chore: fix compliance gaps surfaced by automated-assessment#75
Merged
chore: fix compliance gaps surfaced by automated-assessment#75
Conversation
…late) Closes governance gaps surfaced by the automated-assessment run: - SECURITY.md: private vulnerability reporting (advisories + email) - CHANGELOG.md: Keep-a-Changelog format with an Unreleased bucket - .github/CODEOWNERS: default reviewer team per area - .github/PULL_REQUEST_TEMPLATE.md: summary/test-plan/checklist Covers: GH-3, GH-5, GW-05, GW-06, ER-44. Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
- codeql.yml: reuses existing .github/codeql/codeql-config.yml (security-extended + security-and-quality queries), weekly + per-PR. - scorecard.yml: weekly OpenSSF Scorecard analysis, publishes to scorecard.dev and uploads SARIF to the Security tab. - dependency-review.yml: blocks PRs that introduce vulnerable dependencies at moderate severity or above. All actions SHA-pinned. Covers: ER-19/20/21, GH-19. Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
Install locally with: uv run pre-commit install Hooks: - pre-commit-hooks v6.0.0: whitespace, EOL, YAML/JSON validity, large file guard, merge-conflict markers. - flake8 7.3.0 / isort 8.0.1 / black 26.3.1: Python lint and format. - shellcheck v0.11.0 (warning severity): shell script hygiene. Covers: GW-14. Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
agent-rules checkpoints require canonical headings for automated scanning. Rename/restructure to the canonical names and add the two missing sections: - 'Package management (uv)' → 'Setup' (AG-03) - 'Quick reference' → 'Commands (verified 2026-04-16)' (AG-04) - 'Project overview' → 'Architecture', with Project structure (AG-05) - New 'Development' section with hook install + branch/commit conventions (AG-06) - New 'Testing' section with focused pytest invocations (AG-07) - 'Last verified' footer (AG-18) Covers AG-03, AG-04, AG-05, AG-06, AG-07, AG-18. Content preserved; only structure changed. Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
- security.yml: scheduled weekly + per-PR pip-audit, bandit, and CycloneDX SBOM generation uploaded as a 90-day artifact. - .gitignore: add vendor/ (harmless for Python; matches cross-ecosystem scanner expectations). Covers: ER-01, ER-02, ER-03, GW-03. Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
Audit-mode egress monitoring on codeql, scorecard, and dependency-review workflows. Non-blocking; reports unexpected network calls. Covers: ER-27. Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request establishes project governance and CI/CD infrastructure by adding a changelog, security policy, code owners, and a PR template. It also introduces pre-commit hooks for linting and formatting and expands the documentation in AGENTS.md. Feedback suggests updating the pre-commit configuration to include the audit.py entry point in the flake8, isort, and black hooks, as it is currently excluded.
There was a problem hiding this comment.
Pull request overview
This PR addresses compliance gaps flagged by the repository’s automated assessment by adding governance documentation, tightening developer workflow hygiene, and introducing additional supply-chain/security GitHub Actions.
Changes:
- Add governance artifacts (SECURITY policy, changelog, CODEOWNERS, PR template) and update AGENTS/README for compliance structure and badges.
- Add new GitHub Actions workflows for CodeQL, OpenSSF Scorecard, dependency review, and a security workflow (pip-audit/bandit + CycloneDX SBOM).
- Introduce a pre-commit configuration and minor repository hygiene updates (e.g.,
vendor/in.gitignore).
