Merge pull request #31 from awslabs/fix/container-security-and-linting

fix: improve container build reliability and security workflow

Author: fgogolli

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -16,7 +16,7 @@ body:
     attributes:
       label: Version
       description: What version of the plugin are you running?
-      placeholder: e.g., 1.0.0
+      placeholder: e.g., 0.1.0
     validations:
       required: true
 
@@ -26,10 +26,11 @@ body:
       label: Python Version
       description: What version of Python are you using?
       options:
-        - Python 3.8
         - Python 3.9
         - Python 3.10
         - Python 3.11
+        - Python 3.12
+        - Python 3.13
         - Other (specify in environment details)
     validations:
       required: true

.github/workflows/container.yml

@@ -220,6 +220,10 @@ jobs:
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
 
+    - name: Build package wheel
+      run: |
+        make build
+
     - name: Build container using dev-tools script
       env:
         REGISTRY: ${{ needs.get-config.outputs.container-registry }}
@@ -229,6 +233,7 @@ jobs:
         PLATFORMS: linux/amd64,linux/arm64
         PUSH: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.event_name == 'release' || github.event.inputs.push_images == 'true') }}
         CACHE: true
+        SKIP_BUILD: true
       run: |
         make container-build-single PYTHON_VERSION=${{ matrix.python-version }}
 
@@ -257,7 +262,6 @@ jobs:
 
         # Stop test container
         docker stop test-container
-      continue-on-error: true
 
   container-manifest:
     name: Create Multi-Architecture Manifests

.github/workflows/security.yml

@@ -149,7 +149,6 @@ jobs:
 
     - name: Run Bandit security scan
       run: make ci-security-bandit
-      continue-on-error: true
 
   security-safety:
     name: Safety (Dependency Scan)
@@ -183,7 +182,6 @@ jobs:
 
     - name: Run Safety dependency scan
       run: make ci-security-safety
-      continue-on-error: true
   security-hadolint:
     name: Hadolint (Dockerfile Scan)
     runs-on: ubuntu-latest

.gitignore

@@ -12,12 +12,22 @@ requirements-dev.txt
 work/
 
 # Security and analysis reports
+*.sarif
+*-results.sarif
+*-report.json
+*-report.sarif
 bandit-report.json
 bandit-report.sarif
 bandit-results.sarif
 hadolint-results.sarif
 trivy-results.json
 trivy-results.sarif
+semgrep.sarif
+semgrep-results.sarif
+safety-report.*
+codeql-results/
+security-reports/
+vulnerability-reports/
 safety-report.json
 security-report.json
 security-report.md

.pre-commit-config.yaml

@@ -59,7 +59,6 @@ repos:
         files: \.(py)$
         pass_filenames: false
         description: "Run bandit security analysis"
-        warning_only: true  # Allow this to fail without blocking commit
 
       - id: safety
         name: safety (Dependency Security)
@@ -68,7 +67,6 @@ repos:
         files: requirements.*\.txt$|pyproject\.toml$
         pass_filenames: false
         description: "Check dependencies for known security vulnerabilities"
-        warning_only: true  # Allow this to fail without blocking commit
 
       - id: hadolint
         name: hadolint (Dockerfile Linting)

Makefile

@@ -60,9 +60,9 @@ DOCS_DIR := docs
 DOCS_BUILD_DIR := $(DOCS_DIR)/site
 
 # Centralized tool execution function
-# Usage: $(call run-tool,tool-name,arguments)
+# Usage: $(call run-tool,tool-name,arguments[,working-dir])
 define run-tool
-	@dev-tools/scripts/run_tool.sh $(1) $(2)
+	$(if $(3),cd $(3) && ../dev-tools/scripts/run_tool.sh $(1) $(2),@dev-tools/scripts/run_tool.sh $(1) $(2))
 endef
 
 help:  ## Show this help message
@@ -476,7 +476,7 @@ ci-quality-flake8:  ## Run flake8 style guide check
 
 ci-quality-mypy:  ## Run mypy type checking
 	@echo "Running mypy type check..."
-	$(call run-tool,mypy,$(PACKAGE) $(TESTS))
+	$(call run-tool,mypy,.,$(PACKAGE))
 
 ci-quality-pylint:  ## Run pylint code analysis
 	@echo "Running pylint analysis..."

