Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 26 additions & 9 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,11 +25,11 @@ jobs:
with:
python-version: "3.12"
cache: pip
cache-dependency-path: aegis/requirements.txt
- name: Install deps
cache-dependency-path: aegis/requirements.lock
- name: Install deps (hash-pinned)
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
pip install --require-hashes -r requirements.lock
Comment on lines +28 to +32

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

issue (bug_risk): Lockfile path usage is inconsistent between cache configuration and install command.

cache-dependency-path references aegis/requirements.lock, while the install and SBOM steps use requirements.lock without the aegis/ prefix. If the file is under aegis/, those commands will fail; if it’s at the repo root, the cache path is incorrect. Please pick a single location for the lockfile and update all references to match.

- name: Run test suite
run: python -m pytest -q

Expand All @@ -48,20 +48,37 @@ jobs:
run: bandit -c pyproject.toml -r aegis --severity-level medium --confidence-level medium

deps:
name: Dependency audit (pip-audit) — informational
name: Dependency audit (pip-audit) — blocking
runs-on: ubuntu-latest
# Informational until requirements are hash-pinned + triaged (see NEXT_STEPS.md
# P0.3). Flip to blocking once the dependency tree is locked.
continue-on-error: true
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: "3.12"
- name: Install pip-audit
run: pip install pip-audit==2.10.0
- name: Audit dependencies
run: pip-audit -r requirements.txt --desc
# Blocks on any known CVE in the hash-pinned tree. Triage by bumping the pin
# in requirements.txt and regenerating requirements.lock (see NEXT_STEPS.md P0.3).
- name: Audit locked dependencies
run: pip-audit -r requirements.lock --strict --desc

sbom:
name: SBOM (CycloneDX)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: "3.12"
- name: Generate CycloneDX SBOM from the lockfile
run: |
pip install cyclonedx-bom==7.3.0
cyclonedx-py requirements requirements.lock -o argus-sbom.cdx.json
- name: Upload SBOM artifact
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: argus-sbom
path: aegis/argus-sbom.cdx.json
Comment on lines +77 to +81

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

issue (bug_risk): SBOM output path and uploaded artifact path appear to be mismatched.

The SBOM is written as argus-sbom.cdx.json in the current directory, but the upload step looks for aegis/argus-sbom.cdx.json. Unless the job changes directories, the upload will fail due to a missing file. Please align the output and upload paths (either write to aegis/argus-sbom.cdx.json or adjust the upload path).


secrets:
name: Secret scan (detect-secrets) — informational
Expand Down
12 changes: 7 additions & 5 deletions aegis/docs/NEXT_STEPS.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,11 +33,13 @@ least-privilege `permissions: contents: read`; no long-lived secrets.
> *Best practice:* OpenSSF post-`tj-actions`/`reviewdog` guide — mutable tags were the root
> cause of those 2025 supply-chain compromises. — OpenSSF Maintainers' Guide (2025).

### 🔭 3. Pin dependencies + generate an SBOM
`requirements.txt` still uses `>=` ranges. Move to a hash-pinned lockfile
(`pip-compile --generate-hashes` or `uv lock`), emit a Syft SBOM as a CI artifact, then flip
the `pip-audit` job from informational to **blocking**. For a security tool, reproducible
builds are table stakes.
### ✅ 3. Pin dependencies + generate an SBOM
`requirements.txt` remains the human-edited input; `requirements.lock`
(`pip-compile --generate-hashes`) is the fully hash-pinned tree CI installs with
`pip install --require-hashes`. CI now emits a **CycloneDX SBOM** (`argus-sbom.cdx.json`)
as an artifact, and the `pip-audit` job is **blocking** against the locked tree (currently
0 known CVEs). Regenerate the lock after editing `requirements.txt` with
`pip-compile --generate-hashes -o requirements.lock requirements.txt`.

---

Expand Down
Loading
Loading