-
Notifications
You must be signed in to change notification settings - Fork 0
build: hash-pin dependencies + SBOM + blocking pip-audit (closes #3) #9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -25,11 +25,11 @@ jobs: | |
| with: | ||
| python-version: "3.12" | ||
| cache: pip | ||
| cache-dependency-path: aegis/requirements.txt | ||
| - name: Install deps | ||
| cache-dependency-path: aegis/requirements.lock | ||
| - name: Install deps (hash-pinned) | ||
| run: | | ||
| python -m pip install --upgrade pip | ||
| pip install -r requirements.txt | ||
| pip install --require-hashes -r requirements.lock | ||
| - name: Run test suite | ||
| run: python -m pytest -q | ||
|
|
||
|
|
@@ -48,20 +48,37 @@ jobs: | |
| run: bandit -c pyproject.toml -r aegis --severity-level medium --confidence-level medium | ||
|
|
||
| deps: | ||
| name: Dependency audit (pip-audit) — informational | ||
| name: Dependency audit (pip-audit) — blocking | ||
| runs-on: ubuntu-latest | ||
| # Informational until requirements are hash-pinned + triaged (see NEXT_STEPS.md | ||
| # P0.3). Flip to blocking once the dependency tree is locked. | ||
| continue-on-error: true | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 | ||
| with: | ||
| python-version: "3.12" | ||
| - name: Install pip-audit | ||
| run: pip install pip-audit==2.10.0 | ||
| - name: Audit dependencies | ||
| run: pip-audit -r requirements.txt --desc | ||
| # Blocks on any known CVE in the hash-pinned tree. Triage by bumping the pin | ||
| # in requirements.txt and regenerating requirements.lock (see NEXT_STEPS.md P0.3). | ||
| - name: Audit locked dependencies | ||
| run: pip-audit -r requirements.lock --strict --desc | ||
|
|
||
| sbom: | ||
| name: SBOM (CycloneDX) | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 | ||
| with: | ||
| python-version: "3.12" | ||
| - name: Generate CycloneDX SBOM from the lockfile | ||
| run: | | ||
| pip install cyclonedx-bom==7.3.0 | ||
| cyclonedx-py requirements requirements.lock -o argus-sbom.cdx.json | ||
| - name: Upload SBOM artifact | ||
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | ||
| with: | ||
| name: argus-sbom | ||
| path: aegis/argus-sbom.cdx.json | ||
|
Comment on lines
+77
to
+81
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. issue (bug_risk): SBOM output path and uploaded artifact path appear to be mismatched. The SBOM is written as |
||
|
|
||
| secrets: | ||
| name: Secret scan (detect-secrets) — informational | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
issue (bug_risk): Lockfile path usage is inconsistent between cache configuration and install command.
cache-dependency-pathreferencesaegis/requirements.lock, while the install and SBOM steps userequirements.lockwithout theaegis/prefix. If the file is underaegis/, those commands will fail; if it’s at the repo root, the cache path is incorrect. Please pick a single location for the lockfile and update all references to match.