dev-tools/scripts/container_build.sh

@@ -33,6 +33,7 @@ VCS_REF=$(git rev-parse --short HEAD 2>/dev/null || echo 'unknown')
 # Python version support (from Makefile environment variables)
 PYTHON_VERSION="${PYTHON_VERSION:-$(make -s print-DEFAULT_PYTHON_VERSION 2>/dev/null || echo '3.13')}"  # Dynamic from Makefile with fallback
 MULTI_PYTHON="${MULTI_PYTHON:-false}"     # Flag for multi-Python builds
+SKIP_BUILD="${SKIP_BUILD:-false}"          # Flag to skip package building
 
 # Build arguments
 PLATFORMS="${PLATFORMS:-linux/amd64,linux/arm64}"
@@ -100,8 +101,14 @@ setup_builder() {
 build_image() {
     log_info "Building Docker image..."
 
-    # Build wheel first if it doesn't exist
-    if ! ls dist/*.whl 1> /dev/null 2>&1; then
+    # Build wheel first if it doesn't exist and not skipped
+    if [[ "${SKIP_BUILD}" == "true" ]]; then
+        log_info "Skipping package build (SKIP_BUILD=true)"
+        if ! ls dist/*.whl 1> /dev/null 2>&1; then
+            log_error "No wheel package found and SKIP_BUILD=true. Build package first."
+            exit 1
+        fi
+    elif ! ls dist/*.whl 1> /dev/null 2>&1; then
         log_info "Building wheel package..."
         make build || {
             log_error "Failed to build wheel package"
@@ -269,6 +276,7 @@ usage() {
     echo "  PLATFORMS           Target platforms"
     echo "  PUSH                Push to registry (true/false)"
     echo "  CACHE               Use build cache (true/false)"
+    echo "  SKIP_BUILD          Skip package building (true/false)"
     echo ""
     echo "Examples:"
     echo "  $0                                    # Build local image"

dev-tools/scripts/run_tool.sh

@@ -11,33 +11,28 @@ shift  # Remove tool name from arguments
 setup_environment() {
     # UV-first approach (fastest and most reliable)
     if command -v uv >/dev/null 2>&1; then
-        # Check if we're in a UV project
-        if [ -f "pyproject.toml" ] || [ -f "uv.lock" ]; then
-            echo "Using UV-managed environment..."
-            return 0
-        fi
-    fi
-
-    # Fallback to .venv if it exists
-    if [ -f ".venv/bin/activate" ]; then
-        echo "Using existing .venv environment..."
-        # shellcheck disable=SC1091
-        source .venv/bin/activate
-        return 0
+        # Check if we're in a UV project (current dir or parent dirs)
+        current_dir="$PWD"
+        while [ "$current_dir" != "/" ]; do
+            if [ -f "$current_dir/pyproject.toml" ] || [ -f "$current_dir/uv.lock" ]; then
+                echo "Using UV-managed environment..."
+                return 0
+            fi
+            current_dir=$(dirname "$current_dir")
+        done
     fi
 
-    # Create venv if none exists and we're in a project directory
-    if [ -f "pyproject.toml" ] && [ ! -d ".venv" ]; then
-        echo "Creating virtual environment..."
-        if command -v uv >/dev/null 2>&1; then
-            uv venv
-        else
-            python3 -m venv .venv
+    # Fallback to .venv if it exists (check parent dirs too)
+    current_dir="$PWD"
+    while [ "$current_dir" != "/" ]; do
+        if [ -f "$current_dir/.venv/bin/activate" ]; then
+            echo "Using existing .venv environment..."
             # shellcheck disable=SC1091
-            source .venv/bin/activate
+            source "$current_dir/.venv/bin/activate"
+            return 0
         fi
-        return 0
-    fi
+        current_dir=$(dirname "$current_dir")
+    done
 
     # Use system environment as last resort
     echo "Using system environment..."
@@ -48,10 +43,45 @@ run_tool() {
 
     echo "Running ${TOOL_NAME}..."
 
