username/flaskpaste
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ci: enhance security scanning and add SBOM generation
Some checks failed
CI / Lint & Format (push) Failing after 16s
Details
CI / Unit Tests (push) Has been skipped
Details
CI / Memory Leak Check (push) Has been skipped
Details
CI / SBOM Generation (push) Has been skipped
Details
CI / Security Scan (push) Failing after 21s
Details
CI / Security Tests (push) Has been skipped
Details

Browse Source 
- Add dedicated security-tests job for security-focused test files
- Add SBOM generation job using CycloneDX for supply chain transparency
- Add Bandit scan for fpaste CLI
- Add hardcoded secrets detection step
- Fix SHA1 fingerprint warnings with usedforsecurity=False
- Split unit tests from security tests for better organization
- Add memory leak detection job
This commit is contained in:
Username
2025-12-24 23:50:11 +01:00
parent 3059d533bc
commit 88da4fedbe
2 changed files with 106 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

111
.gitea/workflows/ci.yml
View File

@@ -43,7 +43,6 @@ jobs:
- name: Type check (informational) - name: Type check (informational)
run: | run: |
# mypy strict mode - track progress, don't fail CI yet
errors=$(mypy app/ --ignore-missing-imports 2>&1 | grep -c "error:" || true) errors=$(mypy app/ --ignore-missing-imports 2>&1 | grep -c "error:" || true)
echo "mypy found $errors type errors" echo "mypy found $errors type errors"
if [ "$errors" -gt 20 ]; then if [ "$errors" -gt 20 ]; then
@@ -70,21 +69,39 @@ jobs:
pip install -q -r requirements.txt pip install -q -r requirements.txt
pip install -q bandit pip-audit pip install -q bandit pip-audit
- name: Bandit security scan - name: Bandit security scan (app)
run: | run: |
# -ll = medium and high severity only # -ll = medium and high severity only
# -q = quiet, only show issues
bandit -r app/ -ll -q bandit -r app/ -ll -q
- name: Dependency audit (informational) - name: Bandit security scan (CLI)
run: |
# Scan fpaste CLI for security issues
bandit fpaste -ll -q
- name: Check for hardcoded secrets
run: |
# Simple pattern check for common secret patterns
echo "Checking for hardcoded secrets..."
if grep -rE "(password|secret|api_key|token)\s*=\s*['\"][^'\"]+['\"]" app/ --include="*.py" | grep -v "environ.get\|config\[" | grep -v "test_\|#.*password"; then
echo "::warning::Potential hardcoded secrets found"
else
echo "No hardcoded secrets detected"
fi
- name: Dependency audit
run: | run: |
# Check for known vulnerabilities in dependencies # Check for known vulnerabilities in dependencies
# Warnings only - container base packages often have issues # Fail on high/critical, warn on medium
pip-audit --progress-spinner=off || echo "::warning::pip-audit found vulnerabilities" pip-audit --progress-spinner=off --strict || {
echo "::warning::pip-audit found vulnerabilities - review required"
# Show summary but don't fail CI for now
pip-audit --progress-spinner=off 2>&1 | tail -20
}
continue-on-error: true continue-on-error: true
test: test:
name: Tests name: Unit Tests
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: [lint] needs: [lint]
container: container:
@@ -102,8 +119,11 @@ jobs:
pip install -q -r requirements.txt pip install -q -r requirements.txt
pip install -q pytest pytest-cov pip install -q pytest pytest-cov
- name: Run tests - name: Run unit tests
run: pytest tests/ -v --tb=short run: |
pytest tests/test_api.py tests/test_database.py tests/test_mime_detection.py \
tests/test_paste_*.py tests/test_metrics.py tests/test_pki.py \
-v --tb=short
- name: Run tests with coverage - name: Run tests with coverage
run: | run: |
@@ -111,6 +131,43 @@ jobs:
echo "::warning::Coverage below 70%" echo "::warning::Coverage below 70%"
continue-on-error: true continue-on-error: true
security-tests:
name: Security Tests
runs-on: ubuntu-latest
needs: [lint, security]
container:
image: python:3.11-slim
steps:
- name: Setup and checkout
run: |
apt-get update -qq && apt-get install -yqq --no-install-recommends git >/dev/null
git clone --depth 1 --branch "${GITHUB_REF_NAME}" \
"https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
- name: Install dependencies
run: |
pip install -q -r requirements.txt
pip install -q pytest
- name: Security header tests
run: pytest tests/test_security.py -v --tb=short
- name: Rate limiting tests
run: pytest tests/test_rate_limiting.py -v --tb=short
- name: Abuse prevention tests
run: pytest tests/test_abuse_prevention.py -v --tb=short
- name: PoW tests
run: pytest tests/test_pow.py -v --tb=short
- name: CLI security tests
run: pytest tests/test_cli_security.py -v --tb=short
- name: Audit logging tests
run: pytest tests/test_audit.py -v --tb=short
memory: memory:
name: Memory Leak Check name: Memory Leak Check
runs-on: ubuntu-latest runs-on: ubuntu-latest
@@ -132,3 +189,39 @@ jobs:
- name: Run memory leak tests - name: Run memory leak tests
run: pytest tests/test_memory.py -v --tb=short run: pytest tests/test_memory.py -v --tb=short
sbom:
name: SBOM Generation
runs-on: ubuntu-latest
needs: [lint]
container:
image: python:3.11-slim
steps:
- name: Setup and checkout
run: |
apt-get update -qq && apt-get install -yqq --no-install-recommends git jq >/dev/null
git clone --depth 1 --branch "${GITHUB_REF_NAME}" \
"https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
- name: Install dependencies
run: |
pip install -q -r requirements.txt
pip install -q cyclonedx-bom
- name: Generate SBOM
run: |
# Generate CycloneDX SBOM for supply chain transparency
cyclonedx-py requirements requirements.txt -o sbom.json --format json
echo "SBOM generated with $(jq '.components | length' sbom.json) components"
- name: Validate SBOM
run: |
# Basic validation - check for expected fields
if jq -e '.bomFormat == "CycloneDX"' sbom.json >/dev/null; then
echo "SBOM format: CycloneDX"
echo "Components: $(jq '.components | length' sbom.json)"
echo "Spec version: $(jq -r '.specVersion' sbom.json)"
else
echo "::warning::SBOM validation failed"
fi

