feat(security): add Bandit SAST to CI/CD pipeline #264

Merged: mvillmow merged 2 commits into main from 157-auto-impl on Jun 29, 2026
@mvillmow mvillmow commented Jun 3, 2026

Summary

Add Static Application Security Testing (Bandit) as a required CI check, pre-commit hook, and local development task. Closes the gap where secrets (gitleaks) and dependency (pip-audit) scanning existed but no AST-level analyzer scanned Python source for injection, deserialization, and code-level vulnerabilities.

Tool choice — Bandit (PyCQA standard, AST-based, medium+ severity threshold):

  • Catches exploitable vulnerabilities: shell injection, eval, pickle, hardcoded secrets
  • Suppresses low-severity informational noise
  • Integrates with pixi like ruff/mypy/yamllint (existing pattern)
  • Known working in sister repos (prior-learnings knowledge base)

Test plan

  • Local bandit scan passes: pixi run python -m bandit -ll --ini .bandit -r src/telemachy
  • Pre-commit hook wired and tested: pixi run pre-commit run bandit --all-files
  • Added to 'just check' local CI gate (runs after mypy)
  • All existing tests pass: pixi run pytest (48 passed)
  • Ruff lint passes: pixi run ruff check src tests
  • GitHub Actions all SHA-pinned (26/26) — fixed pre-existing upload-artifact@v7 inconsistency
  • Suppressed B108 (hardcoded /tmp) in models.py with inline rationale

Follow-up actions

Branch protection required checks — manually update via admin command to include security/sast-scan.
GitHub issue will be opened to track this (prevents "silently forgotten" pattern).

Rollback path (if day-1 false positives cannot be inline-suppressed):
Revert only the security-sast-scan job block from .github/workflows/_required.yml and re-merge,
leaving .bandit/pixi/pre-commit in place for opt-in local use. Reference this PR in that issue.

Closes #157

🤖 Generated with Claude Code
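
The test plan above reports every GitHub Actions reference as SHA-pinned (26/26) after fixing an `upload-artifact@v7` reference. One way to check that property mechanically is sketched below; this is an added example, not code from this PR or repository, and the sample workflow, placeholder SHA, `example-org` action and function names are all constructed for illustration.

```python
import re

# Constructed sample workflow (not the repository's real _required.yml).
# The 40-hex value is a placeholder, not a real commit SHA.
SAMPLE_WORKFLOW = """\
jobs:
  security-sast-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - name: Upload report
        uses: actions/upload-artifact@v7
      - uses: ./.github/actions/setup-pixi
      - uses: docker://alpine:3.20
      # - uses: actions/cache@v4   (commented out, ignored)
      - uses: "example-org/example-action/sub@main"
"""

USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def audit_pins(workflow_text):
    """Return (pinned, unpinned) lists of (line_no, reference) for remote actions."""
    pinned, unpinned = [], []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out steps do not run
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        # Local actions and docker images are not git refs; out of scope here.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        # Tags and branches are mutable; only a full 40-hex commit SHA counts.
        bucket = pinned if FULL_SHA_RE.fullmatch(version) else unpinned
        bucket.append((line_no, ref))
    return pinned, unpinned


def summary(workflow_text):
    pinned, unpinned = audit_pins(workflow_text)
    return f"{len(pinned)}/{len(pinned) + len(unpinned)} SHA-pinned"


if __name__ == "__main__":
    print(summary(SAMPLE_WORKFLOW))
    for line_no, ref in audit_pins(SAMPLE_WORKFLOW)[1]:
        print(f"line {line_no}: not pinned to a full commit SHA: {ref}")
```

The check is line-based rather than a YAML parse, so it assumes each `uses:` key and its value sit on one line.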

@mvillmow mvillmow left a comment

LGTM — Bandit SAST added as required CI job + pixi/justfile/pre-commit/.bandit; clean B108 inline-suppressed, upload-artifact SHA-pinned, pass_filenames:false correct.

mvillmow and others added 2 commits June 29, 2026 00:59
Add Static Application Security Testing via Bandit (medium+ severity) as a required CI check, pre-commit hook, and local development task. This closes the gap where secrets (gitleaks) and dependency (pip-audit) scanning existed but no AST-level analyzer scanned Python source for injection, deserialization, and code-level vulnerabilities.

**Changes:**
- Create .bandit INI config (repo root) with targets=src/telemachy, recursive=true
- Add bandit>=1.7.5 to pixi.toml dev dependencies
- Add 'pixi run python -m bandit' task to pixi.toml and justfile
- Wire bandit into 'just check' local CI gate after mypy
- Add bandit pre-commit hook (language: system, pass_filenames: false)
- Add security-sast-scan CI job to .github/workflows/_required.yml as required check
- Suppress B108 (hardcoded /tmp) in models.py with rationale (ephemeral agent dir)
- Fix pre-existing upload-artifact@v7 inconsistent pinning -> v5.0.0 SHA
- Update CLAUDE.md with bandit guidance and new common commands

**Verification:**
- pixi run python -m bandit passes locally (1 nosec suppression for valid case)
- All GitHub Actions now fully SHA-pinned (26/26)
- Pre-commit hook executes and passes on all files
- Existing tests all pass (48 passed)
- Scopes equivalent: .pre-commit-config.yaml and CI job cover identical Python files

**Follow-up:**
Branch protection required checks will need manual update to include security/sast-scan.
If day-1 false positives cannot be inline-suppressed, rollback procedure: revert
security-sast-scan job from _required.yml, keep .bandit/pixi/pre-commit for opt-in use.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>
GHSA-4xgf-cpjx-pc3j)

Signed-off-by: Micah Villmow <4211002+mvillmow@users.noreply.github.com>
Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>
@mvillmow mvillmow merged commit f907814 into main Jun 29, 2026
13 of 14 checks passed
@mvillmow mvillmow deleted the 157-auto-impl branch June 29, 2026 08:05
Development

Successfully merging this pull request may close these issues.

[MAJOR] §8: No SAST integration — no code-level security analysis tool in CI