cardinalblue · github-actions · Dec 9, 2025 · Dec 10, 2025 · Dec 11, 2025 · Dec 11, 2025
diff --git a/.circleci/requirements.txt b/.circleci/requirements.txt
@@ -9,9 +9,10 @@ redisvl==0.4.1
 anthropic
 orjson==3.10.12 # fast /embedding responses
 pydantic==2.10.2
+typing-extensions>=4.14.1  # required by pydantic-core
 google-cloud-aiplatform==1.43.0
 google-cloud-iam==2.19.1
-fastapi-sso==0.16.0 
+fastapi-sso==0.19.0  # updated to fix GHSA-hp6r-r9vc-q8wx
 uvloop==0.21.0
 mcp==1.10.1    # for MCP server  
 semantic_router==0.1.10 # for auto-routing with litellm

diff --git a/.gitguardian.yaml b/.gitguardian.yaml
@@ -0,0 +1,112 @@
+version: 2
+
+secret:
+  ignored_paths:
+    - "**/*.whl"
+    - "**/*.pyc"
+    - "**/__pycache__/**"
+    - "**/node_modules/**"
+    - "**/dist/**"
+    - "**/build/**"
+    - "**/.git/**"
+    - "**/venv/**"
+    - "**/.venv/**"
+
+    # Large data/metadata files that don't need scanning
+    - "**/model_prices_and_context_window*.json"
+    - "**/*_metadata/*.txt"
+    - "**/tokenizers/*.json"
+    - "**/tokenizers/*"
+    - "miniconda.sh"
+
+    # Build outputs and static assets
+    - "litellm/proxy/_experimental/out/**"
+    - "ui/litellm-dashboard/public/**"
+    - "**/swagger/*.js"
+    - "**/*.woff"
+    - "**/*.woff2"
+    - "**/*.avif"
+    - "**/*.webp"
+
+    # Test files and fixtures
+    - "**/tests/**/*.py"
+    - "**/test_*.py"
+    - "**/*_test.py"
+    - "**/*.test.tsx"
+    - "**/*.test.ts"
+    - "**/*.spec.tsx"
+    - "**/*.spec.ts"
+    - "**/tests/**/data_map.txt"
+    - "tests/**/*.txt"
+
+    # Example and documentation files
+    - "cookbook/**/*.ipynb"
+    - "litellm/proxy/_super_secret_config.yaml"
+    - "docs/**"
+    - "**/*.md"
+    - "**/*.lock"
+    - "poetry.lock"
+    - "package-lock.json"
+
+  # Ignore false positives by SHA256 hash or pattern
+  ignored_matches:
+    # Specific false positives (SHA256-based)
+    - name: GCS pub/sub test folder name
+      match: 75f377c456eede69e5f6e47399ccee6016a2a93cc5dd11db09cc5b1359ae569a
+
+    - name: Environment variable reference APORIA_API_KEY_1
+      match: e2ddeb8b88eca97a402559a2be2117764e11c074d86159ef9ad2375dea188094
+
+    - name: Environment variable reference APORIA_API_KEY_2
+      match: 09aa39a29e050b86603aa55138af1ff08fb86a4582aa965c1bd0672e1575e052
+
+    - name: OIDC CircleCI test path
+      match: feb3475e1f89a65b7b7815ac4ec597e18a9ec1847742ad445c36ca617b536e15
+
+    - name: OpenAI model identifier
+      match: c489000cf6c7600cee0eefb80ad0965f82921cfb47ece880930eb7e7635cf1f1
+
+    - name: Test Base64 Basic Auth header
+      match: 61bac0491f395040617df7ef6d06029eac4d92a4457ac784978db80d97be1ae0
+
+    - name: Test PostgreSQL password
+      match: 6e0d657eb1f0fbc40cf0b8f3c3873ef627cc9cb7c4108d1c07d979c04bc8a4bb
+
+    - name: Test Bearer token in load test
+      match: 2a0abc2b0c3c1760a51ffcdf8d6b1d384cef69af740504b1cfa82dd70cdc7ff9
+
+    - name: Inkeep API key in documentation
+      match: c366657791bfb5fc69045ec11d49452f09a0aebbc8648f94e2469b4025e29a75
+
+    - name: Langfuse test credentials
+      match: c39310f68cc3d3e22f7b298bb6353c4f45759adcc37080d8b7f4e535d3cfd7f4
+
+    - name: Test password in e2e fixtures
+      match: ce32b547202e209ec1dd50107b64be4cfcf2eb15c3b4f8e9dc611ef747af634f
+
+    # Test API key patterns
+    - name: Test API keys with sk-test prefix
+      match: sk-test-
+
+    - name: Mock API keys with sk-mock prefix
+      match: sk-mock-
+
+    - name: Fake API keys with sk-fake prefix
+      match: sk-fake-
+
+    - name: Generic test API key pattern
+      match: test-api-key
+
+    # Common test fixtures
+    - name: Test API key fixture 88dc28d0f03
+      match: 88dc28d0f030c55ed4ab77ed8faf098196cb1c05df778539800c9f1243fe6b4b
+
+    - name: Test API key fixture 40b7608ea43
+      match: 40b7608ea43423400d5b82bb5ee11042bfb2ed4655f05b5992b5abbc2f294931
+
+    - name: SHA256 empty string (test fixture)
+      match: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+
+    - name: Test JWT token pattern
+      match: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
+
diff --git a/ci_cd/security_scans.sh b/ci_cd/security_scans.sh
@@ -26,6 +26,56 @@ install_grype() {
     echo "Grype installed successfully"
 }
 
