diff --git a/.github/workflows/.reusable-docs.yml b/.github/workflows/.reusable-docs.yml
index 654aed2..7140f22 100644
--- a/.github/workflows/.reusable-docs.yml
+++ b/.github/workflows/.reusable-docs.yml
@@ -36,7 +36,7 @@ jobs:
 - name: Install poetry
 uses: snok/install-poetry@93ada01c735cc8a383ce0ce2ae205a21c415379b # v1.3.4
 with:
- version: 1.7.1
+ version: 1.8.3
 virtualenvs-create: false
 virtualenvs-in-project: false
 installer-parallel: true
diff --git a/.github/workflows/.reusable-sast.yml b/.github/workflows/.reusable-sast.yml
index 054f9c5..ef96a35 100644
--- a/.github/workflows/.reusable-sast.yml
+++ b/.github/workflows/.reusable-sast.yml
@@ -33,7 +33,7 @@ jobs:
 - name: Install poetry
 uses: snok/install-poetry@93ada01c735cc8a383ce0ce2ae205a21c415379b # v1.3.4
 with:
- version: 1.7.1
+ version: 1.8.3
 virtualenvs-create: false
 virtualenvs-in-project: false
 installer-parallel: true
@@ -68,7 +68,7 @@ jobs:
 - name: Install poetry
 uses: snok/install-poetry@93ada01c735cc8a383ce0ce2ae205a21c415379b # v1.3.4
 with:
- version: 1.7.1
+ version: 1.8.3
 virtualenvs-create: false
 virtualenvs-in-project: false
 installer-parallel: true
@@ -217,7 +217,7 @@ jobs:
 - name: Install poetry
 uses: snok/install-poetry@93ada01c735cc8a383ce0ce2ae205a21c415379b # v1.3.4
 with:
- version: 1.7.1
+ version: 1.8.3
 virtualenvs-create: false
 virtualenvs-in-project: false
 installer-parallel: true
diff --git a/.github/workflows/.reusable-unit-test.yml b/.github/workflows/.reusable-unit-test.yml
index 76d816c..bf37903 100644
--- a/.github/workflows/.reusable-unit-test.yml
+++ b/.github/workflows/.reusable-unit-test.yml
@@ -67,7 +67,7 @@ jobs:
 - name: Install poetry
 uses: snok/install-poetry@93ada01c735cc8a383ce0ce2ae205a21c415379b # v1.3.4
 with:
- version: 1.7.1
+ version: 1.8.3
 virtualenvs-create: false
 virtualenvs-in-project: false
 installer-parallel: true
@@ -96,7 +96,7 @@ jobs: - name: Install poetry uses: snok/install-poetry@93ada01c735cc8a383ce0ce2ae205a21c415379b # v1.3.4 with: - version: 1.7.1 + version: 1.8.3 virtualenvs-create: false virtualenvs-in-project: false installer-parallel: true diff --git a/README.md b/README.md index b537ca2..3f83e16 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,8 @@ -![](docs/assets/semgr8s-logo-full-dark.png#gh-dark-mode-only) -![](docs/assets/semgr8s-logo-full-light.png#gh-light-mode-only) -![](assets/semgr8s-logo-full-dark.png#gh-dark-mode-only) -![](assets/semgr8s-logo-full-light.png#gh-light-mode-only) + + + + Semgr8s logo +

Semgrep-based Policy controller for Kubernetes. @@ -9,18 +10,19 @@ Semgrep-based Policy controller for Kubernetes. Admission controller to use your well-known publicly available or custom Semgrep rules to validate k8s resources before deployment to the cluster. -:hammer_and_wrench: developed by ![](docs/assets/sse-logo-dark.svg#gh-dark-mode-only)![](docs/assets/sse-logo-light.svg#gh-light-mode-only)[![](assets/sse-logo-dark.svg#gh-dark-mode-only)![](assets/sse-logo-light.svg#gh-light-mode-only)](https://securesystems.de/) +:hammer_and_wrench: developed by Semgr8s logo -:zap: powered by ![](docs/assets/semgrep-logo-dark.svg#gh-dark-mode-only)![](docs/assets/semgrep-logo-light.svg#gh-light-mode-only)[![](assets/semgrep-logo-dark.svg#gh-dark-mode-only)![](assets/semgrep-logo-light.svg#gh-light-mode-only)](https://semgrep.dev) +:zap: powered by Semgr8s logo -> :warning: semgr8s is in a proof-of-concept state. Do not use in production. Breaking changes, service interruptions, and development flow adjustments are expected. +> :warning: Semgr8s is in a proof-of-concept state. Do not use in production. Breaking changes, service interruptions, and development flow adjustments are expected. + +### :point_right: More? Read the [docs](https://semgr8ns.github.io/semgr8s/latest/). ## Getting started Getting started to validate Kubernetes resources against Semgrep rules is only a matter of minutes: ![](docs/assets/semgr8s-demo.gif) -![](assets/semgr8s-demo.gif) ### Requirements 
@@ -28,9 +30,6 @@ Getting started to validate Kubernetes resources against Semgrep rules is only a - Kubernetes cluster for testing (e.g. [kind](https://kind.sigs.k8s.io/), [microk8s](https://microk8s.io/docs), or [minikube](https://minikube.sigs.k8s.io/docs/start/)) - [kubectl](https://kubernetes.io/docs/reference/kubectl/) - [Helm](https://helm.sh/) -- *(optional)* [yq v4.x](https://mikefarah.gitbook.io/yq/) -- *(optional)* [make](https://www.gnu.org/software/make/) (e.g. via [build-essential](https://packages.ubuntu.com/focal/build-essential)) -- *(optional)* [docker](https://docs.docker.com/get-docker/) ### Get Code @@ -72,7 +71,7 @@ helm install semgr8s charts/semgr8s --create-namespace --namespace semgr8ns ``` -You can check successful deployment of semgr8s via: +You can check successful deployment of Semgr8s via: ```bash kubectl get all -n semgr8ns @@ -95,7 +94,7 @@ kubectl get all -n semgr8ns ``` -Once all resources are in `READY` state, you have successfully installed semgr8s :rocket: +Once all resources are in `READY` state, you have successfully installed Semgr8s :rocket: ### Testing diff --git a/charts/semgr8s/Chart.yaml b/charts/semgr8s/Chart.yaml index 4df0d13..64e897c 100644 --- a/charts/semgr8s/Chart.yaml +++ b/charts/semgr8s/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: semgr8s description: Semgrep-based Policy Controller for Kubernetes type: application -version: "0.1.16" -appVersion: "0.1.16" +version: "0.1.17" +appVersion: "0.1.17" keywords: - kubernetes - admission controller diff --git a/docs/README.md b/docs/README.md deleted file mode 120000 index 32d46ee..0000000 --- a/docs/README.md +++ /dev/null @@ -1 +0,0 @@ -../README.md \ No newline at end of file diff --git a/docs/README.md b/docs/README.md new file mode 100644 index 0000000..6bf2437 --- /dev/null +++ b/docs/README.md 
@@ -0,0 +1,292 @@ +--- +glightbox-manual: true +--- + +![](assets/semgr8s-logo-full-dark.png#gh-dark-mode-only) +![](assets/semgr8s-logo-full-light.png#gh-light-mode-only) + +

+Semgrep-based Policy controller for Kubernetes. +

+Admission controller to use your well-known publicly available or custom Semgrep rules to validate k8s resources before deployment to the cluster. + +:hammer_and_wrench: developed by [![](assets/sse-logo-dark.svg#gh-dark-mode-only)![](assets/sse-logo-light.svg#gh-light-mode-only)](https://securesystems.de/) + +:zap: powered by [![](assets/semgrep-logo-dark.svg#gh-dark-mode-only)![](assets/semgrep-logo-light.svg#gh-light-mode-only)](https://semgrep.dev) + +> :warning: semgr8s is in a proof-of-concept state. Do not use in production. Breaking changes, service interruptions, and development flow adjustments are expected. + +## Quick start + +Getting started to validate Kubernetes resources against Semgrep rules is only a matter of minutes: + +![](assets/semgr8s-demo.gif){ .on-glb } + +### Requirements + +- [git](https://git-scm.com/) +- Kubernetes cluster for testing (e.g. [kind](https://kind.sigs.k8s.io/), [microk8s](https://microk8s.io/docs), or [minikube](https://minikube.sigs.k8s.io/docs/start/)) +- [kubectl](https://kubernetes.io/docs/reference/kubectl/) +- [Helm](https://helm.sh/) + +### Installation + +Installation files are contained within the source code repository: + +```bash +git clone https://github.com/semgr8ns/semgr8s.git +cd semgr8s +``` + +Semgr8s comes preconfigured with some basic rules. +However, configuration can be adjusted to your needs: + +- Central configuration is maintained in `charts/semgr8s/values.yaml`. +- Configuration aims to provide the most native integration of Semgrep's functionality into Kubernetes. Working knowledge of Kubernetes and the [Semgrep documentation](https://semgrep.dev/docs/) should be sufficient to understand the concepts and options being used here. +- [Remote Semgrep](https://registry.semgrep.dev/rule) rules, rulesets, [repository rules](https://github.com/returntocorp/semgrep-rules) are configured via `.application.remoteRules` in `charts/semgr8s/values.yaml`, e.g. 
set to `"r/yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation"` or `"p/kubernetes"`, or `"r/yaml.kubernetes"` respectively. +- [Custom Semgrep rules](https://semgrep.dev/docs/writing-rules/overview/) can placed in `charts/semgr8s/rules/` and will be auto-mounted into the admission controller. +- Semgrep provides online tools to [learn](https://semgrep.dev/learn) and [create](https://semgrep.dev/playground/new) custom rules. + +To deploy the preconfigured admission controller simply run: + +```bash +helm install semgr8s charts/semgr8s --create-namespace --namespace semgr8ns +``` +
+ output + + ```bash + NAME: semgr8s + LAST DEPLOYED: Tue Apr 25 00:16:04 2023 + NAMESPACE: semgr8ns + STATUS: deployed + REVISION: 1 + TEST SUITE: None + NOTES: + Successfully installed semgr8s! + ``` +
+ +You can check successful deployment of semgr8s via: + +```bash +kubectl get all -n semgr8ns +``` +
+ output + + ```bash + NAME READY STATUS RESTARTS AGE + pod/semgr8s-665dbb8756-qhqv6 1/1 Running 0 7s + + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + service/semgr8s-service ClusterIP 10.96.135.157 443/TCP 7s + + NAME READY UP-TO-DATE AVAILABLE AGE + deployment.apps/semgr8s 1/1 1 1 7s + + NAME DESIRED CURRENT READY AGE + replicaset.apps/semgr8s-665dbb8756 1 1 1 7s + ``` +
+ +Once all resources are in `READY` state, you have successfully installed semgr8s :rocket: + +### Testing + +Several test resources are provided under `tests/demo/`. +Semgr8s only validates resources in namespaces with label `semgr8s/validation=enabled`: + +```bash +kubectl apply -f tests/demo/00_test-namespace.yaml +``` +
+ output + + ```bash + namespace/test-semgr8s created + ``` +
+ +It denies creating pods with non-compliant configuration according to the local rules in `charts/semgr8s/rules` and `.application.remoteRules` `charts/semgr8s/values.yaml`: + +```bash +kubectl apply -f tests/demo/40_failing-deployment.yaml +``` +
+ output + + ```bash + Error from server: error when creating "tests/demo/40_failing-deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies: + * rules.test-semgr8s-forbidden-label + Error from server: error when creating "tests/demo/40_failing-deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies: + * yaml.kubernetes.security.writable-filesystem-container.writable-filesystem-container + Error from server: error when creating "tests/demo/40_failing-deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies: + * yaml.kubernetes.security.privileged-container.privileged-container + Error from server: error when creating "tests/demo/40_failing-deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies: + * yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod + ``` +
+ +Compliantly configured resources on the other hand are permitted to the cluster: + +```bash +kubectl apply -f tests/demo/20_passing-deployment.yaml +``` +
+ output + + ```bash + pod/passing-testpod-1 created + ``` +
+ + +### Cleanup + +To remove all resources of the admission controller run: + +```bash +helm uninstall semgr8s -n semgr8ns +kubectl delete ns semgr8ns +``` +
+ output + + ```bash + release "semgr8s" uninstalled + ``` +
+ +Test resources are deleted via: + +```bash +kubectl delete -f tests/demo/ +``` +
+ output + + ```bash + namespace "test-semgr8s" deleted + pod "passing-testpod-1" deleted + Error from server (NotFound): error when deleting "tests/demo/40_failing-deployment.yaml": pods "forbiddenlabel-pod" not found + Error from server (NotFound): error when deleting "tests/demo/40_failing-deployment.yaml": pods "failing-testpod-1" not found + Error from server (NotFound): error when deleting "tests/demo/40_failing-deployment.yaml": pods "failing-testpod-2" not found + Error from server (NotFound): error when deleting "tests/demo/40_failing-deployment.yaml": pods "failing-testpod-3" not found + + ``` +
+ +## Next steps + +Excited about Semgr8s? Here is some next steps: + +* :books: For more details, checkout the [Concept](https://semgr8ns.github.io/semgr8s/latest/concept/) or [Usage](https://semgr8ns.github.io/semgr8s/latest/usage/) +* :writing_hand: To share feedback, reach out via [GitHub Discussions](https://github.com/semgr8ns/semgr8s/discussions) +* :bug: Report bugs via [GitHub Issues](https://github.com/semgr8ns/semgr8s/issues) + +## Management + +### Compatibility + +Semgr8s is expected to be compatible with most common Kubernetes services. +It supports all maintained Kubernets versions and is actively tested against versions v1.20 and higher. + +In case you identify any incompatibilities, please [create an issue](https://github.com/semgr8ns/semgr8s/issues/new/choose) :hearts: + +### Versions + +The latest stable version of Semgr8s is available on the [`main`](https://github.com/semgr8ns/semgr8s) branch. +[Releases](https://github.com/semgr8ns/semgr8s/tags) follow [semantic versioning](https://semver.org/) standards to facilitate compatibility. +For each release, a signed container image tagged with the version is published in the [Semgr8s GitHub Container Registry](https://github.com/semgr8ns/semgr8s/pkgs/container/semgr8s) (GHCR). +Latest developments are available on the [`dev`](https://github.com/semgr8ns/semgr8s/tree/dev) branch, but should be considered unstable and a pre-built container image is provided with `dev` tag. + +### Artifacts + +Semgr8s employs an automated build pipeline that publishes artifacts to GHCR. +Container images are available via: + +```bash +docker pull ghcr.io/semgr8ns/semgr8s:main # (1)! +``` + +1. Use your tag of interest, e.g. `v0.1.16`. + +Images are signed using keyless sigstore [OIDC signatures](https://docs.sigstore.dev/verifying/verify/#keyless-verification-using-openid-connect) including provenance and SBOM data: + + +```bash +cosign tree ghcr.io/semgr8ns/semgr8s:main # (1)! +``` + +1. Use your tag of interest, e.g. 
`v0.1.16`. + +
+ output + + ```bash + 📦 Supply Chain Security Related artifacts for an image: ghcr.io/semgr8ns/semgr8s:main + └── 💾 Attestations for an image tag: ghcr.io/semgr8ns/semgr8s:sha256-e372107c1856ab76f44658e263c30a8ab5afe296c95ded498afde9596d1c9e12.att + └── 🍒 sha256:1d3677b036cfeb233aed550029a689468a0ceb6c9c495315fbb789f6f386b627 + └── 🔐 Signatures for an image tag: ghcr.io/semgr8ns/semgr8s:sha256-e372107c1856ab76f44658e263c30a8ab5afe296c95ded498afde9596d1c9e12.sig + └── 🍒 sha256:3eea0c4186f4a88658bee01dbff07bcc9f4605fadfcb7a02a9387ad223c7d23e + + ``` +
+ +Verify via signatures via: + +```bash hl_lines="5" +cosign verify \ + --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \ + --certificate-identity-regexp '^https://github\.com/semgr8ns/semgr8s/' \ + --certificate-github-workflow-repository 'semgr8ns/semgr8s' \ + ghcr.io/semgr8ns/semgr8s:main # (1)! +``` + +1. Use your tag of interest, e.g. `v0.1.16`. + +Download verified SBOM in `cyclonedx-json` format: + +```bash hl_lines="5" +cosign verify-attestation --type cyclonedx \ + --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \ + --certificate-identity-regexp '^https://github\.com/semgr8ns/semgr8s/' \ + --certificate-github-workflow-repository 'semgr8ns/semgr8s' \ + ghcr.io/semgr8ns/semgr8s:main | # (1)! + jq -r '.payload' | base64 -d | jq '.predicate' \ + > sbom.cdx +``` + +1. Use your tag of interest, e.g. `v0.1.16`. + +Helm charts themselves are shared via the [GitHub repository](https://github.com/semgr8ns/semgr8s/tree/main/charts/semgr8s). + +### Development + +Semgr8s is *open source* and *open development*. +We aim to announce major developments via [GitHub Discussions](https://github.com/semgr8ns/semgr8s/discussions/categories/announcements). +Information on responsible disclosure of vulnerabilities and tracking of past findings is available in the [Security Policy](./SECURITY.md). +Bug reports should be filed as [GitHub issues](https://github.com/semgr8ns/semgr8s/issues/new) to share status and potential fixes with other users. +Contributions should be provided as pull requests against the `dev` branch. 
+ +We hope to get as many direct contributions and insights from the community as possible to steer further development :rocket: + +## Wall of fame + +Thanks to all the fine people directly contributing commits/PRs to Semgr8s: + + + + + +Big shout-out also to all who support the project via issues, discussions and feature requests :pray: + +## Resources + +Several Semgr8s resources are available: + +- [:octicons-mark-github-16: Semgr8s repository](https://github.com/semgr8ns/semgr8s) +- [:fontawesome-solid-box: Semgr8s container registry](https://github.com/semgr8ns/semgr8s/pkgs/container/semgr8s) +- [:fontawesome-solid-book: Semgr8s documentation](https://semgr8ns.github.io/semgr8s/latest/) +- [:fontawesome-solid-message: Semgr8s discussions](https://github.com/semgr8ns/semgr8s/discussions) diff --git a/docs/SECURITY.md b/docs/SECURITY.md new file mode 100644 index 0000000..174c797 --- /dev/null +++ b/docs/SECURITY.md 
@@ -0,0 +1,16 @@
+# Security Policy
+
+## Supported versions
+
+While all known vulnerabilities in the Semgr8s application are listed below and we intent to fix vulnerabilities as soon as we become aware, both, Python and OS packages of the Semgr8s image may become vulnerable over time and we suggest to frequently update to the latest version or rebuilding the image from source yourself.
+At present, we only support the latest version.
+We stick to semantic versioning, so unless the major version changes, updating Semgr8s should never break your installation.
+
+## Known vulnerabilities
+
+Known vulnerabilities are published after resolution under [GitHub Security](https://github.com/semgr8ns/semgr8s/security).
+
+## Reporting a vulnerability
+
+We are very grateful for reports on vulnerabilities discovered in the project, specifically as it is intended to increase security for the community.
+We aim to investigate and fix these as soon as possible. Please submit vulnerabilities via [GitHub Vulnerability Reporting](https://github.com/semgr8ns/semgr8s/security/advisories/new).
diff --git a/docs/assets/semgr8s-demo.gif b/docs/assets/semgr8s-demo.gif
index 2b221fc..9cf20f1 100644
Binary files a/docs/assets/semgr8s-demo.gif and b/docs/assets/semgr8s-demo.gif differ
diff --git a/docs/concept.md b/docs/concept.md
index b80b8a2..7ac8351 100644
--- a/docs/concept.md
+++ b/docs/concept.md
@@ -26,7 +26,7 @@ Accordingly, the Kube API then either persists the (modified) requests to etcd f ## Architecture & Design -![](assets/semgr8s-architecture.png#gh-light-mode-only)![](assets/semgr8s-architecture-dark.png#gh-dark-mode-only) +![](assets/semgr8s-architecture.png#gh-light-mode-only){data-gallery="light"}![](assets/semgr8s-architecture-dark.png#gh-dark-mode-only){data-gallery="dark"} Semgr8s is developed for installation via [helm](https://helm.sh/) to setup the required Kubernetes resources. However, rendering of Kubernetes manifests for usage with `kubectl apply` is expected to work as well. @@ -65,7 +65,7 @@ The Semgr8s application logic performs the following core functions: * mutate admission requests * update local rules -![](assets/semgr8s-design.png#gh-light-mode-only)![](assets/semgr8s-design-dark.png#gh-dark-mode-only) +![](assets/semgr8s-design.png#gh-light-mode-only){data-gallery="light"}![](assets/semgr8s-design-dark.png#gh-dark-mode-only){data-gallery="dark"} Semgrep is designed to scan files and consequently Semgr8s application logic manages rules, request and results data as files. As the container file system is configured as `readOnlyRootFilesystem`, corresponding volumes (`/app/rules/`, `/app/data`) and additional Semgrep folders (`/.semgrep/`, `/.cache`, `/tmp`) are provided via volume mounts. diff --git a/docs/examples/template-autofix-rule.md b/docs/examples/template-autofix-rule.md index badf9f0..fb8ed97 100644 --- a/docs/examples/template-autofix-rule.md +++ b/docs/examples/template-autofix-rule.md @@ -1,6 +1,6 @@ # Template autofix rule -Template rule demonstrating minimal syntax for [autofix rules](usage.md#autofix) at the example of a forbidden test mapping that is removed upon fixing. +Template rule demonstrating minimal syntax for [autofix rules](../usage.md#autofix) at the example of a forbidden test mapping that is removed upon fixing. ## Use rule 
diff --git a/docs/javascripts/tablesort.js b/docs/javascripts/tablesort.js new file mode 100644 index 0000000..3ecbfa2 --- /dev/null +++ b/docs/javascripts/tablesort.js @@ -0,0 +1,7 @@ +document$.subscribe(function() { + var tables = document.querySelectorAll("article table:not([class])") + tables.forEach(function(table) { + new Tablesort(table) + }) +}) + diff --git a/mkdocs.yml b/mkdocs.yml index 569e261..40dc3f5 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -48,6 +48,7 @@ theme: logo: 'assets/semgr8s-logo-single.png' favicon: 'assets/semgr8s-logo-single.png' features: + - content.code.annotate - content.code.copy - content.code.select - navigation.top @@ -57,6 +58,8 @@ markdown_extensions: - admonition - codehilite - footnotes + - attr_list + - meta - pymdownx.details - pymdownx.emoji: emoji_index: !!python/name:material.extensions.emoji.twemoji @@ -73,6 +76,10 @@ markdown_extensions: permalink: ⚓︎ # Plugins +plugins: + - glightbox: + skip_classes: + - skip-lightbox # Extras extra_javascript: diff --git a/poetry.lock b/poetry.lock index d634fa9..17ac21b 100644 --- a/poetry.lock +++ b/poetry.lock @@ -956,6 +956,17 @@ mergedeep = ">=1.3.4" platformdirs = ">=2.2.0" pyyaml = ">=5.1" +[[package]] +name = "mkdocs-glightbox" +version = "0.4.0" +description = "MkDocs plugin supports image lightbox with GLightbox." +optional = false +python-versions = "*" +files = [ + {file = "mkdocs-glightbox-0.4.0.tar.gz", hash = "sha256:392b34207bf95991071a16d5f8916d1d2f2cd5d5bb59ae2997485ccd778c70d9"}, + {file = "mkdocs_glightbox-0.4.0-py3-none-any.whl", hash = "sha256:e0107beee75d3eb7380ac06ea2d6eac94c999eaa49f8c3cbab0e7be2ac006ccf"}, +] + [[package]] name = "mkdocs-material" version = "9.5.24" 
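Review bot: `Tablesort` and `document$` in the new docs/javascripts/tablesort.js are globals that this file does not define, so the script only works if the Tablesort library is loaded before it; the `extra_javascript` entries that would do that lie outside the visible mkdocs.yml hunks. If the library is fetched from a third-party CDN, pin an exact version and prefer a vendored copy under `docs/javascripts/`, so the published docs do not run script from a host the project does not control. A header comment such as `// Requires the Tablesort library, loaded earlier via extra_javascript in mkdocs.yml.` would document the dependency. A guard `if (typeof Tablesort === "undefined") return` as the first statement of the callback would keep a failed library load from throwing on every page navigation.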
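Review bot: Declaring `plugins:` in the last mkdocs.yml hunk replaces MkDocs' default plugin list, so the built-in `search` plugin is no longer loaded unless it is listed explicitly. The old side of the hunk shows `# Plugins` followed directly by `# Extras` with no `plugins` key, so search was previously enabled by default. If site search should stay, add `- search` above `- glightbox:`. A short comment next to the `glightbox` entry saying that pages can restrict the lightbox per page via the `glightbox-manual` front matter (as docs/README.md does) would help the next editor.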
@@ -1653,16 +1664,16 @@ pbr = "*" [[package]] name = "semgrep" -version = "1.73.0" +version = "1.74.0" description = "Lightweight static analysis for many languages. Find bug variants with patterns that look like source code." optional = false python-versions = ">=3.8" files = [ - {file = "semgrep-1.73.0-cp38.cp39.cp310.cp311.py37.py38.py39.py310.py311-none-any.whl", hash = "sha256:35295eced0a1f7e544b1ecf2a5b212ef82e5f8a3ff35bff3a805ae9bbb5da0c7"}, - {file = "semgrep-1.73.0-cp38.cp39.cp310.cp311.py37.py38.py39.py310.py311-none-macosx_10_14_x86_64.whl", hash = "sha256:8cef07d304a35b7e329f1f96374a0ff26a6e02c7ccbdaec7f3a820ef65abb016"}, - {file = "semgrep-1.73.0-cp38.cp39.cp310.cp311.py37.py38.py39.py310.py311-none-macosx_11_0_arm64.whl", hash = "sha256:122cf1ad323b6f8a92a7c9cbc170a7bc9a8ac198deefe597cb0e73f9893a6ef4"}, - {file = "semgrep-1.73.0-cp38.cp39.cp310.cp311.py37.py38.py39.py310.py311-none-musllinux_1_0_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b724ac87e08b7222515e9af8a096bf87a661d05c3c73e10375234d47039f2a98"}, - {file = "semgrep-1.73.0.tar.gz", hash = "sha256:bd39868e74813657a763146c36d899498e12ca0bdcfc84438b0d22b310be63e1"}, + {file = "semgrep-1.74.0-cp38.cp39.cp310.cp311.py37.py38.py39.py310.py311-none-any.whl", hash = "sha256:640e4a95b48b902d08246ab22b45e1b83291c79dfdf3bbdfe77bd2334cf00fd9"}, + {file = "semgrep-1.74.0-cp38.cp39.cp310.cp311.py37.py38.py39.py310.py311-none-macosx_10_14_x86_64.whl", hash = "sha256:3a8ac35d0d2860757c68fbbda3575001ddb6bbbf3f123a54580db23d81b44bd1"}, + {file = "semgrep-1.74.0-cp38.cp39.cp310.cp311.py37.py38.py39.py310.py311-none-macosx_11_0_arm64.whl", hash = "sha256:83cb052e1d95f4d0c8bc064e68384ca45c4aa9b4bf4b578a7a9e2fd6f94e3a8f"}, + {file = "semgrep-1.74.0-cp38.cp39.cp310.cp311.py37.py38.py39.py310.py311-none-musllinux_1_0_aarch64.manylinux2014_aarch64.whl", hash = "sha256:687abceeece4f53b6794c0df012eb8f76a1c5d12521dd0629e783486edb12dab"}, + {file = "semgrep-1.74.0.tar.gz", hash = 
"sha256:1872234796ad6196e84d2195d5b8462187eb2fa164e305cd5a61d4b00703d432"}, ] [package.dependencies] 
@@ -1804,40 +1815,43 @@ test = ["coverage", "flake8 (>=3.7)", "mypy", "pretend", "pytest"] [[package]] name = "watchdog" -version = "4.0.0" +version = "4.0.1" description = "Filesystem events monitoring" optional = false python-versions = ">=3.8" files = [ - {file = "watchdog-4.0.0-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:39cb34b1f1afbf23e9562501673e7146777efe95da24fab5707b88f7fb11649b"}, - {file = "watchdog-4.0.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:c522392acc5e962bcac3b22b9592493ffd06d1fc5d755954e6be9f4990de932b"}, - {file = "watchdog-4.0.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:6c47bdd680009b11c9ac382163e05ca43baf4127954c5f6d0250e7d772d2b80c"}, - {file = "watchdog-4.0.0-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:8350d4055505412a426b6ad8c521bc7d367d1637a762c70fdd93a3a0d595990b"}, - {file = "watchdog-4.0.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:c17d98799f32e3f55f181f19dd2021d762eb38fdd381b4a748b9f5a36738e935"}, - {file = "watchdog-4.0.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:4986db5e8880b0e6b7cd52ba36255d4793bf5cdc95bd6264806c233173b1ec0b"}, - {file = "watchdog-4.0.0-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:11e12fafb13372e18ca1bbf12d50f593e7280646687463dd47730fd4f4d5d257"}, - {file = "watchdog-4.0.0-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:5369136a6474678e02426bd984466343924d1df8e2fd94a9b443cb7e3aa20d19"}, - {file = "watchdog-4.0.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:76ad8484379695f3fe46228962017a7e1337e9acadafed67eb20aabb175df98b"}, - {file = "watchdog-4.0.0-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:45cc09cc4c3b43fb10b59ef4d07318d9a3ecdbff03abd2e36e77b6dd9f9a5c85"}, - {file = "watchdog-4.0.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:eed82cdf79cd7f0232e2fdc1ad05b06a5e102a43e331f7d041e5f0e0a34a51c4"}, - {file = "watchdog-4.0.0-cp38-cp38-macosx_11_0_arm64.whl", hash = 
"sha256:ba30a896166f0fee83183cec913298151b73164160d965af2e93a20bbd2ab605"}, - {file = "watchdog-4.0.0-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:d18d7f18a47de6863cd480734613502904611730f8def45fc52a5d97503e5101"}, - {file = "watchdog-4.0.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:2895bf0518361a9728773083908801a376743bcc37dfa252b801af8fd281b1ca"}, - {file = "watchdog-4.0.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:87e9df830022488e235dd601478c15ad73a0389628588ba0b028cb74eb72fed8"}, - {file = "watchdog-4.0.0-pp310-pypy310_pp73-macosx_10_9_x86_64.whl", hash = "sha256:6e949a8a94186bced05b6508faa61b7adacc911115664ccb1923b9ad1f1ccf7b"}, - {file = "watchdog-4.0.0-pp38-pypy38_pp73-macosx_10_9_x86_64.whl", hash = "sha256:6a4db54edea37d1058b08947c789a2354ee02972ed5d1e0dca9b0b820f4c7f92"}, - {file = "watchdog-4.0.0-pp39-pypy39_pp73-macosx_10_9_x86_64.whl", hash = "sha256:d31481ccf4694a8416b681544c23bd271f5a123162ab603c7d7d2dd7dd901a07"}, - {file = "watchdog-4.0.0-py3-none-manylinux2014_aarch64.whl", hash = "sha256:8fec441f5adcf81dd240a5fe78e3d83767999771630b5ddfc5867827a34fa3d3"}, - {file = "watchdog-4.0.0-py3-none-manylinux2014_armv7l.whl", hash = "sha256:6a9c71a0b02985b4b0b6d14b875a6c86ddea2fdbebd0c9a720a806a8bbffc69f"}, - {file = "watchdog-4.0.0-py3-none-manylinux2014_i686.whl", hash = "sha256:557ba04c816d23ce98a06e70af6abaa0485f6d94994ec78a42b05d1c03dcbd50"}, - {file = "watchdog-4.0.0-py3-none-manylinux2014_ppc64.whl", hash = "sha256:d0f9bd1fd919134d459d8abf954f63886745f4660ef66480b9d753a7c9d40927"}, - {file = "watchdog-4.0.0-py3-none-manylinux2014_ppc64le.whl", hash = "sha256:f9b2fdca47dc855516b2d66eef3c39f2672cbf7e7a42e7e67ad2cbfcd6ba107d"}, - {file = "watchdog-4.0.0-py3-none-manylinux2014_s390x.whl", hash = "sha256:73c7a935e62033bd5e8f0da33a4dcb763da2361921a69a5a95aaf6c93aa03a87"}, - {file = "watchdog-4.0.0-py3-none-manylinux2014_x86_64.whl", hash = "sha256:6a80d5cae8c265842c7419c560b9961561556c4361b297b4c431903f8c33b269"}, - {file = 
"watchdog-4.0.0-py3-none-win32.whl", hash = "sha256:8f9a542c979df62098ae9c58b19e03ad3df1c9d8c6895d96c0d51da17b243b1c"}, - {file = "watchdog-4.0.0-py3-none-win_amd64.whl", hash = "sha256:f970663fa4f7e80401a7b0cbeec00fa801bf0287d93d48368fc3e6fa32716245"}, - {file = "watchdog-4.0.0-py3-none-win_ia64.whl", hash = "sha256:9a03e16e55465177d416699331b0f3564138f1807ecc5f2de9d55d8f188d08c7"}, - {file = "watchdog-4.0.0.tar.gz", hash = "sha256:e3e7065cbdabe6183ab82199d7a4f6b3ba0a438c5a512a68559846ccb76a78ec"}, + {file = "watchdog-4.0.1-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:da2dfdaa8006eb6a71051795856bedd97e5b03e57da96f98e375682c48850645"}, + {file = "watchdog-4.0.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:e93f451f2dfa433d97765ca2634628b789b49ba8b504fdde5837cdcf25fdb53b"}, + {file = "watchdog-4.0.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:ef0107bbb6a55f5be727cfc2ef945d5676b97bffb8425650dadbb184be9f9a2b"}, + {file = "watchdog-4.0.1-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:17e32f147d8bf9657e0922c0940bcde863b894cd871dbb694beb6704cfbd2fb5"}, + {file = "watchdog-4.0.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:03e70d2df2258fb6cb0e95bbdbe06c16e608af94a3ffbd2b90c3f1e83eb10767"}, + {file = "watchdog-4.0.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:123587af84260c991dc5f62a6e7ef3d1c57dfddc99faacee508c71d287248459"}, + {file = "watchdog-4.0.1-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:093b23e6906a8b97051191a4a0c73a77ecc958121d42346274c6af6520dec175"}, + {file = "watchdog-4.0.1-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:611be3904f9843f0529c35a3ff3fd617449463cb4b73b1633950b3d97fa4bfb7"}, + {file = "watchdog-4.0.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:62c613ad689ddcb11707f030e722fa929f322ef7e4f18f5335d2b73c61a85c28"}, + {file = "watchdog-4.0.1-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:d4925e4bf7b9bddd1c3de13c9b8a2cdb89a468f640e66fbfabaf735bd85b3e35"}, + {file = 
"watchdog-4.0.1-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:cad0bbd66cd59fc474b4a4376bc5ac3fc698723510cbb64091c2a793b18654db"}, + {file = "watchdog-4.0.1-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:a3c2c317a8fb53e5b3d25790553796105501a235343f5d2bf23bb8649c2c8709"}, + {file = "watchdog-4.0.1-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:c9904904b6564d4ee8a1ed820db76185a3c96e05560c776c79a6ce5ab71888ba"}, + {file = "watchdog-4.0.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:667f3c579e813fcbad1b784db7a1aaa96524bed53437e119f6a2f5de4db04235"}, + {file = "watchdog-4.0.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:d10a681c9a1d5a77e75c48a3b8e1a9f2ae2928eda463e8d33660437705659682"}, + {file = "watchdog-4.0.1-pp310-pypy310_pp73-macosx_10_9_x86_64.whl", hash = "sha256:0144c0ea9997b92615af1d94afc0c217e07ce2c14912c7b1a5731776329fcfc7"}, + {file = "watchdog-4.0.1-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:998d2be6976a0ee3a81fb8e2777900c28641fb5bfbd0c84717d89bca0addcdc5"}, + {file = "watchdog-4.0.1-pp38-pypy38_pp73-macosx_10_9_x86_64.whl", hash = "sha256:e7921319fe4430b11278d924ef66d4daa469fafb1da679a2e48c935fa27af193"}, + {file = "watchdog-4.0.1-pp38-pypy38_pp73-macosx_11_0_arm64.whl", hash = "sha256:f0de0f284248ab40188f23380b03b59126d1479cd59940f2a34f8852db710625"}, + {file = "watchdog-4.0.1-pp39-pypy39_pp73-macosx_10_9_x86_64.whl", hash = "sha256:bca36be5707e81b9e6ce3208d92d95540d4ca244c006b61511753583c81c70dd"}, + {file = "watchdog-4.0.1-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:ab998f567ebdf6b1da7dc1e5accfaa7c6992244629c0fdaef062f43249bd8dee"}, + {file = "watchdog-4.0.1-py3-none-manylinux2014_aarch64.whl", hash = "sha256:dddba7ca1c807045323b6af4ff80f5ddc4d654c8bce8317dde1bd96b128ed253"}, + {file = "watchdog-4.0.1-py3-none-manylinux2014_armv7l.whl", hash = "sha256:4513ec234c68b14d4161440e07f995f231be21a09329051e67a2118a7a612d2d"}, + {file = "watchdog-4.0.1-py3-none-manylinux2014_i686.whl", hash = 
"sha256:4107ac5ab936a63952dea2a46a734a23230aa2f6f9db1291bf171dac3ebd53c6"}, + {file = "watchdog-4.0.1-py3-none-manylinux2014_ppc64.whl", hash = "sha256:6e8c70d2cd745daec2a08734d9f63092b793ad97612470a0ee4cbb8f5f705c57"}, + {file = "watchdog-4.0.1-py3-none-manylinux2014_ppc64le.whl", hash = "sha256:f27279d060e2ab24c0aa98363ff906d2386aa6c4dc2f1a374655d4e02a6c5e5e"}, + {file = "watchdog-4.0.1-py3-none-manylinux2014_s390x.whl", hash = "sha256:f8affdf3c0f0466e69f5b3917cdd042f89c8c63aebdb9f7c078996f607cdb0f5"}, + {file = "watchdog-4.0.1-py3-none-manylinux2014_x86_64.whl", hash = "sha256:ac7041b385f04c047fcc2951dc001671dee1b7e0615cde772e84b01fbf68ee84"}, + {file = "watchdog-4.0.1-py3-none-win32.whl", hash = "sha256:206afc3d964f9a233e6ad34618ec60b9837d0582b500b63687e34011e15bb429"}, + {file = "watchdog-4.0.1-py3-none-win_amd64.whl", hash = "sha256:7577b3c43e5909623149f76b099ac49a1a01ca4e167d1785c76eb52fa585745a"}, + {file = "watchdog-4.0.1-py3-none-win_ia64.whl", hash = "sha256:d7b9f5f3299e8dd230880b6c55504a1f69cf1e4316275d1b215ebdd8187ec88d"}, + {file = "watchdog-4.0.1.tar.gz", hash = "sha256:eebaacf674fa25511e8867028d281e602ee6500045b57f43b08778082f7f8b44"}, ] [package.extras] @@ -1892,4 +1906,4 @@ testing = ["big-O", "jaraco.functools", "jaraco.itertools", "jaraco.test", "more [metadata] lock-version = "2.0" python-versions = "^3.12" -content-hash = "fde32ccfbbb8c7c0922669e3d98626788efecf9f90a5ada158a5ebaa2e8260fd" +content-hash = "c3f556114cbf79a993d6d04577cdaef543619e808d44dd3a39429808094e7467" diff --git a/pyproject.toml b/pyproject.toml index 1616171..7bb3316 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -10,7 +10,7 @@ python = "^3.12" APScheduler = "3.10.4" Flask = "3.0.3" PyYAML = "6.0.1" -semgrep = "1.73.0" +semgrep = "1.74.0" jsonpatch = "1.33" cheroot = "10.0.1" @@ -19,6 +19,7 @@ optional = false [tool.poetry.group.docs.dependencies] mkdocs-material = "9.5.24" +mkdocs-glightbox = "0.4.0" mike = "2.1.1" [tool.poetry.group.dev]