sandialabs
diff --git a/‎.bandit‎
Lines changed: 19 additions & 0 deletions b/‎.bandit‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎.dockerignore‎
Lines changed: 82 additions & 0 deletions b/‎.dockerignore‎
Lines changed: 82 additions & 0 deletions
diff --git a/‎.github/CICD.md‎
Lines changed: 144 additions & 0 deletions b/‎.github/CICD.md‎
Lines changed: 144 additions & 0 deletions
diff --git a/‎.github/SECURITY.md‎
Lines changed: 55 additions & 0 deletions b/‎.github/SECURITY.md‎
Lines changed: 55 additions & 0 deletions
diff --git a/‎.github/dependabot.yml‎
Lines changed: 46 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 46 additions & 0 deletions
@@ -0,0 +1,19 @@
+[bandit]
+# Bandit configuration file
+exclude_dirs = [
+    "tests",
+    "build",
+    ".git"
+]
+
+# Skip these test IDs
+skips = [
+    # B101: Test for use of assert
+    "B101"
+]
+
+# Confidence levels: LOW, MEDIUM, HIGH
+confidence = "HIGH"
+
+# Severity levels: LOW, MEDIUM, HIGH  
+severity = "MEDIUM"
@@ -0,0 +1,82 @@
+# Version control
+.git
+.gitignore
+
+# Documentation
+*.md
+docs/
+
+# Development tools
+.vscode/
+.idea/
+
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# Testing
+.tox/
+.coverage
+.coverage.*
+.cache
+.pytest_cache/
+coverage.xml
+*.cover
+htmlcov/
+
+# Virtual environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
+Thumbs.db
+
+# Logs
+*.log
+
+# Security
+.bandit
+bandit-report.json
+safety-report.json
+trivy-results.sarif
+
+# CI/CD
+.github/
@@ -0,0 +1,144 @@
+# GitHub CI/CD Configuration
+
+This directory contains the GitHub Actions workflows and configuration for the TalkPipe project's automated CI/CD pipeline.
+
+## Files Overview
+
+### Workflows (`workflows/`)
+
+#### `ci-cd.yml` - Main CI/CD Pipeline
+Comprehensive pipeline that runs on:
+- Pushes to `main` and `develop` branches  
+- Pull requests to `main` and `develop`
+- GitHub releases
+
+**Pipeline Jobs:**
+1. **Test** - Multi-version Python testing (3.11, 3.12) with coverage
+2. **Security Scan** - SAST and dependency vulnerability scanning
+3. **Build Container** - Docker image build/push with container security scan
+4. **CodeQL Analysis** - GitHub's semantic code analysis
+5. **Publish Package** - Automated PyPI publishing on releases
+
+### Configuration Files
+
+- **`dependabot.yml`** - Automated dependency updates (weekly schedule)
+- **`SECURITY.md`** - Security policy and vulnerability reporting guidelines
+
+### Root Level Security Files
+
+- **`.bandit`** - Configuration for Bandit static security analysis
+- **`.dockerignore`** - Optimized Docker build context exclusions
+
+## Security Scanning
+
+The pipeline includes multiple layers of security scanning:
+
+- **Bandit** - Python static analysis security testing (SAST)
+- **Safety** - Python dependency vulnerability scanning  
+- **Trivy** - Container image vulnerability scanning
+- **CodeQL** - Semantic code analysis for security issues
+- **Dependabot** - Automated dependency update PRs
+
+## Container Registry
+
+Docker images are built and pushed to GitHub Container Registry:
+```
+ghcr.io/sandialabs/talkpipe:latest
+ghcr.io/sandialabs/talkpipe:<branch-name>
+ghcr.io/sandialabs/talkpipe:<version>
+```
+
+## Required Repository Secrets
+
+To enable full functionality, set these secrets in your GitHub repository settings (`Settings > Secrets and variables > Actions`):
+
+### Required for PyPI Publishing
+- **`PYPI_API_TOKEN`** - PyPI API token for automated package publishing
+  - Create at: https://pypi.org/manage/account/token/
+  - Scope: Entire account or specific to talkpipe project
+  - Used in: Package publishing job (triggered on releases)
+
+### Automatic Secrets (No Action Required)
+- **`GITHUB_TOKEN`** - Automatically provided by GitHub Actions
+  - Used for: Container registry authentication, uploading artifacts, CodeQL results
+
+## Setup Instructions
+
+1. **Enable GitHub Container Registry** (if not already enabled):
+   - Go to repository `Settings > General`
+   - Scroll to "Features" section
+   - Ensure "Packages" is enabled
+
+2. **Set PyPI Token**:
+   ```bash
+   # In repository Settings > Secrets and variables > Actions
+   # Add new repository secret:
+   Name: PYPI_API_TOKEN
+   Secret: pypi-your-token-here
+   ```
+
+3. **Configure Dependabot** (optional customization):
+   - Edit `.github/dependabot.yml` to adjust reviewers/assignees
+   - Default: weekly updates on Mondays at 9 AM UTC
+
+## Testing Locally
+
+Before pushing, you can test components locally:
+
+```bash
+# Run tests with coverage (matches CI)
+pytest --cov=src --cov-report=xml --cov-report=html
+
+# Run security scans
+bandit -r src/
+safety check
+
+# Build container (matches CI)
+docker build -t talkpipe:local .
