diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml new file mode 100644 index 0000000..48676ba --- /dev/null +++ b/.github/workflows/security.yml @@ -0,0 +1,53 @@ +name: Security Scanning + +on: + pull_request: + branches: [main, dev] + push: + branches: [main, dev] + schedule: + - cron: "0 0 * * 0" # Weekly on Sundays at midnight UTC + +jobs: + dependency-scan: + name: Dependency Vulnerability Scan + permissions: + contents: read + security-events: write + actions: read + uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.1 + with: + scan-args: |- + --lockfile=requirements.txt:./uv.lock + fail-on-vuln: false # Don't fail the build, just report findings + + code-scan: + name: Code Security Scan + runs-on: ubuntu-latest + + permissions: + contents: read + security-events: write # For uploading SARIF results + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Install uv + uses: astral-sh/setup-uv@v3 + + - name: Set up Python + run: uv python install 3.11 + + - name: Run Bandit security scan + run: | + uv tool install bandit[sarif] + uv tool run bandit -r src/ -f sarif -o bandit.sarif + continue-on-error: true # Don't fail the build, just report findings + + - name: Upload Bandit results to GitHub Security + uses: github/codeql-action/upload-sarif@v3 + if: always() # Upload even if scan found issues + with: + sarif_file: bandit.sarif + category: code-security diff --git a/README.md b/README.md index 463e372..987fae6 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,8 @@ A modern Python client library for accessing Geological Survey of Sweden (SGU) g [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) [![codecov](https://codecov.io/gh/officialankan/sgu-client/branch/main/graph/badge.svg)](https://codecov.io/gh/officialankan/sgu-client) [![Code style: ruff](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff) +[![security: bandit](https://img.shields.io/badge/security-bandit-yellow.svg)](https://github.com/PyCQA/bandit) +[![Security Scanning](https://github.com/officialankan/sgu-client/actions/workflows/security.yml/badge.svg)](https://github.com/officialankan/sgu-client/actions/workflows/security.yml) > This package is not affiliated with or endorsed by SGU. diff --git a/docs/source/conf.py b/docs/source/conf.py index 7939608..a9ceb2d 100644 --- a/docs/source/conf.py +++ b/docs/source/conf.py @@ -16,7 +16,7 @@ project = "sgu-client" copyright = f"{datetime.now().year}, Anders Retzner" author = "Anders Retzner" -release = "0.4.2" +release = "0.4.3" # -- General configuration --------------------------------------------------- # https://www.sphinx-doc.org/en/master/usage/configuration.html#general-configuration diff --git a/pyproject.toml b/pyproject.toml index 2e3809e..6c0141a 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "sgu-client" -version = "0.4.2" +version = "0.4.3" description = "A modern Python client library for accessing Geological Survey of Sweden groundwater data APIs with type safety and pandas integration" readme = "README.md" authors = [{ name = "Anders Retzner", email = "anders.retzner@gmail.com" }] diff --git a/src/sgu_client/__init__.py b/src/sgu_client/__init__.py index dc55a27..b10c7f6 100644 --- a/src/sgu_client/__init__.py +++ b/src/sgu_client/__init__.py @@ -10,7 +10,7 @@ ) from .sgu_client import SGUClient -__version__ = "0.4.2" +__version__ = "0.4.3" __all__ = [ "SGUAPIError", "SGUClient", diff --git a/uv.lock b/uv.lock index 08b754d..47f9cd9 100644 --- a/uv.lock +++ b/uv.lock @@ -715,7 +715,7 @@ wheels = [ [[package]] name = "sgu-client" -version = "0.4.2" +version = "0.4.3" source = { editable = "." } dependencies = [ { name = "pydantic" },