-
Notifications
You must be signed in to change notification settings - Fork 13.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: security ci to check vulnerability in superset added for superset #24491
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@villebro have you guys checked ? |
It seems this PR slipped off our collective radar. It's still an interesting idea, but seems to have failed CI because of the added test itself. Maybe we can set some stuff to warn instead of error, or clean up the errors to get it through? In any case, I'm closing and reopening to reboot CI, since the logs have vanished. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we use something like this reusable action to simplify things? -> https://github.com/PyCQA/bandit-action
Also I think those checks are not deterministic, meaning as security report roll in, it can break master
and unrelated/open PRs semi-randomly which has pros/cons.
My personal vote would be to trigger:
- on PRs that touch dependencies (package-lock or requirements/)
- maybe on a nightly or weekly schedule - though we'd need to raise an alert, ideally would email to
[email protected]
or similar
Hi, @rusackas thanks for looking at it. |
So say if I open a super simple PR fixing a typo, it shouldn't be held back because a vulnerability was found in some package that's completely unrelated to my PR. If we run bandit on every PR it means all of the open PRs (say all 300+ of them open right now) would start failing CI for things totally out of scope/knowledge for all these contributors. Also, once it's fixed in master by some PR, all other 300+ PRs now need to be rebased to pass the checks. I also don't think we want That's why I'm suggesting a workflow on a schedule (say @daily, which is supported by GHA) that notifies committers through email ([email protected]), but doesn't break ongoing unrelated to PRs or the builds on |
@mistercrunch agreed with it, a scheduled workflow is fine. I will do these changes
|
Yes exactly! Here's an example of using Given bandit is python-only, I think the path you want to add is |
SUMMARY
Security ci contains the following modules which detect the vulnerabilities
-> Bandit
-> PIP Audit
-> safety
BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
TESTING INSTRUCTIONS
ADDITIONAL INFORMATION