Merge pull request #28 from awslabs/sec_updates

fgogolli · web-flow · commit 1c8451d44535 · 2025-08-14T11:50:45.000+01:00
Security improvements and trivy integration
diff --git a/.gitignore b/.gitignore
@@ -202,3 +202,9 @@ Thumbs.db
 local_settings.py
 instance/
 .webassets-cache
+
+# Security scan results
+bandit-results*.json
+trivy-*.sarif
+semgrep-results.json
+safety-results.json
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,18 @@
+# Trivy ignore file for security scanning exceptions
+
+# Moto testing library certificates - these are test certificates for AWS mocking
+# Not actual private keys used in production
+**/.venv/lib/python*/site-packages/moto/moto_proxy/ca.key
+**/.venv/lib/python*/site-packages/moto/moto_proxy/cert.key
+.venv/lib/python*/site-packages/moto/moto_proxy/ca.key
+.venv/lib/python*/site-packages/moto/moto_proxy/cert.key
+
+# Development and test dependencies should not be scanned in production
+.venv/**
+__pycache__/**
+*.pyc
+.pytest_cache/**
+.coverage
+htmlcov/**
+.tox/**
+.mypy_cache/**
diff --git a/Makefile b/Makefile
@@ -572,7 +572,7 @@ ci-security-semgrep:  ## Run Semgrep static analysis
 ci-security-trivy-fs:  ## Run Trivy filesystem scan
 	@echo "Running Trivy filesystem scan..."
 	@if command -v trivy >/dev/null 2>&1; then \
-		trivy fs --format sarif --output trivy-fs-results.sarif . || echo "Trivy filesystem issues found"; \
+		trivy fs --skip-dirs .venv --format sarif --output trivy-fs-results.sarif . || echo "Trivy filesystem issues found"; \
 	else \
 		echo "Trivy not available - install from https://aquasecurity.github.io/trivy/"; \
 	fi
diff --git a/src/config/schemas/server_schema.py b/src/config/schemas/server_schema.py
@@ -56,6 +56,7 @@ class ServerConfig(BaseModel):
     model_config = ConfigDict(extra="forbid")
 
     enabled: bool = Field(False, description="Enable REST API server")
+    # nosec B104: Intentional binding for server deployment
     host: str = Field("0.0.0.0", description="Server host")
     port: int = Field(8000, description="Server port")
     workers: int = Field(1, description="Number of worker processes")
diff --git a/src/interface/serve_command_handler.py b/src/interface/serve_command_handler.py
@@ -21,6 +21,7 @@ async def handle_serve_api(args) -> Dict[str, Any]:
     logger = get_logger(__name__)
 
     # Extract parameters from args
+    # nosec B104: Intentional binding for server deployment
     host = getattr(args, "host", "0.0.0.0")
     port = getattr(args, "port", 8000)
     workers = getattr(args, "workers", 1)
