More security fixes

Author: azvoleff

.bandit

@@ -0,0 +1,18 @@
+# Bandit configuration file
+[bandit]
+skips = []
+exclude_dirs = [
+    "security-venv",
+    ".git", 
+    "__pycache__",
+    "*.pyc",
+    ".pytest_cache"
+]
+
+[bandit.severity_levels]
+low = ["B201", "B301", "B302", "B303", "B304", "B305", "B306", "B307", "B308", "B309", "B310", "B311", "B312", "B313", "B314", "B315", "B316", "B317", "B318", "B319", "B320", "B321", "B322", "B323", "B324", "B325", "B601", "B602", "B603", "B604", "B605", "B606", "B607", "B608", "B609", "B610", "B611", "B701", "B702", "B703"]
+medium = ["B101", "B102", "B103", "B104", "B105", "B106", "B107", "B108", "B110", "B112", "B113", "B201", "B501", "B502", "B503", "B504", "B505", "B506", "B507", "B601", "B602", "B603", "B604", "B605", "B606", "B607", "B608", "B609", "B610", "B611"]
+high = ["B102", "B103", "B108", "B110", "B112", "B201", "B301", "B302", "B303", "B304", "B305", "B306", "B307", "B308", "B309", "B310", "B311", "B312", "B313", "B314", "B315", "B316", "B317", "B318", "B319", "B320", "B321", "B322", "B323", "B324", "B325", "B501", "B502", "B503", "B504", "B505", "B506", "B507", "B601", "B602", "B603", "B604", "B605", "B606", "B607", "B608", "B609", "B610", "B611", "B701", "B702", "B703"]
+
+[bandit.plugins]
+include = ["B101", "B102", "B103", "B104", "B105", "B106", "B107", "B108", "B110", "B112", "B113", "B201", "B301", "B302", "B303", "B304", "B305", "B306", "B307", "B308", "B309", "B310", "B311", "B312", "B313", "B314", "B315", "B316", "B317", "B318", "B319", "B320", "B321", "B322", "B323", "B324", "B325", "B501", "B502", "B503", "B504", "B505", "B506", "B507", "B601", "B602", "B603", "B604", "B605", "B606", "B607", "B608", "B609", "B610", "B611", "B701", "B702", "B703"]

.github/dependabot.yml

@@ -0,0 +1,76 @@
+version: 2
+updates:
+  # Python dependencies
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 5
+    reviewers:
+      - "azvoleff"
+    assignees:
+      - "azvoleff"
+    commit-message:
+      prefix: "security"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "security"
+    allow:
+      - dependency-type: "all"
+    # Group patch updates together
+    groups:
+      security-patches:
+        patterns:
+          - "*"
+        update-types:
+          - "patch"
+      minor-updates:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+    # Automatically merge security patches
+    auto-merge:
+      dependency-type: "all"
+      update-type: "security"
+
+  # GitHub Actions dependencies
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 3
+    reviewers:
+      - "azvoleff"
+    assignees:
+      - "azvoleff"
+    commit-message:
+      prefix: "ci"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "github-actions"
+
+  # Docker dependencies (if Dockerfile is present)
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 3
+    reviewers:
+      - "azvoleff"
+    assignees:
+      - "azvoleff"
+    commit-message:
+      prefix: "docker"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "docker"

.github/workflows/code-quality.yml

@@ -55,19 +55,46 @@ jobs:
       with:
         python-version: "3.11"
 
-    - name: Install bandit
+    - name: Install security tools
       run: |
         python -m pip install --upgrade pip
-        pip install bandit[toml]
+        pip install bandit[toml] safety
 
     - name: Run bandit security check
       run: |
         bandit -r gefcore/ -f json -o bandit-report.json || true
         bandit -r gefcore/
 
-    - name: Upload bandit report
+    - name: Run dependency vulnerability scan
+      run: |
+        safety scan -r requirements.txt --json --output vulnerability-report.json || true
+        safety scan -r requirements.txt
+
+    - name: Upload security reports
       uses: actions/upload-artifact@v3
       if: always()
       with:
-        name: bandit-security-report
-        path: bandit-report.json
+        name: security-reports
+        path: |
+          bandit-report.json
+          vulnerability-report.json
+
+  dependency-check:
+    runs-on: ubuntu-latest
+    
+    steps:
+    - uses: actions/checkout@v4
+    
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: 'fs'
+        scan-ref: '.'
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+        
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v2
+      if: always()
+      with:
+        sarif_file: 'trivy-results.sarif'