Reviewed changes
Copilot reviewed 11 out of 12 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| SECURITY.md | Adds a security vulnerability reporting policy and scope. |
| README.md | Adds status/compliance badges for CI and security tooling. |
| CHANGELOG.md | Introduces a changelog to track notable changes. |
| AGENTS.md | Re-structures contributor instructions into canonical sections with a “Last verified” footer. |
| .pre-commit-config.yaml | Adds pre-commit hooks (formatting/linting/hygiene + shellcheck). |
| .gitignore | Ignores vendor/ for ad-hoc vendoring/checkouts. |
| .github/workflows/security.yml | Adds scheduled/on-push security audit and SBOM generation workflow. |
| .github/workflows/scorecard.yml | Adds OpenSSF Scorecard workflow publishing SARIF results. |
| .github/workflows/dependency-review.yml | Adds dependency review on PRs. |
| .github/workflows/codeql.yml | Adds CodeQL analysis workflow for Python. |
| .github/PULL_REQUEST_TEMPLATE.md | Adds a PR template with test plan and checklist. |
| .github/CODEOWNERS | Adds CODEOWNERS rules for default ownership. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
GitHub's default setup is already configured for this repo (query suite: extended), and it rejected uploads from the new advanced workflow with: CodeQL analyses from advanced configurations cannot be processed when the default setup is enabled. Drop the workflow, drop the README badge that would otherwise point at a missing file. CodeQL results remain visible in the Security tab. Fixes PR #75 CI failure. Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
Follow-up to the previous commit — the CodeQL workflow file was dropped, so its badge would 404. Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
Review feedback from Copilot on PR #75: - pip-audit previously ran against the bare runner environment, so it effectively audited nothing. Now uses uv: `uv sync --all-extras --dev --frozen` → `uv export > requirements.txt` → `pip-audit -r`. - SBOM job similarly needed the project installed before cyclonedx-py could enumerate real dependencies; now syncs first. - Dropped the unused `id-token: write` and `attestations: write` permissions on the SBOM job (not creating attestations). - bandit now runs with `-ll` (medium+ severity) and picks up a new `[tool.bandit]` skip list in pyproject.toml with per-ID justifications for B101/B310/B404/B603/B607. - Fixed two real B108 findings by replacing hardcoded '/tmp/...' paths with `tempfile.gettempdir()` in cli_audit/bulk.py and cli_audit/upgrade.py — the cleanup path now actually matches tempfile.mkdtemp's location on systems where TMPDIR is non-default. - One documented shell=True in detection.py (catalog-sourced shell pipelines, never user input) gets an explicit `# nosec B602`. Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
- dependency-review.yml: grant `pull-requests: write` so the `comment-summary-in-pr` step can post the summary (Copilot). - pre-commit hooks: include `audit.py` in the flake8/isort/black globs alongside cli_audit/ and tests/ (gemini-code-assist × 3). - CHANGELOG: badge list now reflects reality — CI, Codecov, OpenSSF Scorecard, License (no CodeQL badge; default setup handles it). Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
Contributor
Dependency ReviewThe following issues were found:
License Issues.github/workflows/security.yml
OpenSSF Scorecard
Scanned Files
|
Paired fix for the B108 tempfile.gettempdir() change in bulk.py — the existing assertion hardcoded '/tmp/rollback_', which fails on macOS where tempfile.gettempdir() resolves to /var/folders/.../T/. Fixes macOS CI failure on PR #75. Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
Review feedback — all five items addressed: - Deleted SECURITY.md: the org-level netresearch/.github/SECURITY.md already defines the private-reporting flow (no email address) and applies to every netresearch repo. A repo-level copy is redundant. - Deleted .github/CODEOWNERS: referenced @netresearch/coding-agents which is not a real team. None of the existing netresearch teams fit this repo, so leave CODEOWNERS out rather than invent one. - Deleted .github/workflows/scorecard.yml + its README badge: the project isn't registered at scorecard.dev; the workflow would produce results nobody consumes and the badge would 404. - Dropped the Codecov badge: ci.yml already runs codecov-action but uploads fail silently with 'Token required because branch is protected' (no CODECOV_TOKEN secret configured). Badge was misleading — remove until the secret is wired up. - Reusable workflows: checked netresearch/typo3-ci-workflows and netresearch/.github; both only ship TYPO3/Composer-specific workflows (composer-audit etc.). No Python reusable workflow exists yet, so the two remaining new workflows (security.yml, dependency-review.yml) stay as direct-action workflows — matching the existing ci.yml and release.yml pattern. Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