+    # Find project root for UV
+    project_root="$PWD"
+    while [ "$project_root" != "/" ]; do
+        if [ -f "$project_root/pyproject.toml" ] || [ -f "$project_root/uv.lock" ]; then
+            break
+        fi
+        project_root=$(dirname "$project_root")
+    done
+
     # Try different execution methods in order of preference
-    if command -v uv >/dev/null 2>&1 && { [ -f "pyproject.toml" ] || [ -f "uv.lock" ]; }; then
+    if command -v uv >/dev/null 2>&1 && [ -f "$project_root/pyproject.toml" ]; then
         echo "Executing with UV..."
-        uv run "${TOOL_NAME}" "$@"
+        # If we're in a subdirectory of the project, adjust paths for UV
+        if [ "$PWD" != "$project_root" ]; then
+            # We're in a subdirectory (like src/), need to adjust paths
+            adjusted_args=""
+            for arg in "$@"; do
+                case "$arg" in
+                    .*)
+                        # Relative path - adjust it relative to project root
+                        rel_to_root=$(realpath --relative-to="$project_root" "$PWD/$arg" 2>/dev/null || python3 -c "import os; print(os.path.relpath(os.path.join('$PWD', '$arg'), '$project_root'))")
+                        adjusted_args="$adjusted_args $rel_to_root"
+                        ;;
+                    *)
+                        # Other arguments - keep as is
+                        adjusted_args="$adjusted_args $arg"
+                        ;;
+                esac
+            done
+            if [ -n "$adjusted_args" ]; then
+                # shellcheck disable=SC2086
+                (cd "$project_root" && uv run "${TOOL_NAME}" $adjusted_args)
+            else
+                (cd "$project_root" && uv run "${TOOL_NAME}")
+            fi
+        else
+            # We're in project root
+            uv run "${TOOL_NAME}" "$@"
+        fi
     elif [ -f ".venv/bin/${TOOL_NAME}" ]; then
         echo "Executing with venv..."
         .venv/bin/"${TOOL_NAME}" "$@"
@@ -60,7 +90,33 @@ run_tool() {
         "${TOOL_NAME}" "$@"
     else
         echo "Executing as Python module..."
-        python3 -m "${TOOL_NAME}" "$@"
+        if command -v uv >/dev/null 2>&1 && [ -f "$project_root/pyproject.toml" ]; then
+            # Same path adjustment for python -m
+            if [ "$PWD" != "$project_root" ]; then
+                adjusted_args=""
+                for arg in "$@"; do
+                    case "$arg" in
+                        .*)
+                            rel_to_root=$(realpath --relative-to="$project_root" "$PWD/$arg" 2>/dev/null || python3 -c "import os; print(os.path.relpath(os.path.join('$PWD', '$arg'), '$project_root'))")
+                            adjusted_args="$adjusted_args $rel_to_root"
+                            ;;
+                        *)
+                            adjusted_args="$adjusted_args $arg"
+                            ;;
+                    esac
+                done
+            if [ -n "$adjusted_args" ]; then
+                # shellcheck disable=SC2086
+                (cd "$project_root" && uv run python -m "${TOOL_NAME}" $adjusted_args)
+            else
+                (cd "$project_root" && uv run python -m "${TOOL_NAME}")
+            fi
+            else
+                uv run python -m "${TOOL_NAME}" "$@"
+            fi
+        else
+            python3 -m "${TOOL_NAME}" "$@"
+        fi
     fi
 }
 

dev-tools/security/detect_secrets.py

@@ -57,7 +57,9 @@ def detect_secrets(source_dir: str = "src") -> bool:
         logger.error("Potential hardcoded secrets found:")
         for secret in found_secrets:
             # Security: Don't log the actual secret content, only the location
-            logger.error(f"  Secret detected at: {secret.split(':')[0] if ':' in secret else 'unknown location'}")
+            logger.error(
+                f"  Secret detected at: {secret.split(':')[0] if ':' in secret else 'unknown location'}"
+            )
         return False
     else:
         logger.info("No hardcoded secrets detected")

mypy.ini

@@ -4,6 +4,12 @@ python_version = 3.11
 warn_return_any = True
 warn_unused_configs = True
 
+# Pydantic plugin
+plugins = pydantic.mypy
+
+# Exclude installed packages to avoid module conflicts
+exclude = ^(\.venv/|build/|dist/|\.eggs/|.*\.egg-info/|docs/|memory-bank/)
+
 # Type checking strictness
 disallow_untyped_defs = True
 disallow_incomplete_defs = True
@@ -33,6 +39,7 @@ error_summary = True
 ignore_missing_imports = False
 follow_imports = normal
 follow_imports_for_stubs = True
+explicit_package_bases = True
 
 # Disallow dynamic typing
 disallow_any_unimported = True