ci(security): add Python SAST via Ruff bandit rules and CodeQL scanning#5738
Open
leseb wants to merge 4 commits intoogx-ai:mainfrom
Open
ci(security): add Python SAST via Ruff bandit rules and CodeQL scanning#5738leseb wants to merge 4 commits intoogx-ai:mainfrom
leseb wants to merge 4 commits intoogx-ai:mainfrom
Conversation
Enable the flake8-bandit rule set ("S") in Ruff to catch security issues
such as hardcoded passwords, SQL injection, unsafe subprocess calls, and
insecure cryptographic usage at lint time.
S101 (assert) is globally ignored since assert is used extensively as an
internal invariant pattern throughout the codebase. Per-file-ignores
suppress known false positives: env var template defaults in provider
configs (S105/S106/S107), legitimate subprocess usage in CLI tools
(S603/S607), and table-name interpolation in storage layers already
covered by the custom SQL injection pre-commit hook (S608).
Test files get broad security rule suppression since test fixtures
legitimately use hardcoded credentials, temp files, and assertions.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Sébastien Han <seb@redhat.com>
Extend the CodeQL workflow to scan Python source code alongside GitHub Actions. Python is added to the language matrix and the paths trigger is expanded to include src/ so the workflow runs on Python changes. The security-extended query suite was already configured and will now apply to Python as well, covering SQL injection, path traversal, command injection, and other OWASP categories. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Sébastien Han <seb@redhat.com>
…ripts Extend the Ruff security rule suppressions to cover benchmarking mock servers (S104, S110, S311), client SDK templates (S110, S112, S113), and codegen scripts (S110, S112, S603, S607) which legitimately use patterns flagged by bandit rules. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Sébastien Han <seb@redhat.com>
leseb
requested review from
bbrowning,
cdoern,
franciscojavierarceo,
mattf and
raghotham
as code owners
Signed-off-by: Sébastien Han <seb@redhat.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
S(flake8-bandit) security rule set for Python SAST, catching issues like hardcoded passwords, unsafe subprocess calls, and SQL injection patterns at lint timesrc/per-file-ignoresto suppress known false positives (test fixtures, CLI subprocess calls, SQL table name interpolation guarded by existing hooks)Test plan
uv run ruff checkpasses with the new rules enabledCo-Authored-By: Claude Opus 4.6 (1M context) noreply@anthropic.com