…sables Review feedback: use reusable workflows from netresearch/.github instead of direct action calls (matching the node / Go projects). - security.yml → calls the new python-audit.yml (netresearch/.github#19, pinned to @feat/python-audit-workflow until that PR merges). Same three jobs (pip-audit, bandit, sbom) but centrally maintained. - dependency-review.yml → calls netresearch/.github's reusable dependency-review.yml, with fail-on-severity: moderate. - auto-merge-deps.yml → calls netresearch/.github's reusable auto-merge-deps.yml. The org version is identical to what we had locally; deduplicated. Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
Codecov uploads were silently failing on main with "Token required because branch is protected" because the action was invoked without a token. The repo has CODECOV_TOKEN configured (same as the other netresearch projects) — just needed to pass it through. Also renamed the deprecated 'file' input to 'files' — v6 of the action ignores 'file' and emits a warning. Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
- CODEOWNERS: use real teams @netresearch/netresearch (catch-all + Python / scripts / CI owners) and @netresearch/typo3 (secondary reviewer, per org convention). - README: Codecov badge restored now that ci.yml actually uploads with CODECOV_TOKEN. Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
Welcome to Codecov 🎉Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests. Thanks for integrating Codecov - We've got you covered ☂️ |
CybotTM
added a commit
that referenced
this pull request
Apr 17, 2026
Follow-up to #75 — the reusable workflow [netresearch/.github#19][org-pr] has merged to main, so drop the temporary @feat/python-audit-workflow pin. [org-pr]: netresearch/.github#19 Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
2 tasks
CybotTM
added a commit
that referenced
this pull request
Apr 17, 2026
Follow-up to #75. The reusable `python-audit.yml` workflow [merged into netresearch/.github main](netresearch/.github#19), so drop the temporary `@feat/python-audit-workflow` pin. ## Test plan - [x] YAML valid (`python3 -c "import yaml; yaml.safe_load(...)"`) - [ ] On-push CI: `audit / pip-audit`, `audit / bandit`, `audit / CycloneDX SBOM` all resolve `python-audit.yml@main` at the merge commit and pass.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes the actionable gaps flagged by
/automated-assessmentacross theagent-rules,git-workflow,github-project, andenterprise-readinessskill checkpoints.Starting state: 28 pass / 59 fail (7 errors, 45 warnings).
After this PR: 66 pass / 31 fail (4 errors, 11 warnings, 16 info).
Remaining failures are all either checker false positives (script bugs — AG-13 double-escaped regex, GH-24/26 multi-line regex, GH-30/31 command-whitelist rejections), PHP-centric checks that don't apply to this Python project (ER-02
composer audit), external-registration dependent (ER-05 OpenSSF Best Practices badge), or info-level optional sections.What changed
139e9bfSECURITY.md,CHANGELOG.md,.github/CODEOWNERS,.github/PULL_REQUEST_TEMPLATE.md304ddddcodeql.yml(security-extended + security-and-quality),scorecard.yml,dependency-review.yml5c006ab.pre-commit-config.yaml: flake8, black, isort, shellcheck, hygiene hooks28654fae427278Last verifiedfootera593745security.yml(pip-audit + bandit + CycloneDX SBOM) +vendor/in.gitignorea616933step-security/harden-runnerin CodeQL, Scorecard, dependency-review workflows (audit mode)All GitHub Actions SHA-pinned. YAML + bash syntax validated. Full test suite: 546 passed.
Checkpoints covered
Errors: ER-22, GH-11, ER-01, ER-03, GH-19 (+2 false-positive multi-line regex errors remain: GH-24 / GH-26).
Warnings: GW-03, GW-05, GW-06, GW-14, GH-3, GH-5, GH-10, GH-12, ER-04, ER-19, ER-20, ER-21, ER-23, ER-27, ER-44, AG-03 through AG-07, AG-18.
Not in scope
composer audit) — false positives for a Python project.make install-awsfails — missing install_aws.sh script #30, bug:make install-kubectlfails — missing install_kubectl.sh script #31, ER-43) — the checkpoint runner's allowed-command whitelist is overly restrictive; re-check manually if needed.Commands (verified…)heading regex) — checker's YAML parser double-escapes backslashes, making the regex uncompilable. Unfixable content-side.Test plan
uv run pytest— 546 passed, 1 skippedpython3 -c "import yaml; yaml.safe_load(open(f))"on every new/modified workflow/automated-assessmentre-run: 66 pass / 31 fail (was 28/59)