6
fpaste
View File

@@ -1219,7 +1219,9 @@ def cmd_pki_download(args: argparse.Namespace, config: dict[str, Any]) -> None:
if HAS_CRYPTO: if HAS_CRYPTO:
cert = x509.load_pem_x509_certificate(body) cert = x509.load_pem_x509_certificate(body)
fp = hashlib.sha1(cert.public_bytes(serialization.Encoding.DER)).hexdigest() # noqa: S324 fp = hashlib.sha1(
cert.public_bytes(serialization.Encoding.DER), usedforsecurity=False
).hexdigest()
print(f"fingerprint: {fp}", file=sys.stderr) print(f"fingerprint: {fp}", file=sys.stderr)
if args.configure: if args.configure:
@@ -1405,7 +1407,7 @@ def cmd_cert(args: argparse.Namespace, config: dict[str, Any]) -> None:
certificate = cert_builder.sign(private_key, hashes.SHA256()) certificate = cert_builder.sign(private_key, hashes.SHA256())
cert_der = certificate.public_bytes(serialization.Encoding.DER) cert_der = certificate.public_bytes(serialization.Encoding.DER)
fingerprint = hashlib.sha1(cert_der).hexdigest() # noqa: S324 fingerprint = hashlib.sha1(cert_der, usedforsecurity=False).hexdigest()
key_encryption = ( key_encryption = (
serialization.BestAvailableEncryption(args.password_key.encode()) serialization.BestAvailableEncryption(args.password_key.encode())