason, affected identifier, owner, and review date next to the tool-specific configuration. From d8666b5e32164ccf09a0c3fa010e1a7628b40228 Mon Sep 17 00:00:00 2001 From: Subhransu De Date: Sat, 11 Jul 2026 11:20:16 +0530 Subject: [PATCH 5/7] Audit scenario test dependencies --- .github/workflows/workflow.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index 688da56..ddff443 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml @@ -95,7 +95,9 @@ jobs: version: "0.11.28" - name: Audit locked Python dependencies - run: uv audit --locked + run: | + uv audit --locked + uv audit --locked --package scenario-tests dependency-review: if: github.event_name == 'pull_request' From 1ede95d74c804696e91188e6a021e33ed07731c3 Mon Sep 17 00:00:00 2001 From: Subhransu De Date: Sat, 11 Jul 2026 11:21:00 +0530 Subject: [PATCH 6/7] Run dependency audits in parallel --- .github/workflows/workflow.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index ddff443..d33e324 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml @@ -86,6 +86,13 @@ jobs: dependency-audit: runs-on: ubuntu-latest needs: [hadolint] + strategy: + matrix: + include: + - project: application + audit-args: "" + - project: scenario-tests + audit-args: --package scenario-tests steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 @@ -94,10 +101,8 @@ jobs: with: version: "0.11.28" - - name: Audit locked Python dependencies - run: | - uv audit --locked - uv audit --locked --package scenario-tests + - name: Audit ${{ matrix.project }} dependencies + run: uv audit --locked ${{ matrix.audit-args }} dependency-review: if: github.event_name == 'pull_request' From 42c091fffec7e004fb087a82d27f65aa4ee39c92 Mon Sep 17 00:00:00 2001 From: Subhransu De Date: Sat, 11 Jul 2026 11:45:51 +0530 Subject: [PATCH 7/7] Run workspace audits from project directories --- .github/workflows/workflow.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index d33e324..a434d51 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml @@ -87,12 +87,13 @@ jobs: runs-on: ubuntu-latest needs: [hadolint] strategy: + fail-fast: false matrix: include: - project: application - audit-args: "" + working-directory: . - project: scenario-tests - audit-args: --package scenario-tests + working-directory: scenario-tests steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 @@ -102,7 +103,8 @@ jobs: version: "0.11.28" - name: Audit ${{ matrix.project }} dependencies - run: uv audit --locked ${{ matrix.audit-args }} + working-directory: ${{ matrix.working-directory }} + run: uv audit --locked dependency-review: if: github.event_name == 'pull_request'