[Security audit] Split production and test scanner profiles to reduce false positives #5

Closed
opened 2026-07-13 20:09:50 +02:00 by zemion · 1 comment
Owner

The 2026-07-13 full security audit is useful, but Bandit/Ruff output is dominated by test-only findings.

Source report: /mnt/DATA/git/govoplan/audit-reports/govoplan-full-20260713-1949

Observed signal:

  • Bandit: 228 findings, 171 in tests.
  • Ruff security: 135 findings, 88 in tests.
  • Common test noise: assert, fixture passwords/tokens, /tmp paths.

Acceptance criteria:

  • Keep production security checks strict.
  • Run test paths with a separate profile or explicitly documented test-only ignores.
  • Do not globally suppress hardcoded-secret or assert checks for production code.
  • Preserve SARIF/JSON output so future audits remain comparable.
<!-- codex-security-audit-fingerprint:security-audit-20260713-scanner-profile-noise --> The 2026-07-13 full security audit is useful, but Bandit/Ruff output is dominated by test-only findings. Source report: `/mnt/DATA/git/govoplan/audit-reports/govoplan-full-20260713-1949` Observed signal: - Bandit: 228 findings, 171 in tests. - Ruff security: 135 findings, 88 in tests. - Common test noise: `assert`, fixture passwords/tokens, `/tmp` paths. Acceptance criteria: - Keep production security checks strict. - Run test paths with a separate profile or explicitly documented test-only ignores. - Do not globally suppress hardcoded-secret or assert checks for production code. - Preserve SARIF/JSON output so future audits remain comparable.
Author
Owner

Codex State: done

Summary

  • Split Bandit/Ruff security reports into production-gating src reports and separate non-gating test reports.
  • Kept production security checks strict while preserving test findings for visibility.

Changed Files

  • tools/checks/check-security-audit.sh
  • docs/SECURITY_AUDIT.md

Verification

  • bash -n tools/checks/check-security-audit.sh
  • git diff --check -- tools/checks/check-security-audit.sh docs/SECURITY_AUDIT.md tools/checks/security-audit/Dockerfile requirements-audit.txt
  • /mnt/DATA/git/govoplan/.venv/bin/python -m pip install --dry-run --ignore-installed -r requirements-audit.txt

Next / Blocked

  • Containerized audit run still needs to be executed from the host because docker is not available in this Codex environment.
## Codex State: done ### Summary - Split Bandit/Ruff security reports into production-gating src reports and separate non-gating test reports. - Kept production security checks strict while preserving test findings for visibility. ### Changed Files - `tools/checks/check-security-audit.sh` - `docs/SECURITY_AUDIT.md` ### Verification - `bash -n tools/checks/check-security-audit.sh` - `git diff --check -- tools/checks/check-security-audit.sh docs/SECURITY_AUDIT.md tools/checks/security-audit/Dockerfile requirements-audit.txt` - `/mnt/DATA/git/govoplan/.venv/bin/python -m pip install --dry-run --ignore-installed -r requirements-audit.txt` ### Next / Blocked - Containerized audit run still needs to be executed from the host because docker is not available in this Codex environment.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: add-ideas/govoplan#5
No description provided.