.github/workflows/security.yml

@@ -0,0 +1,100 @@
+name: Security Scan
+
+on:
+  schedule:
+    # Run daily at 2 AM UTC
+    - cron: '0 2 * * *'
+  push:
+    branches: [ main, master, develop ]
+  pull_request:
+    branches: [ main, master, develop ]
+  workflow_dispatch: # Allow manual triggering
+
+jobs:
+  vulnerability-scan:
+    runs-on: ubuntu-latest
+    
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: "3.11"
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install -r requirements.txt
+        pip install safety bandit[toml]
+
+    - name: Run Safety dependency vulnerability scan
+      run: |
+        safety scan -r requirements.txt --json --output safety-report.json || true
+        safety scan -r requirements.txt --short-report
+
+    - name: Run Bandit code security scan
+      run: |
+        bandit -r gefcore/ -f json -o bandit-report.json || true
+        bandit -r gefcore/ --severity-level medium
+
+    - name: Run Trivy filesystem scan
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: 'fs'
+        scan-ref: '.'
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+        severity: 'CRITICAL,HIGH,MEDIUM'
+
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v2
+      if: always()
+      with:
+        sarif_file: 'trivy-results.sarif'
+
+    - name: Upload security scan artifacts
+      uses: actions/upload-artifact@v3
+      if: always()
+      with:
+        name: security-scan-reports
+        path: |
+          safety-report.json
+          bandit-report.json
+          trivy-results.sarif
+        retention-days: 30
+
+    - name: Create security summary
+      if: always()
+      run: |
+        echo "## Security Scan Summary" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        
+        echo "### Safety (Dependency Vulnerabilities)" >> $GITHUB_STEP_SUMMARY
+        if [ -f safety-report.json ]; then
+          echo "✅ Safety scan completed - check artifacts for details" >> $GITHUB_STEP_SUMMARY
+        else
+          echo "❌ Safety scan failed" >> $GITHUB_STEP_SUMMARY
+        fi
+        echo "" >> $GITHUB_STEP_SUMMARY
+        
+        echo "### Bandit (Code Security)" >> $GITHUB_STEP_SUMMARY
+        if [ -f bandit-report.json ]; then
+          echo "✅ Bandit scan completed - check artifacts for details" >> $GITHUB_STEP_SUMMARY
+        else
+          echo "❌ Bandit scan failed" >> $GITHUB_STEP_SUMMARY
+        fi
+        echo "" >> $GITHUB_STEP_SUMMARY
+        
+        echo "### Trivy (Container/Filesystem Security)" >> $GITHUB_STEP_SUMMARY
+        if [ -f trivy-results.sarif ]; then
+          echo "✅ Trivy scan completed - results uploaded to Security tab" >> $GITHUB_STEP_SUMMARY
+        else
+          echo "❌ Trivy scan failed" >> $GITHUB_STEP_SUMMARY
+        fi

.gitignore

@@ -23,6 +23,7 @@ var/
 *.egg-info/
 .installed.cfg
 *.egg
+security-venv
 
 # PyInstaller
 #  Usually these files are written by a python script from a template

README.md

@@ -1,15 +1,45 @@
-# GEF Environment
+# trends.earth Environment
 
-This project belongs to the GEF Project.
+This project belongs to the trends.earth project by Conservation International.
 
-This repo implements the Core Platform of the GEF Environment.
+This repository implements the Core Platform of the trends.earth Environment for running Google Earth Engine scripts.
 
-Check out the other parts of the GEF project:
+Check out the other parts of the trends.earth project:
 
-- The API [GEF API](https://github.com/Vizzuality/GEF-API)
-- The Command Line Interface. It allows to create and test custom scripts locally. It also can be used to publish the scripts to the GEF Environment [GEF CLI](https://github.com/Vizzuality/GEF-CLI)
-- A web app to explore and manage the API entities [GEF UI](https://github.com/Vizzuality/GEF-UI)
+- The API [trends.earth API](https://github.com/ConservationInternational/trends.earth-API)
 
-## Getting started
+## Security
 
-In progress...
+### Security Tools
+
+Use the dependency manager script for security checks:
+
+```bash
+# Check for vulnerabilities
+python scripts/dependency_manager.py --check-vulns
+
+# Check for outdated packages
+python scripts/dependency_manager.py --check-outdated
+
+# Run comprehensive security audit
+python scripts/dependency_manager.py --audit
+
+# Run all security checks
+python scripts/dependency_manager.py --all
+```
+
+### Manual Security Scanning
+
+```bash
+# Install security tools
+pip install safety bandit[toml]
+
+# Check dependencies for vulnerabilities
+safety scan -r requirements.txt
+
+# Scan code for security issues
+bandit -r gefcore/
+
+# Container security scan (requires Docker)
+docker run --rm -v $(pwd):/workspace aquasec/trivy fs /workspace
+```