security: add bandit + semgrep scans and OpenSSF badge-ready policy docs#7
Merged
- bandit runs in pre-commit at medium+ severity; `-ll` hides stylistic low-severity findings while still blocking on real risks.
- semgrep runs in a new CI job with `p/python`, `p/security-audit`, and `p/owasp-top-ten` rule packs.
- Single false-positive urlopen finding in updater.py (URL is a hardcoded https constant) suppressed inline with a justification comment.
- CI workflow declares least-privilege `contents: read`, resolving five CodeQL "workflow missing permissions" alerts.
- Adds SECURITY.md (private reporting via GitHub Security Advisories, 14-day response commitment, explicit in/out-of-scope), CONTRIBUTING.md (contribution, testing, and code-style policy), and CHANGELOG.md.
- README cross-links the new policy docs, fixes a missing code-block language tag, and is rewrapped at 80 chars for cleaner diffs.
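As an added example (not the PR's own files), here is what the two pieces of configuration described above look like when wired together: a GitHub Actions workflow that pins the token to `contents: read` and runs semgrep with the three named rule packs, followed by the pre-commit hook that runs bandit at `-ll`. File paths, the `main` branch name, and the pinned versions are assumptions.

```yaml
# --- .github/workflows/semgrep.yml (assumed path) ---
name: semgrep

on:
  pull_request:
  push:
    branches: [main]   # assumed default branch

# Least-privilege token: this job only needs to read repository contents.
# Leaving the block out gives the job the repository's default token scopes,
# which is what the CodeQL "workflow missing permissions" alert reports.
permissions:
  contents: read

jobs:
  semgrep:
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep   # official image with the semgrep CLI preinstalled
    steps:
      - uses: actions/checkout@v4   # assumed version tag
      # --config is repeatable; --error exits non-zero on any finding so the
      # job blocks the merge instead of only printing a report.
      - run: >
          semgrep scan
          --config p/python
          --config p/security-audit
          --config p/owasp-top-ten
          --error

---
# --- .pre-commit-config.yaml (assumed path) ---
repos:
  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.9   # assumed; pin to the release you have audited
    hooks:
      - id: bandit
        # -ll = report only MEDIUM and HIGH severity (one -l per level), so
        # low-severity stylistic findings stay out of the commit gate.
        args: ["-ll"]
```

Both documents are shown in one fence separated by `---`; they belong in the two separate files named in the comments.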