+# Function to install ggshield
+install_ggshield() {
+    echo "Installing ggshield..."
+    pip3 install --upgrade pip
+    pip3 install ggshield
+    echo "ggshield installed successfully"
+}
+
+# Function to run secret detection scans
+run_secret_detection() {
+    echo "Running secret detection scans..."
+
+    if ! command -v ggshield &> /dev/null; then
+        install_ggshield
+    fi
+
+    # Check if GITGUARDIAN_API_KEY is set (required for CI/CD)
+    if [ -z "$GITGUARDIAN_API_KEY" ]; then
+        echo "Warning: GITGUARDIAN_API_KEY environment variable is not set."
+        echo "ggshield requires a GitGuardian API key to scan for secrets."
+        echo "Please set GITGUARDIAN_API_KEY in your CI/CD environment variables."
+        exit 1
+    fi
+
+    echo "Scanning codebase for secrets..."
+    echo "Note: Large codebases may take several minutes due to API rate limits (50 requests/minute on free plan)"
+    echo "ggshield will automatically handle rate limits and retry as needed."
+    echo "Binary files, cache files, and build artifacts are excluded via .gitguardian.yaml"
+
+    # Use --recursive for directory scanning and auto-confirm if prompted
+    # .gitguardian.yaml will automatically exclude binary files, wheel files, etc.
+    # GITGUARDIAN_API_KEY environment variable will be used for authentication
+    echo y | ggshield secret scan path . --recursive || {
+        echo ""
+        echo "=========================================="
+        echo "ERROR: Secret Detection Failed"
+        echo "=========================================="
+        echo "ggshield has detected secrets in the codebase."
+        echo "Please review discovered secrets above, revoke any actively used secrets"
+        echo "from underlying systems and make changes to inject secrets dynamically at runtime."
+        echo ""
+        echo "For more information, see: https://docs.gitguardian.com/secrets-detection/"
+        echo "=========================================="
+        echo ""
+        exit 1
+    }
+
+    echo "Secret detection scans completed successfully"
+}
+
 # Function to run Trivy scans
 run_trivy_scans() {
     echo "Running Trivy scans..."
@@ -78,6 +128,7 @@ run_grype_scans() {
         "GHSA-5j98-mcp5-4vw2"
         "CVE-2025-13836" # Python 3.13 HTTP response reading OOM/DoS - no fix available in base image
         "CVE-2025-12084" # Python 3.13 xml.dom.minidom quadratic algorithm - no fix available in base image
+        "CVE-2025-60876" # BusyBox wget HTTP request splitting - no fix available in Chainguard Wolfi base image
     )
 
     # Build JSON array of allowlisted CVE IDs for jq
@@ -157,6 +208,10 @@ main() {
     echo "Installing security scanning tools..."
     install_trivy
     install_grype
+    install_ggshield
+
+    echo "Running secret detection scans..."
+    run_secret_detection
 
     echo "Running filesystem vulnerability scans..."
     run_trivy_scans

diff --git a/deploy/migrations/20260106081922_initial/README.md b/deploy/migrations/20260106081922_initial/README.md
@@ -0,0 +1 @@
+Initial migration generated at Tue Jan  6 08:19:28 UTC 2026
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Initial migration generated at Tue Jan 6 08:19:28 UTC 2026