intermediate commit
This commit is contained in:
@@ -40,6 +40,11 @@ The wrapper tags the toolbox image by a fingerprint of the Dockerfile and
|
||||
the existing local image instead of reinstalling all tools. The stable alias is
|
||||
`govoplan/security-audit:local` unless `SECURITY_AUDIT_IMAGE` is set.
|
||||
|
||||
Semgrep is installed separately in the toolbox image because current Semgrep
|
||||
packages pin Click to an affected `8.1.x` line. The image upgrades Click after
|
||||
Semgrep installation and fails during build if Semgrep no longer starts with the
|
||||
patched Click version.
|
||||
|
||||
Force a cached rebuild:
|
||||
|
||||
```bash
|
||||
@@ -65,6 +70,13 @@ tools/checks/security-audit/run.sh --mode quick --scope current --update --build
|
||||
- `ci`: quick plus Semgrep public registry rulesets, Trivy, pip-audit, npm audit.
|
||||
- `full`: ci plus OSV-Scanner, jscpd, Radon, and Xenon.
|
||||
|
||||
Bandit and Ruff security reports are split by source kind. Production code under
|
||||
`src/` is written to `bandit.json` and `ruff-security.json` and controls strict
|
||||
mode. Test code under `tests/` is still scanned for visibility, but its findings
|
||||
are written separately to `bandit-tests.json` and `ruff-security-tests.json` so
|
||||
fixture passwords, assertions, and temporary paths do not hide the production
|
||||
baseline.
|
||||
|
||||
## Gating
|
||||
|
||||
The initial Gitea workflow runs in report-only mode:
|
||||
@@ -115,6 +127,13 @@ Keep active implementation status in issues instead of committing generated
|
||||
audit reports. `audit-reports/` is ignored; quote the report directory and the
|
||||
important scanner counts in the tracker issue.
|
||||
|
||||
The jscpd step is intentionally scoped to application and test source. It
|
||||
excludes documentation snippets, package manifests, generated translations,
|
||||
public SVG assets, workflow YAML, and declarative backend schema JSON because
|
||||
those reports produce metadata or asset repetition rather than actionable source
|
||||
duplication. Keep exclusions narrow and create child issues for source-code
|
||||
clusters that cross module ownership or make behavior harder to change safely.
|
||||
|
||||
## Image Freshness
|
||||
|
||||
The regular `Security Audit` workflow reuses the fingerprinted toolbox image
|
||||
@@ -133,6 +152,8 @@ tools first:
|
||||
cd /mnt/DATA/git/govoplan
|
||||
python -m venv .venv
|
||||
./.venv/bin/python -m pip install -r requirements-audit.txt
|
||||
./.venv/bin/python -m pip install 'semgrep>=1.140,<2'
|
||||
./.venv/bin/python -m pip install --upgrade --no-deps 'click>=8.3.3'
|
||||
```
|
||||
|
||||
Then install the non-Python tools (`gitleaks`, `trivy`, `osv-scanner`, `jscpd`)
|
||||
|
||||
Reference in New Issue
Block a user