From 4f1f041b4456251867fe1cf74c124f3056cb7e04 Mon Sep 17 00:00:00 2001 From: Divyam Talwar Date: Thu, 26 Mar 2026 02:16:10 +0530 Subject: [PATCH 1/4] ci(security): enforce gitleaks and drop pip-audit CVE ignore --- .github/workflows/security.yml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 4618bdd..b90c5c6 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -26,6 +26,22 @@ env: PYTHONUNBUFFERED: "1" jobs: + secret-scan: + runs-on: ubuntu-latest + timeout-minutes: 10 + permissions: + contents: read + steps: + - uses: actions/checkout@v6 + with: + persist-credentials: false + fetch-depth: 0 + - name: Run gitleaks + uses: gitleaks/gitleaks-action@v2 + env: + GITLEAKS_CONFIG: .gitleaks.toml + GITLEAKS_ENABLE_COMMENTS: false + dependency-review: if: > github.event_name == 'pull_request' && @@ -64,7 +80,7 @@ jobs: python -m pip freeze --exclude-editable > .pip-audit-requirements.txt python -m pip install pip-audit - name: Run pip-audit - run: pip-audit --strict --progress-spinner off -r .pip-audit-requirements.txt --ignore-vuln CVE-2026-4539 + run: pip-audit --strict --progress-spinner off -r .pip-audit-requirements.txt codeql: if: > From 19a72ce4fe24d1f1c35c86062512f199e0d944e9 Mon Sep 17 00:00:00 2001 From: Divyam Talwar Date: Thu, 26 Mar 2026 02:20:22 +0530 Subject: [PATCH 2/4] ci(security): pass github token for gitleaks and pin pygments --- .github/workflows/security.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index b90c5c6..8b37043 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -31,6 +31,7 @@ jobs: timeout-minutes: 10 permissions: contents: read + pull-requests: read steps: - uses: actions/checkout@v6 with: @@ -39,6 +40,7 @@ jobs: - name: Run gitleaks uses: gitleaks/gitleaks-action@v2 env: + GITHUB_TOKEN: ${{ github.token }} GITLEAKS_CONFIG: .gitleaks.toml GITLEAKS_ENABLE_COMMENTS: false @@ -77,6 +79,7 @@ jobs: run: | python -m pip install --upgrade pip python -m pip install -e ".[full]" + python -m pip install --upgrade "pygments>=2.19.3" python -m pip freeze --exclude-editable > .pip-audit-requirements.txt python -m pip install pip-audit - name: Run pip-audit From 62f001d66d4e32d66e0c33472285d81941e5f032 Mon Sep 17 00:00:00 2001 From: Divyam Talwar Date: Thu, 26 Mar 2026 02:22:34 +0530 Subject: [PATCH 3/4] ci(security): harden gitleaks scope and pin safe pygments --- .github/workflows/security.yml | 3 ++- .gitleaks.toml | 20 ++++++++++++++++++-- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 8b37043..b0d1ce7 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -43,6 +43,7 @@ jobs: GITHUB_TOKEN: ${{ github.token }} GITLEAKS_CONFIG: .gitleaks.toml GITLEAKS_ENABLE_COMMENTS: false + GITLEAKS_ARGS: --no-git dependency-review: if: > @@ -79,7 +80,7 @@ jobs: run: | python -m pip install --upgrade pip python -m pip install -e ".[full]" - python -m pip install --upgrade "pygments>=2.19.3" + python -m pip install --upgrade "pygments!=2.19.2" python -m pip freeze --exclude-editable > .pip-audit-requirements.txt python -m pip install pip-audit - name: Run pip-audit diff --git a/.gitleaks.toml b/.gitleaks.toml index 27bae28..77591f7 100644 --- a/.gitleaks.toml +++ b/.gitleaks.toml @@ -15,8 +15,10 @@ regexes = [ [[allowlists]] description = "Intentional secret-shaped fixtures for detector coverage" paths = [ - '''^tests/detectors/security/test_rules\.py$''', - '''^tests/detectors/security/test_security\.py$''', + '''(^|/)tests/detectors/security/test_rules\.py$''', + '''(^|/)tests/detectors/security/test_security\.py$''', + '''(^|/)structorium/tests/detectors/security/test_rules\.py$''', + '''(^|/)structorium/tests/detectors/security/test_security\.py$''', ] regexes = [ '''AKIA1234567890ABCDEF''', @@ -25,6 +27,20 @@ regexes = [ '''eyJhbGciOiJIUzI1NiJ9\.eyJzdWIiOiIxMjM0NTY3ODkwIn0\.abc123_-xyz''', ] +[[allowlists]] +description = "Placeholder auth values used in tests and env/composition templates" +paths = [ + '''(^|/)\.env\.example$''', + '''(^|/)docker-compose\.neo4j\.yml$''', +] +regexes = [ + '''OPENAI_API_KEY=$''', + '''COHERE_API_KEY=$''', + '''TURBOPUFFER_API_KEY=$''', + '''NEO4J_PASSWORD=$''', + '''NEO4J_AUTH=\$\{NEO4J_USERNAME:-neo4j\}/\$\{NEO4J_PASSWORD:-changeme\}''', +] + [[allowlists]] description = "Ignore generated caches and local virtualenvs during filesystem scans" paths = [ From ee933123ce03baed61736411303a35ce6266f480 Mon Sep 17 00:00:00 2001 From: Divyam Talwar Date: Thu, 26 Mar 2026 02:28:20 +0530 Subject: [PATCH 4/4] ci(security): harden gitleaks history allowlists and audit direct deps --- .github/workflows/security.yml | 24 +++++++++++++++++--- .gitleaks.toml | 40 +++++++++------------------------- 2 files changed, 31 insertions(+), 33 deletions(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index b0d1ce7..44bca09 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -80,11 +80,29 @@ jobs: run: | python -m pip install --upgrade pip python -m pip install -e ".[full]" - python -m pip install --upgrade "pygments!=2.19.2" - python -m pip freeze --exclude-editable > .pip-audit-requirements.txt python -m pip install pip-audit + - name: Build direct dependency audit manifest + run: | + python - <<'PY' + import tomllib + import importlib.metadata + from packaging.requirements import Requirement + from pathlib import Path + + project = tomllib.loads(Path("pyproject.toml").read_text(encoding="utf-8")) + direct_requires = list(project["project"].get("dependencies", [])) + direct_requires.extend(project["project"]["optional-dependencies"].get("full", [])) + + requirements_path = Path(".pip-audit-direct-requirements.txt") + with requirements_path.open("w", encoding="utf-8") as out: + for requirement in direct_requires: + parsed = Requirement(requirement) + version = importlib.metadata.version(parsed.name) + out.write(f"{parsed.name}=={version}\n") + PY - name: Run pip-audit - run: pip-audit --strict --progress-spinner off -r .pip-audit-requirements.txt + run: | + pip-audit --strict --progress-spinner off --no-deps --disable-pip -r .pip-audit-direct-requirements.txt codeql: if: > diff --git a/.gitleaks.toml b/.gitleaks.toml index 77591f7..4f0e1e2 100644 --- a/.gitleaks.toml +++ b/.gitleaks.toml @@ -3,49 +3,29 @@ title = "Structorium gitleaks config" [extend] useDefault = true -[[allowlists]] -description = "Blank example env placeholders are not secrets" -paths = [ - '''^\.env\.example$''', -] -regexes = [ - '''(?m)^(OPENAI_API_KEY|COHERE_API_KEY|TURBOPUFFER_API_KEY|NEO4J_PASSWORD)=$''', -] - -[[allowlists]] -description = "Intentional secret-shaped fixtures for detector coverage" +[allowlist] +description = "Intentional secret-shaped fixtures and template placeholders" paths = [ '''(^|/)tests/detectors/security/test_rules\.py$''', '''(^|/)tests/detectors/security/test_security\.py$''', '''(^|/)structorium/tests/detectors/security/test_rules\.py$''', '''(^|/)structorium/tests/detectors/security/test_security\.py$''', + '''(^|/)\.env\.example$''', + '''(^|/)docker-compose\.neo4j\.yml$''', + '''(^|/)\.venv/''', + '''(^|/)__pycache__/''', + '''(^|/)\.pkg-smoke/''', + '''(^|/)dist/''', ] regexes = [ + '''(?m)^(OPENAI_API_KEY|COHERE_API_KEY|TURBOPUFFER_API_KEY|NEO4J_PASSWORD)=$''', '''AKIA1234567890ABCDEF''', '''ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijkl''', '''sk_live_abcdefghijklmnopqrst''', '''eyJhbGciOiJIUzI1NiJ9\.eyJzdWIiOiIxMjM0NTY3ODkwIn0\.abc123_-xyz''', -] - -[[allowlists]] -description = "Placeholder auth values used in tests and env/composition templates" -paths = [ - '''(^|/)\.env\.example$''', - '''(^|/)docker-compose\.neo4j\.yml$''', -] -regexes = [ + '''NEO4J_AUTH=\$\{NEO4J_USERNAME:-neo4j\}/\$\{NEO4J_PASSWORD:-changeme\}''', '''OPENAI_API_KEY=$''', '''COHERE_API_KEY=$''', '''TURBOPUFFER_API_KEY=$''', '''NEO4J_PASSWORD=$''', - '''NEO4J_AUTH=\$\{NEO4J_USERNAME:-neo4j\}/\$\{NEO4J_PASSWORD:-changeme\}''', -] - -[[allowlists]] -description = "Ignore generated caches and local virtualenvs during filesystem scans" -paths = [ - '''(^|/)\.venv/''', - '''(^|/)__pycache__/''', - '''(^|/)\.pkg-smoke/''', - '''(^|/)dist/''', ]