Skip to content

Add CI security scan pipeline (code, dependency, secret)#13

Merged
chaksaray merged 3 commits into
developfrom
ci-security-scans
Jul 11, 2026
Merged

Add CI security scan pipeline (code, dependency, secret)#13
chaksaray merged 3 commits into
developfrom
ci-security-scans

Conversation

@chaksaray

Copy link
Copy Markdown
Member

Summary

Every merge previously had zero automated security scanning -- no CI ran on PRs
at all (the only workflows were release-triggered publish and a push-to-main/
schedule-only Scorecard run). This adds a pipeline that runs on every PR and
push to develop/main:

  • code-scan: CodeQL Python analysis, results land in the repo's Code
    Scanning alerts tab.
  • dependency-scan: actions/dependency-review-action (fails PRs introducing
    high-severity vulnerable or license-incompatible dependencies) plus
    pip-audit against the actual installed dependency tree. PR-only, since
    dependency-review compares base vs head. Upgrades pip/setuptools first --
    verified locally that a stock venv's bundled setuptools 59.6.0 carries three
    CVEs of its own; without the upgrade this would fail every run on bootstrap
    tooling, not this project's real dependencies.
  • secret-scan: Gitleaks, full history fetch, on both push and PR.

Also enabled at the repo level (not part of this diff, a settings change):
secret scanning, secret scanning push protection, and Dependabot security
updates. All three were disabled, including secret scanning, which is
normally free and on by default for public repos.

Not done here: making these required checks

The "Protect develop" ruleset has no required_status_checks rule, so right
now these scans run and report but do not block a merge on failure. Adding that
needs a separate ruleset update once these jobs have run at least once (GitHub
requires a status check to have reported before it can be selected as
required).

Test plan

  • pytest -- 327 passed
  • pre-commit run --all-files -- clean
  • pip-audit run locally in a clean venv against the actual .[dev,ops]
    install -- clean after the pip/setuptools upgrade step

Runs on every PR and push to develop/main:

- code-scan: CodeQL Python analysis, results in the repo's code scanning
  alerts.
- dependency-scan: actions/dependency-review-action (fails PRs that
  introduce high-severity vulnerable or license-incompatible deps) plus
  pip-audit against the actual installed dependency tree, PR-only since
  dependency-review compares base vs head. Upgrades pip/setuptools
  before auditing -- verified locally that a stock venv's bundled
  setuptools 59.6.0 carries three CVEs of its own, which would fail
  every run on bootstrap tooling rather than this project's real
  dependencies.
- secret-scan: Gitleaks, full history fetch, push and PR.

Also enabled at the repo level (not a file change, so not in this diff):
secret scanning, secret scanning push protection, and Dependabot
security updates -- all were "disabled", including secret scanning,
which is normally free and on by default for public repos.

None of these are required status checks yet -- the "Protect develop"
ruleset has no required_status_checks rule, so right now these run and
report but do not block a merge. That needs a separate ruleset update.
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Both new jobs failed immediately on PR #13's first run:

- gitleaks/gitleaks-action requires a paid GITLEAKS_LICENSE for
  org-owned repos (bawbel is an org; the free tier is personal-account
  only). Switched to calling the gitleaks CLI directly -- the tool
  itself is fully open source (Apache-2.0), only the GitHub Action
  wrapper has the org-licensing gate. Version pinned (8.30.1) for
  reproducible runs rather than resolved at run time.

- dependency-review-action needs the repo's Dependency graph feature
  enabled; it wasn't. Enabled via the vulnerability-alerts API (repo
  setting, not a file change).

Running gitleaks against this repo's actual history (locally, before
wiring it back in) found 6 "leaks" -- all in tests/test_m2_policy.py,
which deliberately contains fake JWT/GitLab-PAT strings as fixtures for
policy/manifest.py's own secret-scan detector, not real credentials.
Added .gitleaks.toml with a path-scoped allowlist for that one file
rather than disabling the check; verified locally it suppresses exactly
those six and nothing else ("no leaks found").
Splits ci.yml into three separate workflow files (code-scan.yml,
dependency-scan.yml, secret-scan.yml) -- GitHub's native workflow
badges are per-workflow-file, not per-job, so a combined workflow
can't produce three distinct badges. Same jobs, same triggers, just
separated so each has its own README badge.

README additions:
- Badges for the three new security scans, pointing at develop (where
  they actually run continuously; main doesn't have them yet).
- The gate.yaml sample from DESIGN.md 3.1, since the Quickstart section
  referenced --config gate.yaml several times without ever showing
  what one looks like. Verified against the real config loader
  (bawbel_gate.mux.config.load_config), not just pasted in --
  it parses cleanly.

CHANGELOG.md: Keep a Changelog format, single [Unreleased] section.
No version has been tagged yet, so there's nothing to backdate against;
the M0-M7 build stays in README's milestone table rather than being
itemized here. Covers everything since that baseline: the multiplexer
fix, hub fixes, console dashboard, governance docs, PyPI packaging, and
this CI security pipeline.
@chaksaray
chaksaray merged commit 592d2e7 into develop Jul 11, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants