From 010b3336c1dd494c030123f6acb57f4bb77dd44d Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Mon, 12 Jan 2026 23:09:31 +0000 Subject: [PATCH 01/65] added gitleaks action for testing --- .github/workflows/gitleaks.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 .github/workflows/gitleaks.yml diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml new file mode 100644 index 0000000..e30fbb3 --- /dev/null +++ b/.github/workflows/gitleaks.yml @@ -0,0 +1,18 @@ +name: gitleaks +on: + pull_request: + push: + workflow_dispatch: + schedule: + - cron: "0 4 * * *" # run once a day at 4 AM +jobs: + scan: + name: gitleaks + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From 17fadebb1551bed1ae2c3e7604dae96e2d6029ac Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Mon, 12 Jan 2026 23:10:50 +0000 Subject: [PATCH 02/65] added GL license arg --- .github/workflows/gitleaks.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index e30fbb3..f4a1cdc 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml @@ -15,4 +15,5 @@ jobs: fetch-depth: 0 - uses: gitleaks/gitleaks-action@v2 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} \ No newline at end of file From b550864ef6b07f8eb9c08c50e2c3d145edd9dd6b Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Mon, 12 Jan 2026 23:22:03 +0000 Subject: [PATCH 03/65] added minimal ruff step --- .github/workflows/ruff.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 .github/workflows/ruff.yml 
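Review bot: Every third-party action in this new workflow is referenced by a mutable tag (`actions/checkout@v4`, `gitleaks/gitleaks-action@v2`), so the code that runs with `GITHUB_TOKEN` and the `GITLEAKS_LICENSE` secret can change underneath the repository without any commit here; for a workflow whose job is to police secrets, pin each `uses:` to a full commit SHA and keep the tag in a trailing comment, e.g. `- uses: gitleaks/gitleaks-action@<commit-sha> # v2` (placeholder). The same applies to the later workflows in this series: `actions/setup-python@v5` in ruff.yml, `PyCQA/bandit-action@v1` in bandit.yml, `aquasecurity/trivy-action@0.33.1` and `aws-actions/configure-aws-credentials@v5.1.1` in vuln-scanner.yml, and `jlumbroso/free-disk-space@main` in scan-image.yml, which tracks a branch rather than even a tag. The file is also created without a trailing newline (`\ No newline at end of file`), which the following hunks keep rewriting; ending it with one newline stops that churn.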
diff --git a/.github/workflows/ruff.yml b/.github/workflows/ruff.yml new file mode 100644 index 0000000..dac6bac --- /dev/null +++ b/.github/workflows/ruff.yml @@ -0,0 +1,16 @@ +name: ruff +on: + push: + pull_request: + workflow_dispatch: + +jobs: + ruff: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 + with: + python-version: "3.11" + - run: pip install ruff + - run: ruff check . \ No newline at end of file From cdfd0936854dab6c443b1bab29d13dbee540b53f Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Mon, 12 Jan 2026 23:36:54 +0000 Subject: [PATCH 04/65] added bandit step --- .github/workflows/bandit.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 .github/workflows/bandit.yml diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml new file mode 100644 index 0000000..9629173 --- /dev/null +++ b/.github/workflows/bandit.yml @@ -0,0 +1,17 @@ +name: Bandit + +on: + workflow_dispatch: + +jobs: + analyze: + runs-on: ubuntu-latest + permissions: + # Required for all workflows + security-events: write + # Only required for workflows in private repositories + actions: read + contents: read + steps: + - name: Perform Bandit Analysis + uses: PyCQA/bandit-action@v1 \ No newline at end of file From 5201922a7524d73abced614d10e22d68c75a0e39 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Mon, 12 Jan 2026 23:41:40 +0000 Subject: [PATCH 05/65] yml fmt --- .github/workflows/bandit.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index 9629173..d40b8dd 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml @@ -1,7 +1,8 @@ name: Bandit - on: workflow_dispatch: + push: + pull_request: jobs: analyze: From fa87c8dc5fddaab4a0aac30760752f9df1b6714a Mon Sep 17 00:00:00 2001 
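Review bot: `- run: pip install ruff` installs whatever ruff version is current on the day the job runs, so a lint that passes on one PR can fail on the next after a ruff release adds rules, and the workflow has no `permissions:` block, so it runs with the repository's default token permissions although it only needs to read the checkout. Pin the version and reduce the token: `permissions:` / `  contents: read` at workflow level, and `- run: pip install "ruff==<pinned version>"` (placeholder). `python-version: "3.11"` is correctly quoted.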
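Review bot: There is no `actions/checkout` step before `PyCQA/bandit-action@v1`, unlike gitleaks.yml and ruff.yml in this series; I can't confirm from here whether bandit-action checks the repository out itself, so verify that the job scans a populated workspace rather than an empty one. The two permission comments (`# Required for all workflows`, `# Only required for workflows in private repositories`) read as copied from a template and say nothing about why Bandit needs `security-events: write`; a comment such as `# security-events: write lets the action upload its SARIF to code scanning` (once the action's README confirms that is what it does) would make the grant reviewable.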
From: Xavier Gonzalez Date: Tue, 13 Jan 2026 21:07:32 +0000 Subject: [PATCH 06/65] added fake secret to test gitleaks --- docker/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docker/README.md b/docker/README.md index e6cfc2f..3a7f9d1 100644 --- a/docker/README.md +++ b/docker/README.md @@ -26,3 +26,5 @@ to move packages listed in `Dockerfile` into `requirements.txt`. At the end of compiling solve any incompatibility output from `pip check` by adding the version in `constraints-odc.txt`. + +test_token_secret = 'dfasdfq5q3245q3tqgasdg' \ No newline at end of file From dc30e2592d3f159e4a7bd62904ee7473dcaa9410 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Tue, 13 Jan 2026 21:09:51 +0000 Subject: [PATCH 07/65] added fake secret to test gitleaks --- docker/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/README.md b/docker/README.md index 3a7f9d1..5999eea 100644 --- a/docker/README.md +++ b/docker/README.md @@ -27,4 +27,4 @@ to move packages listed in `Dockerfile` into `requirements.txt`. At the end of compiling solve any incompatibility output from `pip check` by adding the version in `constraints-odc.txt`. -test_token_secret = 'dfasdfq5q3245q3tqgasdg' \ No newline at end of file +discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ' \ No newline at end of file From ff166501b5da584bd5cac71eea6d6a1f6b2ee86a Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Tue, 13 Jan 2026 21:13:36 +0000 Subject: [PATCH 08/65] introduced more issues for testing --- docker/README.md | 4 +--- nci_environment/build_environment_module.py | 1 + 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/docker/README.md b/docker/README.md index 5999eea..f1229bd 100644 --- a/docker/README.md +++ b/docker/README.md 
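Review bot: The test credential lines (`test_token_secret = '...'` here, `discord_client_secret = '...'` in the next patch) become permanent history once pushed, and the gitleaks job in this same series is later switched to full-history scanning, so every such run will keep flagging these commits even after the lines are removed again (patch 08 for the README, patch 18 for the Python module). If this branch is going to be merged as-is, keep detector fixtures in a dedicated test file where the finding can be acknowledged with gitleaks' `# gitleaks:allow` inline marker or a fingerprint in `.gitleaksignore`, or squash the test commits out before merge so the values never reach the default branch. The same point applies to the later hunks that move these strings into `nci_environment/build_environment_module.py` (patches 08, 09, 11 and 15), where the unused local added inside `pre_check` is also something ruff's default rules will report.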
@@ -25,6 +25,4 @@ When time comes to make a bigger change or update some binary packages, remember to move packages listed in `Dockerfile` into `requirements.txt`. At the end of compiling solve any incompatibility output from `pip check` by adding the version -in `constraints-odc.txt`. - -discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ' \ No newline at end of file +in `constraints-odc.txt`. \ No newline at end of file diff --git a/nci_environment/build_environment_module.py b/nci_environment/build_environment_module.py index 98750fe..19c7481 100755 --- a/nci_environment/build_environment_module.py +++ b/nci_environment/build_environment_module.py @@ -44,6 +44,7 @@ import yaml +discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ' MODULE_DIR = "/g/data/v10/public/modules" LOG_NAME = "build_dea_module.log" From f6890348a8f74d5367462117e277e9d387fb2132 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Tue, 13 Jan 2026 21:16:40 +0000 Subject: [PATCH 09/65] testing ruff --- nci_environment/build_environment_module.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nci_environment/build_environment_module.py b/nci_environment/build_environment_module.py index 19c7481..7923a10 100755 --- a/nci_environment/build_environment_module.py +++ b/nci_environment/build_environment_module.py @@ -44,7 +44,7 @@ import yaml -discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ' + MODULE_DIR = "/g/data/v10/public/modules" LOG_NAME = "build_dea_module.log" @@ -68,6 +68,7 @@ def pre_check(config): :param config: Configuration parameters :return: None """ + discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ' LOG.info("Performing pre-check before installing module") if "PYTHONPATH" in os.environ: raise Exception( From e49b75f0fbf1b35a86e2305a012b86305097ec69 Mon Sep 17 00:00:00 2001 
From: Xavier Gonzalez Date: Tue, 13 Jan 2026 21:22:24 +0000 Subject: [PATCH 10/65] ruff output format --- .github/workflows/ruff.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ruff.yml b/.github/workflows/ruff.yml index dac6bac..7b7efc7 100644 --- a/.github/workflows/ruff.yml +++ b/.github/workflows/ruff.yml @@ -13,4 +13,4 @@ jobs: with: python-version: "3.11" - run: pip install ruff - - run: ruff check . \ No newline at end of file + - run: ruff check --output-format=github . \ No newline at end of file From 1fed60ebcd9e277d75ae14a1dca176fdb770aeb0 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Tue, 13 Jan 2026 21:31:07 +0000 Subject: [PATCH 11/65] added fake aws token --- nci_environment/build_environment_module.py | 1 + 1 file changed, 1 insertion(+) diff --git a/nci_environment/build_environment_module.py b/nci_environment/build_environment_module.py index 7923a10..f4cbfc0 100755 --- a/nci_environment/build_environment_module.py +++ b/nci_environment/build_environment_module.py @@ -90,6 +90,7 @@ def prep(config_path): :param config_path: Configuration Path :return: None """ + fake_aws_secret = 'AKIAI234567890123456' LOG.info("Preparing environment variables") # Write files as group and world readable os.umask(0o22) From 619e4087304c72cf6c60af68ff8ed9f229656826 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Tue, 13 Jan 2026 21:57:57 +0000 Subject: [PATCH 12/65] switched gitleaks to full scan mode. Will continue to flag detected secrets --- .github/workflows/gitleaks.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index f4a1cdc..802da17 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml 
@@ -16,4 +16,5 @@ jobs: - uses: gitleaks/gitleaks-action@v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} \ No newline at end of file + GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} + GITLEAKS_SCAN_MODE: full \ No newline at end of file From 7be947a7fac76eb9d2e28646394fc711e1b542e5 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Tue, 13 Jan 2026 22:05:40 +0000 Subject: [PATCH 13/65] troubleshooting gitleaks issue --- .github/workflows/gitleaks.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index 802da17..f88647e 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml @@ -17,4 +17,5 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} - GITLEAKS_SCAN_MODE: full \ No newline at end of file + GITLEAKS_SCAN_MODE: full + GITLEAKS_ARGS: "--verbose" \ No newline at end of file From e1afe20f0523fdf1c3714b8282cae5ab3a9bda37 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Tue, 13 Jan 2026 22:08:50 +0000 Subject: [PATCH 14/65] added permissions to gitleaks step --- .github/workflows/gitleaks.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index f88647e..c13ea7e 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml @@ -9,6 +9,10 @@ jobs: scan: name: gitleaks runs-on: ubuntu-latest + permissions: + security-events: write + actions: read + contents: read steps: - uses: actions/checkout@v4 with: From 4eb79c830711eb19a69cf260d74bd94187a34922 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Tue, 13 Jan 2026 22:16:04 +0000 Subject: [PATCH 15/65] testing gitleaks with proper permissions --- .github/workflows/gitleaks.yml | 5 +---- nci_environment/build_environment_module.py | 2 +- 2 files changed, 2 insertions(+), 5 deletions(-) 
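Review bot: I could not match `GITLEAKS_SCAN_MODE` (this hunk) or `GITLEAKS_ARGS` (the next one) to the environment variables gitleaks-action v2 documents, and a variable the action never reads has no effect, so the run may be behaving exactly as before rather than in a full-scan or verbose mode; confirm against the action's README before drawing conclusions from the troubleshooting runs. As I understand the action, scan scope is already decided by the event: `push` and `pull_request` runs scan only the commits in that event, while `schedule` and `workflow_dispatch` runs scan the whole history, which is what the `fetch-depth: 0` checkout exists for.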
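Review bot: The new job-level block grants `security-events: write`, but no step in this workflow uploads SARIF to code scanning and I can't see gitleaks-action doing so either; unless the action's README confirms it, that scope is wider than the job needs. `contents: read` covers the checkout, and if the action's pull-request comments are meant to work with the default token, `pull-requests: write` is the scope to check for rather than `security-events`.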
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index c13ea7e..6adf86c 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml @@ -3,8 +3,6 @@ on: pull_request: push: workflow_dispatch: - schedule: - - cron: "0 4 * * *" # run once a day at 4 AM jobs: scan: name: gitleaks @@ -21,5 +19,4 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} - GITLEAKS_SCAN_MODE: full - GITLEAKS_ARGS: "--verbose" \ No newline at end of file + GITLEAKS_NOTIFY_USER_LIST: "@GA-XavierGonzalez" \ No newline at end of file diff --git a/nci_environment/build_environment_module.py b/nci_environment/build_environment_module.py index f4cbfc0..b677f44 100755 --- a/nci_environment/build_environment_module.py +++ b/nci_environment/build_environment_module.py @@ -68,7 +68,6 @@ def pre_check(config): :param config: Configuration parameters :return: None """ - discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ' LOG.info("Performing pre-check before installing module") if "PYTHONPATH" in os.environ: raise Exception( @@ -90,6 +89,7 @@ def prep(config_path): :param config_path: Configuration Path :return: None """ + discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ' fake_aws_secret = 'AKIAI234567890123456' LOG.info("Preparing environment variables") # Write files as group and world readable From b663f90bb05e6475c1fc3c30c0b9001fa42ecc4a Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Tue, 13 Jan 2026 22:18:57 +0000 Subject: [PATCH 16/65] yml fmt --- .github/workflows/gitleaks.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index 6adf86c..7c7133e 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml 
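Review bot: Dropping `schedule:` removes the only run that does not depend on someone opening a PR or dispatching the workflow, so secrets that already sit in history, or that newly added detection rules start matching, stay unreported until somebody remembers to run it by hand; if the daily run was removed only to cut noise while testing, restore `schedule:` / `  - cron: "0 4 * * *"` before merge. `GITLEAKS_NOTIFY_USER_LIST: "@GA-XavierGonzalez"` also ties the alert to one person; a team handle or a repository variable survives staffing changes (the patch after next removes it altogether).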
@@ -8,9 +8,9 @@ jobs: name: gitleaks runs-on: ubuntu-latest permissions: - security-events: write - actions: read - contents: read + security-events: write + actions: read + contents: read steps: - uses: actions/checkout@v4 with: From 4b33d2b9b5691f41603896a984941717d7d46395 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Wed, 14 Jan 2026 06:57:48 +0000 Subject: [PATCH 17/65] added workflow dispatch to trivy, modified gitleaks --- .github/workflows/gitleaks.yml | 3 +-- .github/workflows/vuln-scanner.yml | 4 +++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index 7c7133e..0524edd 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml @@ -18,5 +18,4 @@ jobs: - uses: gitleaks/gitleaks-action@v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} - GITLEAKS_NOTIFY_USER_LIST: "@GA-XavierGonzalez" \ No newline at end of file + GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} \ No newline at end of file diff --git a/.github/workflows/vuln-scanner.yml b/.github/workflows/vuln-scanner.yml index 12bb205..13fd033 100644 --- a/.github/workflows/vuln-scanner.yml +++ b/.github/workflows/vuln-scanner.yml @@ -3,6 +3,7 @@ name: Vulnerability Scan on: schedule: - cron: 07 7 * * * + workflow_dispatch: jobs: vuln-scan: @@ -21,4 +22,5 @@ jobs: - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: 'trivy-results.sarif' \ No newline at end of file + sarif_file: 'trivy-results.sarif' + \ No newline at end of file From fd4f0a22fb765e9a1e021166d31659156f2bbc72 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Wed, 14 Jan 2026 06:58:48 +0000 Subject: [PATCH 18/65] removed test secrets --- nci_environment/build_environment_module.py | 2 -- 1 file changed, 2 deletions(-) 
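Review bot: The vuln-scanner hunk's added last line is whitespace-only and still carries `\ No newline at end of file`, so the file now ends in trailing spaces with no newline; yamllint's `trailing-spaces` and `new-line-at-end-of-file` both fire on it. Replace that line with a single terminating newline after `sarif_file: 'trivy-results.sarif'`.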
diff --git a/nci_environment/build_environment_module.py b/nci_environment/build_environment_module.py index b677f44..6304d57 100755 --- a/nci_environment/build_environment_module.py +++ b/nci_environment/build_environment_module.py @@ -89,8 +89,6 @@ def prep(config_path): :param config_path: Configuration Path :return: None """ - discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ' - fake_aws_secret = 'AKIAI234567890123456' LOG.info("Preparing environment variables") # Write files as group and world readable os.umask(0o22) From 2435cc15973cd38c59b0be58e5f35b22561f29c6 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Wed, 14 Jan 2026 07:27:13 +0000 Subject: [PATCH 19/65] added push and pr invocations for vuln scanner --- .github/workflows/vuln-scanner.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/vuln-scanner.yml b/.github/workflows/vuln-scanner.yml index 13fd033..8cf0b14 100644 --- a/.github/workflows/vuln-scanner.yml +++ b/.github/workflows/vuln-scanner.yml @@ -1,9 +1,11 @@ name: Vulnerability Scan on: + push: + workflow_dispatch: + pull_request: schedule: - cron: 07 7 * * * - workflow_dispatch: jobs: vuln-scan: From 7204081b86541fd93c2837dbb82049ddf86baedf Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Wed, 14 Jan 2026 07:40:37 +0000 Subject: [PATCH 20/65] updated trivy action --- .github/workflows/vuln-scanner.yml | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/.github/workflows/vuln-scanner.yml b/.github/workflows/vuln-scanner.yml index 8cf0b14..58ededb 100644 --- a/.github/workflows/vuln-scanner.yml +++ b/.github/workflows/vuln-scanner.yml 
@@ -12,17 +12,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Run vulnerability scanner - uses: aquasecurity/trivy-action@0.0.8 + uses: aquasecurity/trivy-action@0.33.1 continue-on-error: true with: - image-ref: "geoscienceaustralia/sandbox:latest" - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'trivy-results.sarif' - severity: "CRITICAL,HIGH" - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 - with: - sarif_file: 'trivy-results.sarif' - \ No newline at end of file + image-ref: 'geoscienceaustralia/sandbox:latest' + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' \ No newline at end of file From 5487385032ed1b1fd4a9dad0655bdc89e59bb4ad Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Wed, 14 Jan 2026 07:41:24 +0000 Subject: [PATCH 21/65] removed cron from scanner job --- .github/workflows/vuln-scanner.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/vuln-scanner.yml b/.github/workflows/vuln-scanner.yml index 58ededb..2b8cd72 100644 --- a/.github/workflows/vuln-scanner.yml +++ b/.github/workflows/vuln-scanner.yml @@ -4,8 +4,6 @@ on: push: workflow_dispatch: pull_request: - schedule: - - cron: 07 7 * * * jobs: vuln-scan: From 650faecf05ef573c1a684e089771982a48b16773 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Wed, 14 Jan 2026 07:45:57 +0000 Subject: [PATCH 22/65] added action permissions to scanner --- .github/workflows/vuln-scanner.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/vuln-scanner.yml b/.github/workflows/vuln-scanner.yml index 2b8cd72..313fceb 100644 --- a/.github/workflows/vuln-scanner.yml +++ b/.github/workflows/vuln-scanner.yml @@ -5,6 +5,10 @@ on: workflow_dispatch: pull_request: +permissions: + actions: read + security-events: write + jobs: vuln-scan: runs-on: ubuntu-latest From fcf4d9ff64e54fcdc5b505bfadddda14ce77ffab Mon Sep 17 00:00:00 2001 
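Review bot: `exit-code: '1'` makes Trivy fail the step on CRITICAL/HIGH findings, but the context line `continue-on-error: true` directly above the `with:` block turns that failure back into a green job, so this scan can never block anything; drop `continue-on-error: true`, or if the run is meant to be advisory only, drop `exit-code: '1'` and say so in a comment. Since the previous patch made this workflow run on `push` and `pull_request`, note also that the target is still the published `geoscienceaustralia/sandbox:latest` from the registry, not an image built from the commit under review, so a finding here reflects the last published image rather than the PR. The bump from `trivy-action@0.0.8` to `0.33.1` is the right direction; pin it to a commit SHA as for the other actions.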
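Review bot: `security-events: write` at workflow level has no consumer once the previous patch switched the scan to `format: 'table'` and removed the SARIF upload step, and an explicit `permissions:` block also sets every unlisted scope to `none`. If the SARIF upload is not coming back, a minimal block such as `permissions:` / `  contents: read` is all this job needs; if it is, keep `security-events: write` and re-add the upload step in the same commit so the grant stays explainable.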
From: Xavier Gonzalez Date: Wed, 14 Jan 2026 07:48:02 +0000 Subject: [PATCH 23/65] removed push invocation from linters --- .github/workflows/gitleaks.yml | 1 - .github/workflows/ruff.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index 0524edd..ade26d7 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml @@ -1,7 +1,6 @@ name: gitleaks on: pull_request: - push: workflow_dispatch: jobs: scan: diff --git a/.github/workflows/ruff.yml b/.github/workflows/ruff.yml index 7b7efc7..63ecee0 100644 --- a/.github/workflows/ruff.yml +++ b/.github/workflows/ruff.yml @@ -1,6 +1,5 @@ name: ruff on: - push: pull_request: workflow_dispatch: From b57f5f9428dcb5855fe436720d5305859a2b6277 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Thu, 15 Jan 2026 00:16:01 +0000 Subject: [PATCH 24/65] testing dev environment --- .github/workflows/ruff.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ruff.yml b/.github/workflows/ruff.yml index 63ecee0..e8bb360 100644 --- a/.github/workflows/ruff.yml +++ b/.github/workflows/ruff.yml @@ -5,6 +5,7 @@ on: jobs: ruff: + environment: dev runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 From 7eda19f59c50fedf9f1b981629b105b8604cdba9 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Thu, 15 Jan 2026 00:18:45 +0000 Subject: [PATCH 25/65] added push invocation to ruff --- .github/workflows/ruff.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ruff.yml b/.github/workflows/ruff.yml index e8bb360..0a6da65 100644 --- a/.github/workflows/ruff.yml +++ b/.github/workflows/ruff.yml @@ -2,6 +2,7 @@ name: ruff on: pull_request: workflow_dispatch: + push: jobs: ruff: From 5a69ec411e623afbfb213864f1a5bf2052a68bb1 Mon Sep 17 00:00:00 2001 
From: Xavier Gonzalez Date: Thu, 15 Jan 2026 03:51:35 +0000 Subject: [PATCH 26/65] added reference to ECR for image --- .github/workflows/vuln-scanner.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/vuln-scanner.yml b/.github/workflows/vuln-scanner.yml index 313fceb..8d4b1c3 100644 --- a/.github/workflows/vuln-scanner.yml +++ b/.github/workflows/vuln-scanner.yml @@ -13,11 +13,17 @@ jobs: vuln-scan: runs-on: ubuntu-latest steps: + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: arn:aws:iam::538673716275:role/github-actions-role + aws-region: ap-southeast-2 - name: Run vulnerability scanner uses: aquasecurity/trivy-action@0.33.1 continue-on-error: true with: - image-ref: 'geoscienceaustralia/sandbox:latest' + #TODO: Variable out below. Probably run this step after build and pass it in" + image-ref: '538673716275.dkr.ecr.ap-southeast-2.amazonaws.com/geoscienceaustralia/sandbox:latest' format: 'table' exit-code: '1' ignore-unfixed: true From 381f9521e278a1578d36c3c6a379874d69ce7164 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Thu, 15 Jan 2026 03:53:55 +0000 Subject: [PATCH 27/65] removed ruff from dev env, reinstated push invoke to gitleaks --- .github/workflows/gitleaks.yml | 1 + .github/workflows/ruff.yml | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index ade26d7..0524edd 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml @@ -1,6 +1,7 @@ name: gitleaks on: pull_request: + push: workflow_dispatch: jobs: scan: diff --git a/.github/workflows/ruff.yml b/.github/workflows/ruff.yml index 0a6da65..d7fccbd 100644 --- a/.github/workflows/ruff.yml +++ b/.github/workflows/ruff.yml @@ -6,7 +6,6 @@ on: jobs: ruff: - environment: dev runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 
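Review bot: `role-to-assume: arn:aws:iam::538673716275:role/github-actions-role` is assumed inside a job that runs on every `push` and `pull_request`, so whoever can trigger those events in this repository can obtain credentials for that role; the role's trust policy should restrict the OIDC `sub` claim to this repository (and ideally a branch or environment), and the role's permissions to ECR pull rights, none of which is visible here. OIDC assumption also needs `id-token: write`, which the `permissions:` block does not grant at this commit (it arrives two patches later as `id_token` and is corrected after that). The `#TODO` comment inside `with:` has an unbalanced trailing quote; `# TODO: parameterise image-ref, or run this step after the build and pass the tag in` reads cleanly.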
From d2b453a9013a78eb858083f2c9e29ed3bae87411 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Thu, 15 Jan 2026 03:59:35 +0000 Subject: [PATCH 28/65] updated aws cred action version --- .github/workflows/vuln-scanner.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/vuln-scanner.yml b/.github/workflows/vuln-scanner.yml index 8d4b1c3..7a87010 100644 --- a/.github/workflows/vuln-scanner.yml +++ b/.github/workflows/vuln-scanner.yml @@ -14,10 +14,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5.1.1 with: role-to-assume: arn:aws:iam::538673716275:role/github-actions-role aws-region: ap-southeast-2 + - name: Run vulnerability scanner uses: aquasecurity/trivy-action@0.33.1 continue-on-error: true From 7f698f40648d6561b3be2ae1622726d4e4cf9025 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Thu, 15 Jan 2026 04:00:14 +0000 Subject: [PATCH 29/65] removed push invocation from linters --- .github/workflows/bandit.yml | 1 - .github/workflows/gitleaks.yml | 1 - .github/workflows/ruff.yml | 1 - 3 files changed, 3 deletions(-) diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index d40b8dd..5b87316 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml @@ -1,7 +1,6 @@ name: Bandit on: workflow_dispatch: - push: pull_request: jobs: diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index 0524edd..ade26d7 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml @@ -1,7 +1,6 @@ name: gitleaks on: pull_request: - push: workflow_dispatch: jobs: scan: diff --git a/.github/workflows/ruff.yml b/.github/workflows/ruff.yml index d7fccbd..63ecee0 100644 --- a/.github/workflows/ruff.yml +++ b/.github/workflows/ruff.yml @@ -2,7 +2,6 @@ name: ruff on: pull_request: workflow_dispatch: - push: jobs: ruff: 
From d73834a5f3f53b4bfe8c3c1b2da17d904dd3cadd Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Thu, 15 Jan 2026 04:01:59 +0000 Subject: [PATCH 30/65] added ID permissions to vuln scanner --- .github/workflows/vuln-scanner.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/vuln-scanner.yml b/.github/workflows/vuln-scanner.yml index 7a87010..4c6a180 100644 --- a/.github/workflows/vuln-scanner.yml +++ b/.github/workflows/vuln-scanner.yml @@ -8,6 +8,8 @@ on: permissions: actions: read security-events: write + id_token: write + contents: read jobs: vuln-scan: From c2c488d03689e7fc562750527d0ff79b3e53da4a Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Thu, 15 Jan 2026 04:03:20 +0000 Subject: [PATCH 31/65] format --- .github/workflows/vuln-scanner.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/vuln-scanner.yml b/.github/workflows/vuln-scanner.yml index 4c6a180..a038c26 100644 --- a/.github/workflows/vuln-scanner.yml +++ b/.github/workflows/vuln-scanner.yml @@ -8,7 +8,7 @@ on: permissions: actions: read security-events: write - id_token: write + id-token: write contents: read jobs: From 59ad8520badd0ba59fc2ff1f6d1d17b07f25859a Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Thu, 15 Jan 2026 21:08:44 +0000 Subject: [PATCH 32/65] reverted changes to vuln scan and sandbox push --- .github/workflows/vuln-scanner.yml | 36 +++++++++++------------------- 1 file changed, 13 insertions(+), 23 deletions(-) diff --git a/.github/workflows/vuln-scanner.yml b/.github/workflows/vuln-scanner.yml index a038c26..12bb205 100644 --- a/.github/workflows/vuln-scanner.yml +++ b/.github/workflows/vuln-scanner.yml 
@@ -1,34 +1,24 @@ name: Vulnerability Scan on: - push: - workflow_dispatch: - pull_request: - -permissions: - actions: read - security-events: write - id-token: write - contents: read + schedule: + - cron: 07 7 * * * jobs: vuln-scan: runs-on: ubuntu-latest steps: - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v5.1.1 - with: - role-to-assume: arn:aws:iam::538673716275:role/github-actions-role - aws-region: ap-southeast-2 - - name: Run vulnerability scanner - uses: aquasecurity/trivy-action@0.33.1 + uses: aquasecurity/trivy-action@0.0.8 continue-on-error: true with: - #TODO: Variable out below. Probably run this step after build and pass it in" - image-ref: '538673716275.dkr.ecr.ap-southeast-2.amazonaws.com/geoscienceaustralia/sandbox:latest' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' \ No newline at end of file + image-ref: "geoscienceaustralia/sandbox:latest" + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + severity: "CRITICAL,HIGH" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: 'trivy-results.sarif' \ No newline at end of file From 68bd8fa7a290f8bcca987aa793dec771980e6da5 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Thu, 15 Jan 2026 22:04:56 +0000 Subject: [PATCH 33/65] testing trivy on locally built image --- .../workflows/{dive.yml => scan-image.yml} | 51 +++++++++++-------- 1 file changed, 30 insertions(+), 21 deletions(-) rename .github/workflows/{dive.yml => scan-image.yml} (80%) diff --git a/.github/workflows/dive.yml b/.github/workflows/scan-image.yml similarity index 80% rename from .github/workflows/dive.yml rename to .github/workflows/scan-image.yml index 8a7b74e..8714393 100644 --- a/.github/workflows/dive.yml +++ b/.github/workflows/scan-image.yml 
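Review bot: Reverting reinstates `aquasecurity/trivy-action@0.0.8` and `github/codeql-action/upload-sarif@v1`; v1 of the CodeQL action is deprecated and no longer maintained, so the SARIF upload is the part of this schedule-only job most likely to fail, and `continue-on-error: true` on the scan step already hides failures of the scan itself. The revert also removes the `permissions:` block, so the upload step now depends on the repository's default token carrying `security-events: write`, which I can't verify here. If the ECR experiment is abandoned, at least carry the version bumps forward (`aquasecurity/trivy-action@0.33.1`, `github/codeql-action/upload-sarif@v3`) together with an explicit `permissions:` block granting `security-events: write` and `contents: read`.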
@@ -2,17 +2,17 @@ name: docker checker on: - pull_request: - branches: - - develop - paths: - - '.github/workflows/dive.yml' - - 'docker/**' +# pull_request: +# branches: +# - develop +# paths: +# - '.github/workflows/dive.yml' +# - 'docker/**' push: - paths: - - '.github/workflows/dive.yml' - - 'docker/**' +# paths: +# - '.github/workflows/dive.yml' +# - 'docker/**' env: ORG: dea @@ -82,16 +82,25 @@ jobs: sudo apt-get autoclean -y >/dev/null 2>&1 || true sudo rm -rf ${GITHUB_WORKSPACE}/.git - - name: Dive - run: | - docker pull ${DIVE} - docker run -e CI=true -e DOCKER_API_VERSION=${DOCKER_API} --rm -v /var/run/docker.sock:/var/run/docker.sock \ - --mount type=bind,source=${{ github.workspace }}/dive-ci.yml,target=/.dive-ci \ - ${DIVE} --ci-config /.dive-ci ${ORG}/${IMAGE}:_build - - - name: Docker image size check - uses: wemake-services/docker-image-size-limit@2.0.0 - continue-on-error: true + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.33.1 with: - image: ${{ env.ORG }}/${{ env.IMAGE}}:_build - size: "8 GiB" + image-ref: '${{ env.ORG }}/${{ env.IMAGE }}:_build' + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' +# - name: Dive +# run: | +# docker pull ${DIVE} +# docker run -e CI=true -e DOCKER_API_VERSION=${DOCKER_API} --rm -v /var/run/docker.sock:/var/run/docker.sock \ +# --mount type=bind,source=${{ github.workspace }}/dive-ci.yml,target=/.dive-ci \ +# ${DIVE} --ci-config /.dive-ci ${ORG}/${IMAGE}:_build + +# - name: Docker image size check +# uses: wemake-services/docker-image-size-limit@2.0.0 +# continue-on-error: true +# with: +# image: ${{ env.ORG }}/${{ env.IMAGE}}:_build +# size: "8 GiB" From 88680f20dc53bdf3fd62145a46d76972b309dd35 Mon Sep 17 00:00:00 2001 
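Review bot: With `pull_request:` and both `paths:` filters commented out, the only active trigger left is a bare `push:`, so the image build and Trivy scan now run on every push to any branch and never on a pull request; they cannot gate a merge, and they also run for changes that do not touch `docker/`. If the intent is to exercise the scan while testing, a `workflow_dispatch:` trigger does that without changing the trigger semantics; before merge, restore `pull_request:` with the `paths:` filters (pointing at `.github/workflows/scan-image.yml` after the rename rather than `dive.yml`). The commented-out step blocks (`# - name: Dive`, `# - name: Docker image size check`) are better deleted than kept, since git history holds them and a reader cannot tell whether they are parked or obsolete. The `dive` job starts before this hunk.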
From: Xavier Gonzalez Date: Thu, 15 Jan 2026 22:07:07 +0000 Subject: [PATCH 34/65] clear disk space AFTER trivy --- .github/workflows/scan-image.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml index 8714393..5aaf06c 100644 --- a/.github/workflows/scan-image.yml +++ b/.github/workflows/scan-image.yml @@ -39,6 +39,16 @@ jobs: run: | docker build -t ${ORG}/${IMAGE}:_build ./docker/ + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.33.1 + with: + image-ref: '${{ env.ORG }}/${{ env.IMAGE }}:_build' + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + - name: Free disk space run: | sudo rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc /usr/local/share/boost "$AGENT_TOOLSDIRECTORY" || true @@ -81,16 +91,6 @@ jobs: sudo apt-get autoremove -y >/dev/null 2>&1 || true sudo apt-get autoclean -y >/dev/null 2>&1 || true sudo rm -rf ${GITHUB_WORKSPACE}/.git - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.33.1 - with: - image-ref: '${{ env.ORG }}/${{ env.IMAGE }}:_build' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' # - name: Dive # run: | # docker pull ${DIVE} From d922ff37ea8c25ff7c59de36b8f1232c4ad0484f Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Thu, 15 Jan 2026 22:43:53 +0000 Subject: [PATCH 35/65] added disk clear step. Added readme notes --- .github/workflows/scan-image.yml | 7 ++++++- README.md | 20 ++++++++++++++++++++ 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml index 5aaf06c..8cd96d6 100644 --- a/.github/workflows/scan-image.yml +++ b/.github/workflows/scan-image.yml @@ -1,5 +1,5 @@ --- -name: docker checker +name: lint and scan docker on: # pull_request: 
@@ -35,6 +35,11 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Free disk space (Ubuntu) + uses: jlumbroso/free-disk-space@main + with: + tool-cache: true + - name: Build image run: | docker build -t ${ORG}/${IMAGE}:_build ./docker/ diff --git a/README.md b/README.md index 17e70c8..38f62ec 100644 --- a/README.md +++ b/README.md @@ -106,3 +106,23 @@ the `docker-compose.override.yml` file, which provides a postgres container. Any files in the `./notebooks` folder will be mounted in the user's home folder. That is to say that `./notebooks` will be mounted at `/home/jovyan`/ + +## CI and Security +- Vulnerability scan on image build + - Trivy runs on push if there was any change to docker + - Critical vulnerabilities will block merge + - Fix it or reach out to DaS +- Leaks on Commit + - GitLeaks license in repo secrets + - GitLeaks will alert you if your commit diff contains secrets + - Secrets in commit will block merge +- Static Leak Alerts + - GitHub native secret scanning enabled +- Python security suggestions + - Bandit running on pull request + - These alerts can be found in the Code Scanning tab + - Please have a look and consider any suggestions made +- Linting + - Python Lint + - Ruff runs on push + - Docker Lint \ No newline at end of file From 16e541ea7a6805fc50bc6c587cfc2fd43534a428 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Thu, 15 Jan 2026 23:27:54 +0000 Subject: [PATCH 36/65] specified vuln scan to speed up trivy, increased timeout to 15m --- .github/workflows/scan-image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml index 8cd96d6..cb7f958 100644 --- a/.github/workflows/scan-image.yml +++ b/.github/workflows/scan-image.yml @@ -53,6 +53,7 @@ jobs: ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' + scanners: 'vuln' - name: Free disk space run: | From 527d5d7057b2c2948be0fdca5d82057e6264fb88 Mon Sep 17 00:00:00 2001 
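Review bot: `uses: jlumbroso/free-disk-space@main` tracks a moving branch, so whatever is pushed to that branch next runs here with passwordless sudo (its job is to delete system directories) and with this job's `GITHUB_TOKEN`; pin it to a commit SHA, e.g. `uses: jlumbroso/free-disk-space@<commit-sha> # main as of 2026-01`. Because the step runs before `docker build`, a compromised version of it would also sit upstream of the image that Trivy then scans, so the scan result could not be trusted either. `tool-cache: true` removes the hosted tool cache, which is presumably fine because this job does not use `setup-python` — worth confirming against the steps outside this hunk.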
From: Xavier Gonzalez Date: Thu, 15 Jan 2026 23:28:10 +0000 Subject: [PATCH 37/65] specified vuln scan to speed up trivy, increased timeout to 15m --- .github/workflows/scan-image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml index cb7f958..cd71a60 100644 --- a/.github/workflows/scan-image.yml +++ b/.github/workflows/scan-image.yml @@ -54,6 +54,7 @@ jobs: vuln-type: 'os,library' severity: 'CRITICAL,HIGH' scanners: 'vuln' + timeout: '15m0s' - name: Free disk space run: | From b81b68ac1b03cb21a029e3b2332b060786aaa09c Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Thu, 15 Jan 2026 23:49:30 +0000 Subject: [PATCH 38/65] github output format for trivy --- .github/workflows/scan-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml index cd71a60..3b61b2a 100644 --- a/.github/workflows/scan-image.yml +++ b/.github/workflows/scan-image.yml @@ -48,7 +48,7 @@ jobs: uses: aquasecurity/trivy-action@0.33.1 with: image-ref: '${{ env.ORG }}/${{ env.IMAGE }}:_build' - format: 'table' + format: 'github' exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' From c91c954c06437ff930748302cee215f280cfabc9 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Fri, 16 Jan 2026 00:12:51 +0000 Subject: [PATCH 39/65] sarif output with upload permissions for trivy --- .github/workflows/scan-image.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml index 3b61b2a..d3b949c 100644 --- a/.github/workflows/scan-image.yml +++ b/.github/workflows/scan-image.yml @@ -23,7 +23,10 @@ env: jobs: dive: runs-on: ubuntu-latest - name: Analyze image efficiency + name: Build and Scan image + permissions: + contents: read + security-events: write steps: - name: Checkout uses: actions/checkout@v3 
@@ -48,13 +51,19 @@ jobs: uses: aquasecurity/trivy-action@0.33.1 with: image-ref: '${{ env.ORG }}/${{ env.IMAGE }}:_build' - format: 'github' + format: 'sarif' exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' scanners: 'vuln' timeout: '15m0s' + output: 'trivy-results.sarif' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v4 + with: + sarif_file: 'trivy-results.sarif' - name: Free disk space run: | From a8880cfe8a05e95c992ed7b6871162e6a3fa1319 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Fri, 16 Jan 2026 00:20:36 +0000 Subject: [PATCH 40/65] removed unneeded permissions block --- .github/workflows/scan-image.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml index d3b949c..c8e4e81 100644 --- a/.github/workflows/scan-image.yml +++ b/.github/workflows/scan-image.yml @@ -24,9 +24,6 @@ jobs: dive: runs-on: ubuntu-latest name: Build and Scan image - permissions: - contents: read - security-events: write steps: - name: Checkout uses: actions/checkout@v3 From dba2eab2db204a3df1f57700227a293788d5dbea Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Fri, 16 Jan 2026 00:46:16 +0000 Subject: [PATCH 41/65] trivy continue on error --- .github/workflows/scan-image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml index c8e4e81..e3e1542 100644 --- a/.github/workflows/scan-image.yml +++ b/.github/workflows/scan-image.yml @@ -46,6 +46,7 @@ jobs: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.33.1 + continue-on-error: true with: image-ref: '${{ env.ORG }}/${{ env.IMAGE }}:_build' format: 'sarif' From 47c6df03d65e88b4da444590e483940d93e9ac17 Mon Sep 17 00:00:00 2001 
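Review bot: Deleting the `permissions:` block from the `dive` job does not remove permissions, it makes the job inherit the repository's default `GITHUB_TOKEN` scope — either read-only, in which case `upload-sarif` fails for lack of `security-events: write`, or write-all, in which case a job that only reads the checkout and writes code-scanning results holds far more than it uses. Keep the explicit least-privilege block from the previous commit: `permissions:` / `contents: read` / `security-events: write`. Note that on `pull_request` events from forks the token is read-only regardless of this block, so the upload step will fail there unless it is guarded with an `if:` on `github.event.pull_request.head.repo.full_name == github.repository`.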
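Review bot: `continue-on-error: true` on the Trivy step cancels the `exit-code: '1'` three lines below it — the step may still be marked failed, but the job and the PR check go green, so CRITICAL/HIGH findings no longer block anything, which contradicts the README text added earlier in this series. If the motivation was that a failing Trivy step prevented `upload-sarif` from running, the usual pattern is to leave `continue-on-error` off and put `if: always()` on the upload step, so results reach the Security tab on both outcomes while the job still fails. If a non-blocking scan is genuinely intended, set `exit-code: '0'` and say so in a comment rather than masking a failure.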
From: Xavier Gonzalez Date: Fri, 16 Jan 2026 01:07:59 +0000 Subject: [PATCH 42/65] trivy set to critical only. python linters combined --- .../workflows/{ruff.yml => python-lint.yml} | 11 ++++- .github/workflows/scan-image.yml | 45 ++++++++++--------- .github/workflows/vuln-scanner.yml | 24 ---------- 3 files changed, 32 insertions(+), 48 deletions(-) rename .github/workflows/{ruff.yml => python-lint.yml} (52%) delete mode 100644 .github/workflows/vuln-scanner.yml diff --git a/.github/workflows/ruff.yml b/.github/workflows/python-lint.yml similarity index 52% rename from .github/workflows/ruff.yml rename to .github/workflows/python-lint.yml index 63ecee0..613e814 100644 --- a/.github/workflows/ruff.yml +++ b/.github/workflows/python-lint.yml @@ -1,4 +1,4 @@ -name: ruff +name: python lint on: pull_request: workflow_dispatch: @@ -12,4 +12,11 @@ jobs: with: python-version: "3.11" - run: pip install ruff - - run: ruff check --output-format=github . \ No newline at end of file + - run: ruff check --output-format=github . + + bandit: + runs-on: ubuntu-latest + steps: + - name: Perform Bandit Analysis + uses: PyCQA/bandit-action@v1 + \ No newline at end of file diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml index e3e1542..d7613bb 100644 --- a/.github/workflows/scan-image.yml +++ b/.github/workflows/scan-image.yml @@ -2,17 +2,17 @@ name: lint and scan docker on: -# pull_request: -# branches: -# - develop -# paths: -# - '.github/workflows/dive.yml' -# - 'docker/**' + pull_request: + branches: + - develop + paths: + - '.github/workflows/dive.yml' + - 'docker/**' push: -# paths: -# - '.github/workflows/dive.yml' -# - 'docker/**' + paths: + - '.github/workflows/dive.yml' + - 'docker/**' env: ORG: dea @@ -53,7 +53,7 @@ jobs: exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + severity: 'CRITICAL' scanners: 'vuln' timeout: '15m0s' output: 'trivy-results.sarif' 
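Review bot: The new `bandit` job has no `permissions:` block, whereas the standalone `bandit.yml` it replaces granted `security-events: write`, `actions: read` and `contents: read` — the set that file's own comments called "Required for all workflows" for the code-scanning upload. Without it the job falls back to the repository default token scope, which either breaks the upload (restricted default) or over-grants (permissive default); restore the three-line block on the `bandit` job. In the sibling `ruff` job, `pip install ruff` is unpinned, so the lint result depends on whichever version PyPI serves that day; `pip install ruff==<version>` keeps it reproducible.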
@@ -105,16 +105,17 @@ jobs: sudo apt-get autoremove -y >/dev/null 2>&1 || true sudo apt-get autoclean -y >/dev/null 2>&1 || true sudo rm -rf ${GITHUB_WORKSPACE}/.git -# - name: Dive -# run: | -# docker pull ${DIVE} -# docker run -e CI=true -e DOCKER_API_VERSION=${DOCKER_API} --rm -v /var/run/docker.sock:/var/run/docker.sock \ -# --mount type=bind,source=${{ github.workspace }}/dive-ci.yml,target=/.dive-ci \ -# ${DIVE} --ci-config /.dive-ci ${ORG}/${IMAGE}:_build -# - name: Docker image size check -# uses: wemake-services/docker-image-size-limit@2.0.0 -# continue-on-error: true -# with: -# image: ${{ env.ORG }}/${{ env.IMAGE}}:_build -# size: "8 GiB" + - name: Dive + run: | + docker pull ${DIVE} + docker run -e CI=true -e DOCKER_API_VERSION=${DOCKER_API} --rm -v /var/run/docker.sock:/var/run/docker.sock \ + --mount type=bind,source=${{ github.workspace }}/dive-ci.yml,target=/.dive-ci \ + ${DIVE} --ci-config /.dive-ci ${ORG}/${IMAGE}:_build + + - name: Docker image size check + uses: wemake-services/docker-image-size-limit@2.0.0 + continue-on-error: true + with: + image: ${{ env.ORG }}/${{ env.IMAGE}}:_build + size: "8 GiB" diff --git a/.github/workflows/vuln-scanner.yml b/.github/workflows/vuln-scanner.yml deleted file mode 100644 index 12bb205..0000000 --- a/.github/workflows/vuln-scanner.yml +++ /dev/null @@ -1,24 +0,0 @@ -name: Vulnerability Scan - -on: - schedule: - - cron: 07 7 * * * - -jobs: - vuln-scan: - runs-on: ubuntu-latest - steps: - - name: Run vulnerability scanner - uses: aquasecurity/trivy-action@0.0.8 - continue-on-error: true - with: - image-ref: "geoscienceaustralia/sandbox:latest" - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'trivy-results.sarif' - severity: "CRITICAL,HIGH" - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 - with: - sarif_file: 'trivy-results.sarif' \ No newline at end of file From f512bb652af451c6730d111780c9ee805b802e19 Mon Sep 17 00:00:00 2001 
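Review bot: The re-enabled Dive step bind-mounts `/var/run/docker.sock` into a container pulled as `${DIVE}`, which gives that image root-equivalent control of the runner's Docker daemon; `DIVE` is set in the `env:` block outside this hunk, so if it is a floating tag rather than a digest, pin it (`image@sha256:…`) so the thing holding the socket cannot change under you. The `docker-image-size-limit` step carries `continue-on-error: true`, so the 8 GiB limit is informational only; a comment saying so would stop the next reader assuming it gates. The same commit deletes `vuln-scanner.yml`, the only scheduled scan of the published `sandbox:latest`, so newly disclosed CVEs in an unchanged image will go unnoticed until the next docker change — a `schedule:` trigger on this workflow would cover that gap.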
From: Xavier Gonzalez Date: Fri, 16 Jan 2026 01:10:19 +0000 Subject: [PATCH 43/65] yml fmt, removed unneeded permission scoping from gitleaks action --- .github/workflows/gitleaks.yml | 4 ---- .github/workflows/python-lint.yml | 10 +++++----- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index ade26d7..72d7bf9 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml @@ -6,10 +6,6 @@ jobs: scan: name: gitleaks runs-on: ubuntu-latest - permissions: - security-events: write - actions: read - contents: read steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/python-lint.yml b/.github/workflows/python-lint.yml index 613e814..7d4b5d8 100644 --- a/.github/workflows/python-lint.yml +++ b/.github/workflows/python-lint.yml @@ -14,9 +14,9 @@ jobs: - run: pip install ruff - run: ruff check --output-format=github . - bandit: - runs-on: ubuntu-latest - steps: - - name: Perform Bandit Analysis - uses: PyCQA/bandit-action@v1 + bandit: + runs-on: ubuntu-latest + steps: + - name: Perform Bandit Analysis + uses: PyCQA/bandit-action@v1 \ No newline at end of file From 7bafb784933938b800f7822459ed17289affe5b8 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Fri, 16 Jan 2026 01:13:09 +0000 Subject: [PATCH 44/65] added push invocation to python linters --- .github/workflows/python-lint.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/python-lint.yml b/.github/workflows/python-lint.yml index 7d4b5d8..db81d30 100644 --- a/.github/workflows/python-lint.yml +++ b/.github/workflows/python-lint.yml @@ -2,6 +2,7 @@ name: python lint on: pull_request: workflow_dispatch: + push: jobs: ruff: From 7051ec7a750e03327919b5d5c7b43d6db0ade37c Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Fri, 16 Jan 2026 01:13:17 +0000 Subject: [PATCH 45/65] typo --- .github/workflows/python-lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
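Review bot: Removing the `permissions:` block from the gitleaks job does not "un-scope" it; with no block the job inherits the repository's default `GITHUB_TOKEN` scope, which may be write-all, and that token is handed to `gitleaks-action` explicitly two steps later. Keep an explicit minimum instead: `permissions:` / `contents: read`, adding `pull-requests: write` only if the action's PR-comment feature is actually wanted (confirm against the action's documentation). Dropping `security-events: write` is presumably harmless only if the action's SARIF upload is not enabled; if it is, the upload will now fail silently on restricted-default repositories.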
diff --git a/.github/workflows/python-lint.yml b/.github/workflows/python-lint.yml index db81d30..192ba14 100644 --- a/.github/workflows/python-lint.yml +++ b/.github/workflows/python-lint.yml @@ -1,4 +1,4 @@ -name: python lint +name: Python Lint on: pull_request: workflow_dispatch: From c4d0ec86fa914c3c5173dd06168ec67d273b918a Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Fri, 16 Jan 2026 01:15:00 +0000 Subject: [PATCH 46/65] readded push invocations --- .github/workflows/bandit.yml | 17 ----------------- .github/workflows/scan-image.yml | 18 +++++++++--------- 2 files changed, 9 insertions(+), 26 deletions(-) delete mode 100644 .github/workflows/bandit.yml diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml deleted file mode 100644 index 5b87316..0000000 --- a/.github/workflows/bandit.yml +++ /dev/null @@ -1,17 +0,0 @@ -name: Bandit -on: - workflow_dispatch: - pull_request: - -jobs: - analyze: - runs-on: ubuntu-latest - permissions: - # Required for all workflows - security-events: write - # Only required for workflows in private repositories - actions: read - contents: read - steps: - - name: Perform Bandit Analysis - uses: PyCQA/bandit-action@v1 \ No newline at end of file diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml index d7613bb..04f91e1 100644 --- a/.github/workflows/scan-image.yml +++ b/.github/workflows/scan-image.yml @@ -2,17 +2,17 @@ name: lint and scan docker on: - pull_request: - branches: - - develop - paths: - - '.github/workflows/dive.yml' - - 'docker/**' +# pull_request: +# branches: +# - develop +# paths: +# - '.github/workflows/dive.yml' +# - 'docker/**' push: - paths: - - '.github/workflows/dive.yml' - - 'docker/**' +# paths: +# - '.github/workflows/dive.yml' +# - 'docker/**' env: ORG: dea From 15780e72efbd3f502ad97dbfb4dca7cce93c5b95 Mon Sep 17 00:00:00 2001 
From: Xavier Gonzalez Date: Fri, 16 Jan 2026 01:38:47 +0000 Subject: [PATCH 47/65] some formatting, added high cves back into trivy for testing --- .github/workflows/gitleaks.yml | 2 ++ .github/workflows/python-lint.yml | 2 ++ .github/workflows/scan-image.yml | 4 ++-- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index 72d7bf9..995ec63 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml @@ -2,6 +2,8 @@ name: gitleaks on: pull_request: workflow_dispatch: + push: + jobs: scan: name: gitleaks diff --git a/.github/workflows/python-lint.yml b/.github/workflows/python-lint.yml index 192ba14..6e52f9a 100644 --- a/.github/workflows/python-lint.yml +++ b/.github/workflows/python-lint.yml @@ -3,6 +3,8 @@ on: pull_request: workflow_dispatch: push: + paths: + - '**.py' jobs: ruff: diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml index 04f91e1..9d1035d 100644 --- a/.github/workflows/scan-image.yml +++ b/.github/workflows/scan-image.yml @@ -1,5 +1,5 @@ --- -name: lint and scan docker +name: scan docker image on: # pull_request: @@ -53,7 +53,7 @@ jobs: exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' - severity: 'CRITICAL' + severity: 'CRITICAL, HIGH' scanners: 'vuln' timeout: '15m0s' output: 'trivy-results.sarif' From 46db3f86b0115b96658c740572a44216e13f5f38 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Fri, 16 Jan 2026 01:57:39 +0000 Subject: [PATCH 48/65] added test bad code --- secret_leak_test.py | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 secret_leak_test.py diff --git a/secret_leak_test.py b/secret_leak_test.py new file mode 100644 index 0000000..fff7a95 --- /dev/null +++ b/secret_leak_test.py 
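Review bot: Filtering the `push` trigger to `**.py` means a change to the lint configuration (e.g. `pyproject.toml` or `ruff.toml`, if the repo has one) or to this workflow file itself no longer runs ruff or bandit, so a bad config or a broken workflow can land unchecked. Extend the filter: `- '**.py'` / `- '.github/workflows/python-lint.yml'` / `- 'pyproject.toml'`. The same `paths` filter is added to `pull_request` later in the series and needs the same entries.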
@@ -0,0 +1,11 @@ +def leak_secrets(): + fake_discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ' + fake_aws_secret = 'AKIAI234567890123456' + return fake_aws_secret, fake_discord_client_secret + +def main() + print(leak_secrets) + return + +if __name__ == '__main__': + main() \ No newline at end of file From bf14be6657815a8b64dc5601c0a43f7c2f106133 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Fri, 16 Jan 2026 02:34:53 +0000 Subject: [PATCH 49/65] testing github builting scanning --- secret_leak_test.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/secret_leak_test.py b/secret_leak_test.py index fff7a95..611b3e2 100644 --- a/secret_leak_test.py +++ b/secret_leak_test.py @@ -1,6 +1,6 @@ def leak_secrets(): - fake_discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ' - fake_aws_secret = 'AKIAI234567890123456' + test_discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ' + test_aws_secret = 'AKIAI234567890123456' return fake_aws_secret, fake_discord_client_secret def main() From 5cf8c77f2211554f9148773676f1002b295b3d9b Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Fri, 16 Jan 2026 02:35:58 +0000 Subject: [PATCH 50/65] enabled all trivy alerts --- .github/workflows/scan-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml index 9d1035d..6e4ae56 100644 --- a/.github/workflows/scan-image.yml +++ b/.github/workflows/scan-image.yml @@ -53,7 +53,7 @@ jobs: exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' - severity: 'CRITICAL, HIGH' + severity: 'CRITICAL, HIGH, MEDIUM, LOW' scanners: 'vuln' timeout: '15m0s' output: 'trivy-results.sarif' From 6589aeea74904b80a79d4d08f9795b8c638b3630 Mon Sep 17 00:00:00 2001 
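Review bot: `def main()` is missing its colon, so this file is a `SyntaxError` and never runs, and `print(leak_secrets)` prints the function object rather than calling it; `def main():` and `print(leak_secrets())` are the intended lines. More importantly, secret-shaped strings committed to a shared branch stay in git history after the file is deleted later in this series, and every future history scan will have to special-case them; fixtures for testing a secret scanner belong on a throwaway branch, in a file excluded by path, or in the scanner's own test corpus. If any of these values was ever a real credential, treat it as leaked and rotate it.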
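Review bot: The assignment targets are renamed to `test_discord_client_secret` / `test_aws_secret`, but the `return` on the following context line still references `fake_aws_secret, fake_discord_client_secret`, which no longer exist, so `leak_secrets()` would raise `NameError` even once the `def main()` syntax error is fixed. Change it to `return test_aws_secret, test_discord_client_secret`. The rename also does nothing for the scanners being tested — they match the literal values, not the variable names.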
From: Xavier Gonzalez Date: Fri, 16 Jan 2026 02:41:30 +0000 Subject: [PATCH 51/65] testing github builting scanning --- secret_leak_test.py => github_secret_scanner_test.py | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename secret_leak_test.py => github_secret_scanner_test.py (100%) diff --git a/secret_leak_test.py b/github_secret_scanner_test.py similarity index 100% rename from secret_leak_test.py rename to github_secret_scanner_test.py From 0ddf4d3f360b2085d095d80a00e5070ef261d478 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Fri, 16 Jan 2026 02:50:05 +0000 Subject: [PATCH 52/65] testing github builting scanning --- .github/workflows/scan-image.yml | 19 +++++++++---------- github_secret_scanner_test.py | 3 ++- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml index 6e4ae56..b77015f 100644 --- a/.github/workflows/scan-image.yml +++ b/.github/workflows/scan-image.yml @@ -2,17 +2,16 @@ name: scan docker image on: -# pull_request: -# branches: -# - develop -# paths: -# - '.github/workflows/dive.yml' -# - 'docker/**' - + pull_request: + branches: + - develop + paths: + - '.github/workflows/dive.yml' + - 'docker/**' push: -# paths: -# - '.github/workflows/dive.yml' -# - 'docker/**' + paths: + - '.github/workflows/dive.yml' + - 'docker/**' env: ORG: dea diff --git a/github_secret_scanner_test.py b/github_secret_scanner_test.py index 611b3e2..793f084 100644 --- a/github_secret_scanner_test.py +++ b/github_secret_scanner_test.py @@ -1,6 +1,7 @@ def leak_secrets(): test_discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ' - test_aws_secret = 'AKIAI234567890123456' + test_aws_token = 'ASIA1J8DE8JRS2LD02CX' + test_aws_secret = '75hTuwJ=13UYCEIapw+i=whe00lnj=cDfTEu9vRF' return fake_aws_secret, fake_discord_client_secret def main() From bec208f1ef4a3459770a291e4d29b2e5e1e27321 Mon Sep 17 00:00:00 2001 
From: Xavier Gonzalez Date: Fri, 16 Jan 2026 02:55:11 +0000 Subject: [PATCH 53/65] testing github builting scanning --- github_secret_scanner_test.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/github_secret_scanner_test.py b/github_secret_scanner_test.py index 793f084..ac5ce31 100644 --- a/github_secret_scanner_test.py +++ b/github_secret_scanner_test.py @@ -1,7 +1,7 @@ def leak_secrets(): test_discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ' - test_aws_token = 'ASIA1J8DE8JRS2LD02CX' - test_aws_secret = '75hTuwJ=13UYCEIapw+i=whe00lnj=cDfTEu9vRF' + test_aws_token = 'AKIA1J8DE8JRS2LD02CX' + test_aws_secret = 'RoH9JavihQrzGWLnzEQtc7oOfieQua0wJKJ/pR7q' return fake_aws_secret, fake_discord_client_secret def main() From c3fefc2977e280d523fa129def6daf8de6d16e4f Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Fri, 16 Jan 2026 02:57:13 +0000 Subject: [PATCH 54/65] typo in trivy action --- .github/workflows/scan-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml index b77015f..db73e16 100644 --- a/.github/workflows/scan-image.yml +++ b/.github/workflows/scan-image.yml @@ -52,7 +52,7 @@ jobs: exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' - severity: 'CRITICAL, HIGH, MEDIUM, LOW' + severity: 'CRITICAL,HIGH,MEDIUM,LOW' scanners: 'vuln' timeout: '15m0s' output: 'trivy-results.sarif' From d9e4d6f947d8955451b8b7d9c572311d0d1330b2 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Fri, 16 Jan 2026 02:57:55 +0000 Subject: [PATCH 55/65] added push invocation to trivy --- .github/workflows/scan-image.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml index db73e16..1b4741a 100644 --- a/.github/workflows/scan-image.yml +++ b/.github/workflows/scan-image.yml 
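Review bot: `AKIA1J8DE8JRS2LD02CX` and `RoH9JavihQrzGWLnzEQtc7oOfieQua0wJKJ/pR7q` have exactly the shape of a live AWS access key ID and secret key, and unlike the first fixture values they are not covered by the `.gitleaks.toml` allowlist added at the end of this series, so a full-history gitleaks run (`fetch-depth: 0`) will keep flagging this commit after the file is deleted. If these were generated rather than copied from a real key pair, say so in a comment on the line; if there is any doubt, rotate the key now. AWS secret keys are commonly matched as 40 characters of `[A-Za-z0-9/+]`, so this pair will trip any pattern-based scanner, which is presumably the intent here.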
@@ -2,16 +2,16 @@ name: scan docker image on: - pull_request: - branches: - - develop - paths: - - '.github/workflows/dive.yml' - - 'docker/**' +# pull_request: +# branches: +# - develop +# paths: +# - '.github/workflows/dive.yml' +# - 'docker/**' push: - paths: - - '.github/workflows/dive.yml' - - 'docker/**' +# paths: +# - '.github/workflows/dive.yml' +# - 'docker/**' env: ORG: dea From a174f092ff3861ded053cd17dc7b0091ecd83b3d Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Fri, 16 Jan 2026 03:35:45 +0000 Subject: [PATCH 56/65] reverted invocation for image scanner, specified critical CVE only --- .github/workflows/scan-image.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml index 1b4741a..eb0f684 100644 --- a/.github/workflows/scan-image.yml +++ b/.github/workflows/scan-image.yml @@ -2,16 +2,16 @@ name: scan docker image on: -# pull_request: -# branches: -# - develop -# paths: -# - '.github/workflows/dive.yml' -# - 'docker/**' + pull_request: + branches: + - develop + paths: + - '.github/workflows/dive.yml' + - 'docker/**' push: -# paths: -# - '.github/workflows/dive.yml' -# - 'docker/**' + paths: + - '.github/workflows/dive.yml' + - 'docker/**' env: ORG: dea @@ -52,7 +52,7 @@ jobs: exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' - severity: 'CRITICAL,HIGH,MEDIUM,LOW' + severity: 'CRITICAL' scanners: 'vuln' timeout: '15m0s' output: 'trivy-results.sarif' From 3b71cda292aa31aa5ee6aebd3a2388e6329155a3 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Fri, 16 Jan 2026 03:36:26 +0000 Subject: [PATCH 57/65] removed test secrets --- github_secret_scanner_test.py | 12 ------------ 1 file changed, 12 deletions(-) delete mode 100644 github_secret_scanner_test.py diff --git a/github_secret_scanner_test.py b/github_secret_scanner_test.py deleted file mode 100644 index ac5ce31..0000000 --- a/github_secret_scanner_test.py +++ /dev/null 
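Review bot: Narrowing `severity` to `CRITICAL` removes HIGH findings from the SARIF that reaches the Security tab as well as from the gate, because Trivy applies one severity filter to both; if the aim is to block only on CRITICAL but still see HIGH, keep `severity: 'CRITICAL,HIGH'` on this reporting step and add a second Trivy step with `severity: 'CRITICAL'` and `exit-code: '1'` to act as the gate. As of this commit the step still carries `continue-on-error: true` from an earlier commit in this series (outside this hunk), so no severity currently blocks a merge, which contradicts the README's "Critical vulnerabilities will block merge".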
@@ -1,12 +0,0 @@ -def leak_secrets(): - test_discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ' - test_aws_token = 'AKIA1J8DE8JRS2LD02CX' - test_aws_secret = 'RoH9JavihQrzGWLnzEQtc7oOfieQua0wJKJ/pR7q' - return fake_aws_secret, fake_discord_client_secret - -def main() - print(leak_secrets) - return - -if __name__ == '__main__': - main() \ No newline at end of file From 74bbc72bec5e8213aa6dccb7685baf768e0a79c1 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Fri, 16 Jan 2026 03:41:53 +0000 Subject: [PATCH 58/65] refactor --- .github/workflows/sandbox-build-push.yml | 2 +- nci_environment/build_environment_module.py | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/sandbox-build-push.yml b/.github/workflows/sandbox-build-push.yml index 152349e..03e6453 100644 --- a/.github/workflows/sandbox-build-push.yml +++ b/.github/workflows/sandbox-build-push.yml @@ -2,7 +2,7 @@ name: Sandbox build and push latest on: workflow_run: - workflows: ["docker checker"] + workflows: ["scan docker image"] branches: [develop] types: - completed diff --git a/nci_environment/build_environment_module.py b/nci_environment/build_environment_module.py index 6304d57..98750fe 100755 --- a/nci_environment/build_environment_module.py +++ b/nci_environment/build_environment_module.py @@ -44,7 +44,6 @@ import yaml - MODULE_DIR = "/g/data/v10/public/modules" LOG_NAME = "build_dea_module.log" From ad5c5b483e6fb2db896906d85fd2e301711568fc Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Fri, 16 Jan 2026 03:52:44 +0000 Subject: [PATCH 59/65] fixed reference to scan-image.yml, docs --- .github/workflows/scan-image.yml | 4 ++-- README.md | 15 ++++----------- 2 files changed, 6 insertions(+), 13 deletions(-) diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml index eb0f684..3d92b3d 100644 --- a/.github/workflows/scan-image.yml +++ b/.github/workflows/scan-image.yml 
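Review bot: `workflow_run` with `types: [completed]` fires when "scan docker image" finishes with any conclusion, so unless the `sandbox-build-push` job is guarded with `if: ${{ github.event.workflow_run.conclusion == 'success' }}` — the job definition is outside this hunk, so this needs checking — a failed or skipped scan still builds and pushes `latest`. The match is on the workflow's `name:` string, which is what broke here and will break again on the next rename; a comment next to the `workflows:` line pointing at `scan-image.yml` would make that dependency visible.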
@@ -6,11 +6,11 @@ on: branches: - develop paths: - - '.github/workflows/dive.yml' + - '.github/workflows/scan-image.yml' - 'docker/**' push: paths: - - '.github/workflows/dive.yml' + - '.github/workflows/scan-image.yml' - 'docker/**' env: diff --git a/README.md b/README.md index 38f62ec..ee2bd98 100644 --- a/README.md +++ b/README.md @@ -111,18 +111,11 @@ will be mounted at `/home/jovyan`/ - Vulnerability scan on image build - Trivy runs on push if there was any change to docker - Critical vulnerabilities will block merge - - Fix it or reach out to DaS + - If the critical vulnerability is difficult to remediate, reach out to DaS - Leaks on Commit - - GitLeaks license in repo secrets - GitLeaks will alert you if your commit diff contains secrets - Secrets in commit will block merge - Static Leak Alerts - - GitHub native secret scanning enabled -- Python security suggestions - - Bandit running on pull request - - These alerts can be found in the Code Scanning tab - - Please have a look and consider any suggestions made -- Linting - - Python Lint - - Ruff runs on push - - Docker Lint \ No newline at end of file + - EDD conducts intermittent secret scans across the GA codebase +- Python linting and security suggestions + - Any change pushed to a .py file will trigger the Python Lint workflow \ No newline at end of file From 3e8f0aa1f7a34e23debb02f681e0472ea5600b60 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Fri, 16 Jan 2026 03:57:28 +0000 Subject: [PATCH 60/65] turned off scan-image for draft PR --- .github/workflows/scan-image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml index 3d92b3d..9d66183 100644 --- a/.github/workflows/scan-image.yml +++ b/.github/workflows/scan-image.yml @@ -1,6 +1,7 @@ --- name: scan docker image +if: github.event.pull_request.draft == false on: pull_request: branches: From 1808143712f3d32602f5e520abe55d65fa516475 Mon Sep 17 00:00:00 2001 
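Review bot: `if:` is not a valid key at the top level of a workflow file — GitHub Actions only evaluates `if` on jobs and steps — so this line either fails workflow validation or is ignored, and in neither case does it skip draft PRs. The gate belongs under the job, e.g. `jobs.dive.if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.draft }}`, which also keeps `push` runs working. The same line is added to `integration-test.yml` in the next commit and both are reverted two commits later; if skipping drafts is still wanted, that job-level form is the way to do it.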
From: Xavier Gonzalez Date: Fri, 16 Jan 2026 03:58:03 +0000 Subject: [PATCH 61/65] turned off integration-test for draft PR --- .github/workflows/integration-test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml index bea558f..f3ea16f 100644 --- a/.github/workflows/integration-test.yml +++ b/.github/workflows/integration-test.yml @@ -1,6 +1,7 @@ --- name: Integration Test +if: github.event.pull_request.draft == false on: pull_request: branches: From 5e4d74c4384e8d3e6c867c0aaf54873961075ba3 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Fri, 16 Jan 2026 04:00:52 +0000 Subject: [PATCH 62/65] reverted change --- .github/workflows/integration-test.yml | 1 - .github/workflows/scan-image.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml index f3ea16f..bea558f 100644 --- a/.github/workflows/integration-test.yml +++ b/.github/workflows/integration-test.yml @@ -1,7 +1,6 @@ --- name: Integration Test -if: github.event.pull_request.draft == false on: pull_request: branches: diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml index 9d66183..3d92b3d 100644 --- a/.github/workflows/scan-image.yml +++ b/.github/workflows/scan-image.yml @@ -1,7 +1,6 @@ --- name: scan docker image -if: github.event.pull_request.draft == false on: pull_request: branches: From 6226695aa1cf4c8c59eeb966f4edda244ba11ffb Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Fri, 16 Jan 2026 04:12:16 +0000 Subject: [PATCH 63/65] only trigger python lint on PR with .py change --- .github/workflows/python-lint.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/python-lint.yml b/.github/workflows/python-lint.yml index 6e52f9a..2f5479e 100644 --- a/.github/workflows/python-lint.yml +++ b/.github/workflows/python-lint.yml 
@@ -1,6 +1,8 @@ name: Python Lint on: pull_request: + paths: + - '**.py' workflow_dispatch: push: paths: From 9955b8bb08f35b404db66d972076d661f0bf0b44 Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Fri, 16 Jan 2026 04:21:05 +0000 Subject: [PATCH 64/65] set gitleaks fetch depth to 1. It will NOT scan commit history --- .github/workflows/gitleaks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index 995ec63..11f5c94 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml @@ -11,7 +11,7 @@ jobs: steps: - uses: actions/checkout@v4 with: - fetch-depth: 0 + fetch-depth: 1 - uses: gitleaks/gitleaks-action@v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 46bfea06b193074d5f1003899666ab87a72202ac Mon Sep 17 00:00:00 2001 From: Xavier Gonzalez Date: Fri, 16 Jan 2026 04:24:19 +0000 Subject: [PATCH 65/65] ignored fake secrets with gitleaks config --- .github/workflows/gitleaks.yml | 2 +- .gitleaks.toml | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 .gitleaks.toml diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index 11f5c94..995ec63 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml @@ -11,7 +11,7 @@ jobs: steps: - uses: actions/checkout@v4 with: - fetch-depth: 1 + fetch-depth: 0 - uses: gitleaks/gitleaks-action@v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.gitleaks.toml b/.gitleaks.toml new file mode 100644 index 0000000..c38fc7d --- /dev/null +++ b/.gitleaks.toml @@ -0,0 +1,7 @@ +[allowlist] +description = "Allow fake secrets used for testing" + +regexes = [ + "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ", + "AKIAI234567890123456", +] \ No newline at end of file
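Review bot: A repository `.gitleaks.toml` replaces the built-in configuration rather than extending it unless it says so, so a file containing only an `[allowlist]` and no `[extend]` section is likely to leave gitleaks with no detection rules at all — every scan passes, the opposite of the intent. Add `[extend]` / `useDefault = true` above the allowlist and re-test with one of the fixture values to confirm it still fires. The two entries also cover only the first fixture pair; `AKIA1J8DE8JRS2LD02CX`, `ASIA1J8DE8JRS2LD02CX` and their 40-character secrets from later commits are not listed, and `regexes` are matched as regular expressions, so it is safer to allowlist the fixture file by `paths` (or drop the allowlist entirely now that the file is deleted) than to enumerate literal secret values in a tracked config.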