Linting and Security Scans

.github/workflows/gitleaks.yml

@@ -0,0 +1,18 @@
+name: gitleaks
+on:
+  pull_request:
+  workflow_dispatch:
+  push:
+
+jobs:
+  scan:
+    name: gitleaks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

.github/workflows/python-lint.yml

@@ -0,0 +1,27 @@
+name: Python Lint
+on:
+  pull_request:
+    paths:
+    - '**.py'
+  workflow_dispatch:
+  push:
+    paths:
+      - '**.py'
+
+jobs:
+  ruff:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - run: pip install ruff
+      - run: ruff check --output-format=github .
+
+  bandit:
+    runs-on: ubuntu-latest
+    steps:
+        - name: Perform Bandit Analysis
+          uses: PyCQA/bandit-action@v1
+

.github/workflows/sandbox-build-push.yml

@@ -2,7 +2,7 @@ name: Sandbox build and push latest
 
 on:
   workflow_run:
-    workflows: ["docker checker"]
+    workflows: ["scan docker image"]
     branches: [develop]
     types:
       - completed

.github/workflows/dive.yml → .github/workflows/scan-image.yml

@@ -1,17 +1,16 @@
 ---
-name: docker checker
+name: scan docker image
 
 on:
   pull_request:
     branches:
       - develop
     paths:
-      - '.github/workflows/dive.yml'
+      - '.github/workflows/scan-image.yml'
       - 'docker/**'
-
   push:
     paths:
-      - '.github/workflows/dive.yml'
+      - '.github/workflows/scan-image.yml'
       - 'docker/**'
 
 env:
@@ -23,7 +22,7 @@ env:
 jobs:
   dive:
     runs-on: ubuntu-latest
-    name: Analyze image efficiency
+    name: Build and Scan image
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -44,6 +43,25 @@ jobs:
         run: |
           docker build -t ${ORG}/${IMAGE}:_build ./docker/
 
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.33.1
+        continue-on-error: true
+        with:
+          image-ref: '${{ env.ORG }}/${{ env.IMAGE }}:_build'
+          format: 'sarif'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL'
+          scanners: 'vuln'
+          timeout: '15m0s'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: 'trivy-results.sarif'
+
       - name: Free disk space
         run: |
           sudo rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc /usr/local/share/boost "$AGENT_TOOLSDIRECTORY" || true

.gitleaks.toml

@@ -0,0 +1,7 @@
+[allowlist]
+description = "Allow fake secrets used for testing"
+
+regexes = [
+  "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ",
+  "AKIAI234567890123456",
+]

README.md

@@ -106,3 +106,16 @@ the `docker-compose.override.yml` file, which provides a postgres container.
 
 Any files in the `./notebooks` folder will be mounted in the user's home folder. That is to say that `./notebooks`
 will be mounted at `/home/jovyan`/
+
+## CI and Security
+- Vulnerability scan on image build
+    - Trivy runs on push if there was any change to docker
+    - Critical vulnerabilities will block merge
+    - If the critical vulnerability is difficult to remediate, reach out to DaS
+- Leaks on Commit
+    - GitLeaks will alert you if your commit diff contains secrets
+    - Secrets in commit will block merge
+- Static Leak Alerts
+    - EDD conducts intermittent secret scans across the GA codebase
+- Python linting and security suggestions
+    - Any change pushed to a .py file will trigger the Python Lint workflow

docker/README.md

@@ -25,4 +25,4 @@ When time comes to make a bigger change or update some binary packages, remember
 to move packages listed in `Dockerfile` into `requirements.txt`.
 
 At the end of compiling solve any incompatibility output from `pip check` by adding the version
-in `constraints-odc.txt`.
+in `constraints-odc.txt`.