From 2619fff4d2b9066a0f305186be0fdf4dbd6dfdf5 Mon Sep 17 00:00:00 2001 From: james_teo Date: Wed, 3 Jun 2026 14:46:55 +0800 Subject: [PATCH 1/8] Add security ci --- .github/workflows/security.yml | 53 ++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 .github/workflows/security.yml diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml new file mode 100644 index 0000000..dae8aa2 --- /dev/null +++ b/.github/workflows/security.yml @@ -0,0 +1,53 @@ +name: Security + +on: + push: + branches: [main] + pull_request: + branches: [main] + +permissions: + contents: read + +jobs: + secret-detection: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + with: + fetch-depth: 0 + + - name: Gitleaks secret detection + uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + dependency-review: + runs-on: ubuntu-latest + if: github.event_name == 'pull_request' + permissions: + contents: read + pull-requests: write + steps: + - uses: actions/checkout@v6 + + - name: Dependency review + uses: actions/dependency-review-action@v4 + with: + fail-on-severity: high + + sast: + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - uses: actions/checkout@v6 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: python + + - name: Perform CodeQL analysis + uses: github/codeql-action/analyze@v3 From 25f4e2258c9aa5e6169ec233fbb3329eca2f5faa Mon Sep 17 00:00:00 2001 From: james_teo Date: Wed, 3 Jun 2026 14:50:21 +0800 Subject: [PATCH 2/8] Improve error handling in LogicalTypeOptionsCheckReference by replacing assertions with RuntimeError for better debugging --- src/vowl/contracts/check_reference_generated.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/vowl/contracts/check_reference_generated.py b/src/vowl/contracts/check_reference_generated.py index ef87e1d..7766b88 100644 
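Review bot: Every `uses:` in this new workflow is resolved through a mutable tag (`actions/checkout@v6`, `gitleaks/gitleaks-action@v2`, `actions/dependency-review-action@v4`, `github/codeql-action/init@v3` and `analyze@v3`), so a retagged or compromised upstream release would execute here with the job's token and, for the `sast` job, `security-events: write`. Pin each reference to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v6`, and let a dependency bot move the SHA deliberately. The same applies to the TruffleHog and Semgrep action references introduced in patches 3, 4 and 5 of this series; `trufflesecurity/trufflehog@main` in patch 5 tracks a branch head, which is the least stable form of all.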
--- a/src/vowl/contracts/check_reference_generated.py +++ b/src/vowl/contracts/check_reference_generated.py @@ -583,7 +583,8 @@ def count_where(*conditions: exp.Expression) -> exp.Expression: if pattern is None: # Fall through to JDK format pattern (validated in __init__) pattern = _jdk_format_to_regex(val) - assert pattern is not None # guaranteed by _validate_format + if pattern is None: + raise RuntimeError(f"_jdk_format_to_regex returned None for '{val}' — _validate_format should have rejected this") cast_col = exp.TryCast( this=col, to=exp.DataType.build("VARCHAR"), safe=True ) @@ -596,7 +597,8 @@ def count_where(*conditions: exp.Expression) -> exp.Expression: # date / timestamp / time — already validated in _validate_format pattern = _jdk_format_to_regex(val) - assert pattern is not None # guaranteed by _validate_format + if pattern is None: + raise RuntimeError(f"_jdk_format_to_regex returned None for '{val}' — _validate_format should have rejected this") cast_col = exp.TryCast( this=col, to=exp.DataType.build("VARCHAR"), safe=True ) From 108931587c29a2fb5e6a3a6d4fb8cd7a5fc9af53 Mon Sep 17 00:00:00 2001 From: james_teo Date: Wed, 3 Jun 2026 15:00:22 +0800 Subject: [PATCH 3/8] replace gitleaks with trufflehog instead as it doesnt require a license --- .github/workflows/security.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index dae8aa2..87daa03 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -17,10 +17,10 @@ jobs: with: fetch-depth: 0 - - name: Gitleaks secret detection - uses: gitleaks/gitleaks-action@v2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: TruffleHog secret detection + uses: trufflesecurity/trufflehog@v3 + with: + extra_args: --only-verified dependency-review: runs-on: ubuntu-latest From 8652bea7b8eaff71a137fdad5ad30bd3048db17a Mon Sep 17 00:00:00 2001 
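Review bot: The `if pattern is None: raise RuntimeError(...)` guard and its long message are now duplicated verbatim in this hunk and in the next one (`@@ -596,7`), so a future edit to one copy will silently diverge from the other. Move the invariant into a small helper and call it from both sites, which also keeps each call site to one line. The enclosing method starts and ends outside both hunks, and the `count_where` shown in the hunk header appears to be only the nearest column-0 definition, not the function being edited.
```python
def _regex_for_validated_format(val):
    """Regex for a JDK format string that _validate_format already accepted.

    Raises RuntimeError if _jdk_format_to_regex rejects it anyway, so a
    validator/converter mismatch surfaces at the conversion instead of later.
    """
    pattern = _jdk_format_to_regex(val)
    if pattern is None:
        raise RuntimeError(f"_jdk_format_to_regex returned None for '{val}' — _validate_format should have rejected this")
    return pattern

# … unchanged: both call sites become …
        pattern = _regex_for_validated_format(val)
```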
From: james_teo Date: Wed, 3 Jun 2026 15:06:19 +0800 Subject: [PATCH 4/8] Changed Sast to semgrep --- .github/workflows/security.yml | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 87daa03..d1e5234 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -22,32 +22,32 @@ jobs: with: extra_args: --only-verified - dependency-review: + sast: runs-on: ubuntu-latest - if: github.event_name == 'pull_request' permissions: contents: read - pull-requests: write + security-events: write steps: - uses: actions/checkout@v6 - - name: Dependency review - uses: actions/dependency-review-action@v4 + - name: Semgrep SAST + uses: semgrep/semgrep-action@v1 with: - fail-on-severity: high + config: >- + p/python + p/bandit + p/secrets - sast: + dependency-review: runs-on: ubuntu-latest + if: github.event_name == 'pull_request' permissions: contents: read - security-events: write + pull-requests: write steps: - uses: actions/checkout@v6 - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + - name: Dependency review + uses: actions/dependency-review-action@v4 with: - languages: python - - - name: Perform CodeQL analysis - uses: github/codeql-action/analyze@v3 + fail-on-severity: high From c1ffa4029ecd249b69d26b43b7945a61958ab37e Mon Sep 17 00:00:00 2001 From: james_teo Date: Wed, 3 Jun 2026 15:55:20 +0800 Subject: [PATCH 5/8] fix trufflehog action --- .github/workflows/security.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index d1e5234..6997c5b 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml 
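Review bot: This hunk swaps the positions of the `dependency-review` and `sast` jobs, so the diff reads as a rewrite of both jobs when only the SAST step changed from CodeQL to Semgrep. Keeping job order stable would reduce the hunk to the step replacement and make the later Semgrep changes in patches 6 and 7 easier to follow against this baseline. If the reorder is intentional (for example to group the scanners), a one-line comment above the first job stating the intended order would stop the next reviewer from reading it as noise.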
@@ -18,9 +18,9 @@ jobs: fetch-depth: 0 - name: TruffleHog secret detection - uses: trufflesecurity/trufflehog@v3 + uses: trufflesecurity/trufflehog@main with: - extra_args: --only-verified + extra_args: --results=verified,unknown sast: runs-on: ubuntu-latest From 303e970e2445ef393e449a4fc2e13685e03860e5 Mon Sep 17 00:00:00 2001 From: james_teo Date: Wed, 3 Jun 2026 16:05:17 +0800 Subject: [PATCH 6/8] update sast from deprecated semgrep action --- .github/workflows/security.yml | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 6997c5b..9f4efce 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -24,19 +24,13 @@ jobs: sast: runs-on: ubuntu-latest - permissions: - contents: read - security-events: write + container: + image: semgrep/semgrep steps: - uses: actions/checkout@v6 - name: Semgrep SAST - uses: semgrep/semgrep-action@v1 - with: - config: >- - p/python - p/bandit - p/secrets + run: semgrep scan --config p/python --config p/bandit --config p/secrets . dependency-review: runs-on: ubuntu-latest From aec2dc5d057148fbbe63e28403cf6abee070ae12 Mon Sep 17 00:00:00 2001 From: james_teo Date: Wed, 3 Jun 2026 16:11:00 +0800 Subject: [PATCH 7/8] add fail on semgrep findings --- .github/workflows/security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 9f4efce..a72d9e3 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -30,7 +30,7 @@ jobs: - uses: actions/checkout@v6 - name: Semgrep SAST - run: semgrep scan --config p/python --config p/bandit --config p/secrets . + run: semgrep scan --error --config p/python --config p/bandit --config p/secrets . dependency-review: runs-on: ubuntu-latest From 75c4c4972905070ebd5d11f34fbfcdfb531b9f77 Mon Sep 17 00:00:00 2001 
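Review bot: `--results=verified,unknown` adds the `unknown` result class, which as I read TruffleHog's flag covers findings whose verification attempt errored rather than candidates that were checked and failed; on a runner with flaky egress to the credential's provider this job then fails non-deterministically with no secret present. If the intent is that an unreachable provider must not hide a live secret, record that trade-off next to the flag, e.g. `# unknown = verification errored (network/rate limit); kept so an unreachable provider cannot mask a live secret`; otherwise `--results=verified` is the stable choice.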
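Review bot: `container: image: semgrep/semgrep` pulls whatever the image's default tag resolves to on each run, so the scanner that executes against the checkout changes silently under the job and a tampered image would run with the job's token. Pin it to a version tag plus digest, `image: semgrep/semgrep:<version>@sha256:<image-digest>`, and bump it deliberately as you would an action SHA. Dropping the job-level `permissions` block is fine here: the job now inherits the workflow's `contents: read` and no longer uploads to code scanning, so `security-events: write` was unused.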
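Review bot: `--error` turns every finding, including INFO-severity rules from `p/python`, into a failed job, and nothing but the log records what fired. State that policy where the command lives, e.g. `# --error: any finding, at any severity, fails the job`, or narrow the blocking set with `--severity WARNING --severity ERROR` if only actionable findings should block a merge. Note that `p/secrets` now overlaps the TruffleHog job, so a single leaked credential fails two jobs with two different messages; that may be acceptable, but it is worth a comment so nobody removes one scanner thinking the other is redundant.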
From: james_teo Date: Wed, 3 Jun 2026 16:13:34 +0800 Subject: [PATCH 8/8] Add slience semgrep on using subprocess --- src/vowl/contracts/models/generate_models.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/vowl/contracts/models/generate_models.py b/src/vowl/contracts/models/generate_models.py index 1fd271e..d963d8b 100644 --- a/src/vowl/contracts/models/generate_models.py +++ b/src/vowl/contracts/models/generate_models.py @@ -21,7 +21,7 @@ # Bandit B404: This is a trusted, repository-maintained developer utility script # that intentionally invokes a local codegen CLI; subprocess is required here. -import subprocess # nosec B404 +import subprocess # nosec B404 # nosemgrep: gitlab.bandit.B404 import sys from pathlib import Path
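Review bot: The suppression names a specific rule id, `gitlab.bandit.B404`, which is the right shape (a bare `# nosemgrep` would mute every rule on that line), but a `nosemgrep:` whose id does not match what the scan actually reports leaves the finding active while the line reads as reviewed; check the id against the finding printed in the `sast` job log for this import. The justification comment above the import explains why `subprocess` is needed; the property that matters for security is how it is invoked (an argv list with no `shell=True`), and that call site is outside this hunk, so a reviewer should look there rather than at the import.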