From 5d7c0587cf298821ae838e3c0f5837653697fe8c Mon Sep 17 00:00:00 2001 From: Anders Retzner Date: Tue, 13 Jan 2026 10:30:47 +0100 Subject: [PATCH 1/4] security: add security workflow with OSV scanning and bandit code check --- .github/workflows/security.yml | 69 ++++++++++++++++++++++++++++++++++ README.md | 2 + 2 files changed, 71 insertions(+) create mode 100644 .github/workflows/security.yml diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml new file mode 100644 index 0000000..0eb63b4 --- /dev/null +++ b/.github/workflows/security.yml @@ -0,0 +1,69 @@ +name: Security Scanning + +on: + pull_request: + branches: [ main, dev ] + push: + branches: [ main, dev ] + schedule: + - cron: '0 0 * * 0' # Weekly on Sundays at midnight UTC + +jobs: + dependency-scan: + name: Dependency Vulnerability Scan + runs-on: ubuntu-latest + + permissions: + contents: read + security-events: write # For uploading SARIF results + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run OSV Scanner + uses: google/osv-scanner/actions/scanner@v1 + with: + scan-args: |- + --lockfile=requirements.txt:./uv.lock + to-sarif: true + output: osv-results.sarif + continue-on-error: true # Don't fail the build, just report findings + + - name: Upload OSV Scanner results to GitHub Security + uses: github/codeql-action/upload-sarif@v3 + if: always() # Upload even if scan found vulnerabilities + with: + sarif_file: osv-results.sarif + category: dependencies + + code-scan: + name: Code Security Scan + runs-on: ubuntu-latest + + permissions: + contents: read + security-events: write # For uploading SARIF results + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Install uv + uses: astral-sh/setup-uv@v3 + + - name: Set up Python + run: uv python install 3.11 + + - name: Run Bandit security scan + run: | + uv tool install bandit[sarif] + uv tool run bandit -r src/ -f sarif -o bandit.sarif + continue-on-error: true # Don't fail the build, just report findings + + - name: Upload Bandit results to GitHub Security + uses: github/codeql-action/upload-sarif@v3 + if: always() # Upload even if scan found issues + with: + sarif_file: bandit.sarif + category: code-security diff --git a/README.md b/README.md index 463e372..987fae6 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,8 @@ A modern Python client library for accessing Geological Survey of Sweden (SGU) g [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) [![codecov](https://codecov.io/gh/officialankan/sgu-client/branch/main/graph/badge.svg)](https://codecov.io/gh/officialankan/sgu-client) [![Code style: ruff](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff) +[![security: bandit](https://img.shields.io/badge/security-bandit-yellow.svg)](https://github.com/PyCQA/bandit) +[![Security Scanning](https://github.com/officialankan/sgu-client/actions/workflows/security.yml/badge.svg)](https://github.com/officialankan/sgu-client/actions/workflows/security.yml) > This package is not affiliated with or endorsed by SGU. From 94b4ed5e33c794d9b6e58faffbe921551769cf35 Mon Sep 17 00:00:00 2001 From: Anders Retzner Date: Tue, 13 Jan 2026 10:38:13 +0100 Subject: [PATCH 2/4] fix: use OSV-Scanner reusable workflow for SARIF output --- .github/workflows/security.yml | 112 ++++++++++++++------------------- 1 file changed, 48 insertions(+), 64 deletions(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 0eb63b4..48676ba 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -1,69 +1,53 @@ name: Security Scanning on: - pull_request: - branches: [ main, dev ] - push: - branches: [ main, dev ] - schedule: - - cron: '0 0 * * 0' # Weekly on Sundays at midnight UTC + pull_request: + branches: [main, dev] + push: + branches: [main, dev] + schedule: + - cron: "0 0 * * 0" # Weekly on Sundays at midnight UTC jobs: - dependency-scan: - name: Dependency Vulnerability Scan - runs-on: ubuntu-latest - - permissions: - contents: read - security-events: write # For uploading SARIF results - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Run OSV Scanner - uses: google/osv-scanner/actions/scanner@v1 - with: - scan-args: |- - --lockfile=requirements.txt:./uv.lock - to-sarif: true - output: osv-results.sarif - continue-on-error: true # Don't fail the build, just report findings - - - name: Upload OSV Scanner results to GitHub Security - uses: github/codeql-action/upload-sarif@v3 - if: always() # Upload even if scan found vulnerabilities - with: - sarif_file: osv-results.sarif - category: dependencies - - code-scan: - name: Code Security Scan - runs-on: ubuntu-latest - - permissions: - contents: read - security-events: write # For uploading SARIF results - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Install uv - uses: astral-sh/setup-uv@v3 - - - name: Set up Python - run: uv python install 3.11 - - - name: Run Bandit security scan - run: | - uv tool install bandit[sarif] - uv tool run bandit -r src/ -f sarif -o bandit.sarif - continue-on-error: true # Don't fail the build, just report findings - - - name: Upload Bandit results to GitHub Security - uses: github/codeql-action/upload-sarif@v3 - if: always() # Upload even if scan found issues - with: - sarif_file: bandit.sarif - category: code-security + dependency-scan: + name: Dependency Vulnerability Scan + permissions: + contents: read + security-events: write + actions: read + uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.1 + with: + scan-args: |- + --lockfile=requirements.txt:./uv.lock + fail-on-vuln: false # Don't fail the build, just report findings + + code-scan: + name: Code Security Scan + runs-on: ubuntu-latest + + permissions: + contents: read + security-events: write # For uploading SARIF results + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Install uv + uses: astral-sh/setup-uv@v3 + + - name: Set up Python + run: uv python install 3.11 + + - name: Run Bandit security scan + run: | + uv tool install bandit[sarif] + uv tool run bandit -r src/ -f sarif -o bandit.sarif + continue-on-error: true # Don't fail the build, just report findings + + - name: Upload Bandit results to GitHub Security + uses: github/codeql-action/upload-sarif@v3 + if: always() # Upload even if scan found issues + with: + sarif_file: bandit.sarif + category: code-security From 416359569692b4eba5775091fbf75dc124ad1ec5 Mon Sep 17 00:00:00 2001 From: Anders Retzner Date: Tue, 13 Jan 2026 10:44:32 +0100 Subject: [PATCH 3/4] chore: bump version to 0.4.3 --- docs/source/conf.py | 2 +- pyproject.toml | 2 +- src/sgu_client/__init__.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/source/conf.py b/docs/source/conf.py index 7939608..a9ceb2d 100644 --- a/docs/source/conf.py +++ b/docs/source/conf.py @@ -16,7 +16,7 @@ project = "sgu-client" copyright = f"{datetime.now().year}, Anders Retzner" author = "Anders Retzner" -release = "0.4.2" +release = "0.4.3" # -- General configuration --------------------------------------------------- # https://www.sphinx-doc.org/en/master/usage/configuration.html#general-configuration diff --git a/pyproject.toml b/pyproject.toml index 2e3809e..6c0141a 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "sgu-client" -version = "0.4.2" +version = "0.4.3" description = "A modern Python client library for accessing Geological Survey of Sweden groundwater data APIs with type safety and pandas integration" readme = "README.md" authors = [{ name = "Anders Retzner", email = "anders.retzner@gmail.com" }] diff --git a/src/sgu_client/__init__.py b/src/sgu_client/__init__.py index dc55a27..b10c7f6 100644 --- a/src/sgu_client/__init__.py +++ b/src/sgu_client/__init__.py @@ -10,7 +10,7 @@ ) from .sgu_client import SGUClient -__version__ = "0.4.2" +__version__ = "0.4.3" __all__ = [ "SGUAPIError", "SGUClient", From b33f734d5fb8a43a63f4d1e8883b080ab2d90a14 Mon Sep 17 00:00:00 2001 From: Anders Retzner Date: Tue, 13 Jan 2026 10:48:30 +0100 Subject: [PATCH 4/4] chore: update uv.lock for 0.4.3 --- uv.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/uv.lock b/uv.lock index 08b754d..47f9cd9 100644 --- a/uv.lock +++ b/uv.lock @@ -715,7 +715,7 @@ wheels = [ [[package]] name = "sgu-client" -version = "0.4.2" +version = "0.4.3" source = { editable = "." } dependencies = [ { name = "pydantic" },