+
+# Run container security scan
+docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
+  aquasec/trivy image talkpipe:local
+```
+
+## Workflow Triggers
+
+| Event | Trigger | Jobs Run |
+|-------|---------|----------|
+| Push to main/develop | Automatic | All jobs |
+| Pull Request | Automatic | All except publish |
+| Release published | Automatic | All jobs + PyPI publish |
+| Manual trigger | `workflow_dispatch` | All jobs |
+
+## Monitoring
+
+- **Test Results**: Visible in Actions tab and PR checks
+- **Coverage Reports**: Uploaded to Codecov (if configured)
+- **Security Issues**: Reported in Security tab (CodeQL, Trivy)
+- **Container Images**: Available in Packages tab
+
+## Troubleshooting
+
+**Common Issues:**
+
+1. **PyPI Publishing Fails**:
+   - Verify `PYPI_API_TOKEN` is set correctly
+   - Ensure token has sufficient permissions
+   - Check package version doesn't already exist
+
+2. **Container Build Fails**:
+   - Check Dockerfile syntax
+   - Verify base image availability
+   - Review build logs in Actions tab
+
+3. **Tests Fail**:
+   - Run tests locally first
+   - Check dependency compatibility
+   - Review test logs in Actions tab
+
+4. **Security Scans Fail**:
+   - Review Bandit/Safety reports
+   - Update vulnerable dependencies
+   - Add exclusions to `.bandit` if needed
+
+For additional help, check the Actions tab logs or create an issue in the repository.
@@ -0,0 +1,55 @@
+# Security Policy
+
+## Supported Versions
+
+We actively support security updates for the following versions:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| Latest  | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in TalkPipe, please report it responsibly:
+
+### Private Disclosure
+
+1. **DO NOT** create a public GitHub issue for security vulnerabilities
+2. Email security reports to: tlbauer@sandia.gov
+3. Include the following information:
+   - Description of the vulnerability
+   - Steps to reproduce the issue
+   - Potential impact
+   - Suggested fix (if available)
+
+### What to Expect
+
+- **Response Time**: We aim to acknowledge receipt within 2 business days
+- **Initial Assessment**: Initial security assessment within 5 business days
+- **Updates**: We will provide updates on our progress every 7 days until resolution
+- **Disclosure**: After the vulnerability is fixed, we will coordinate public disclosure
+
+### Security Best Practices
+
+When using TalkPipe:
+
+1. **Keep Dependencies Updated**: Regularly update TalkPipe and its dependencies
+2. **Secure Configuration**: Follow security best practices for API keys and configuration
+3. **Container Security**: When using Docker, ensure base images are up to date
+4. **Network Security**: Implement appropriate network security measures
+5. **Access Control**: Limit access to TalkPipe deployments to authorized users only
+
+### Security Features
+
+TalkPipe includes several security measures:
+
+- Dependency scanning via Safety and Bandit
+- Container vulnerability scanning with Trivy  
+- Static code analysis with CodeQL
+- Automated dependency updates via Dependabot
+- Non-root container execution
+- Input validation and sanitization
+
+### Acknowledgments
+
+We appreciate security researchers who responsibly disclose vulnerabilities. Contributors will be acknowledged (unless they prefer to remain anonymous) in our security advisories and release notes.
@@ -0,0 +1,46 @@
+version: 2
+updates:
+  # Enable version updates for Python dependencies
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    reviewers:
+      - "tlbauer"
+    assignees:
+      - "tlbauer2"
+    commit-message:
+      prefix: "deps"
+      include: "scope"
+    
+  # Enable version updates for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    reviewers:
+      - "tlbauer"
+    assignees:  
+      - "tlbauer"
+    commit-message:
+      prefix: "ci"
+      include: "scope"
+    
+  # Enable version updates for Docker
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday" 
+      time: "09:00"
+    reviewers:
+      - "tlbauer"
+    assignees:
+      - "tlbauer2"
+    commit-message:
+      prefix: "docker"
+      include: "scope"