ci: fix gitleaks and bandit jobs in Forgejo Actions
Some checks failed
Some checks failed
- Install git in gitleaks container so checkout works. - Use hashlib.md5(..., usedforsecurity=False) for content/cache/dedup hashes. - Add nosec annotations for intentional 0.0.0.0 binds, /tmp paths, and legacy SQL builder.
This commit is contained in:
parent
cf3b0808a8
commit
a83e31dcf7
9 changed files with 9 additions and 9 deletions
|
|
@ -125,7 +125,7 @@ jobs:
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
- name: Run gitleaks
|
- name: Run gitleaks
|
||||||
run: |
|
run: |
|
||||||
apt-get update && apt-get install -y --no-install-recommends wget ca-certificates && rm -rf /var/lib/apt/lists/*
|
apt-get update && apt-get install -y --no-install-recommends wget git ca-certificates && rm -rf /var/lib/apt/lists/*
|
||||||
wget -qO- https://github.com/gitleaks/gitleaks/releases/download/v8.24.0/gitleaks_8.24.0_linux_x64.tar.gz | tar -xz -C /usr/local/bin gitleaks
|
wget -qO- https://github.com/gitleaks/gitleaks/releases/download/v8.24.0/gitleaks_8.24.0_linux_x64.tar.gz | tar -xz -C /usr/local/bin gitleaks
|
||||||
gitleaks detect --source . --redact --no-banner
|
gitleaks detect --source . --redact --no-banner
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -56,7 +56,7 @@ class PryAdvanced:
|
||||||
async def track_diff(self, url: str, new_content: str) -> dict:
|
async def track_diff(self, url: str, new_content: str) -> dict:
|
||||||
"""Compare current content against previous scrape. Returns unified diff.
|
"""Compare current content against previous scrape. Returns unified diff.
|
||||||
First scrape returns 'initial', subsequent returns changes."""
|
First scrape returns 'initial', subsequent returns changes."""
|
||||||
content_hash = hashlib.md5(new_content.encode()).hexdigest()
|
content_hash = hashlib.md5(new_content.encode(), usedforsecurity=False).hexdigest()
|
||||||
|
|
||||||
if url not in self._diffs:
|
if url not in self._diffs:
|
||||||
self._diffs[url] = [
|
self._diffs[url] = [
|
||||||
|
|
|
||||||
2
cache.py
2
cache.py
|
|
@ -31,7 +31,7 @@ class ResponseCache:
|
||||||
"""Generate cache key from URL + options."""
|
"""Generate cache key from URL + options."""
|
||||||
opt_str = json.dumps(options or {}, sort_keys=True)
|
opt_str = json.dumps(options or {}, sort_keys=True)
|
||||||
raw = f"{url}:{opt_str}"
|
raw = f"{url}:{opt_str}"
|
||||||
return hashlib.md5(raw.encode()).hexdigest()
|
return hashlib.md5(raw.encode(), usedforsecurity=False).hexdigest()
|
||||||
|
|
||||||
def get(self, url: str, options: dict | None = None) -> dict | None:
|
def get(self, url: str, options: dict | None = None) -> dict | None:
|
||||||
"""Get cached response if fresh."""
|
"""Get cached response if fresh."""
|
||||||
|
|
|
||||||
2
cli.py
2
cli.py
|
|
@ -214,7 +214,7 @@ def cmd_run(pryfile_path="pry.yml"):
|
||||||
print(f" {RED}✖{NC} {name} — {j.get('error', 'failed')}{NC}")
|
print(f" {RED}✖{NC} {name} — {j.get('error', 'failed')}{NC}")
|
||||||
|
|
||||||
|
|
||||||
def cmd_serve(host="0.0.0.0", port=8005):
|
def cmd_serve(host="0.0.0.0", port=8005): # nosec B104
|
||||||
"""Start the Pry API server."""
|
"""Start the Pry API server."""
|
||||||
print(f"{CYAN}🔧 Starting Pry v{VERSION} on {host}:{port}{NC}")
|
print(f"{CYAN}🔧 Starting Pry v{VERSION} on {host}:{port}{NC}")
|
||||||
print(f" Dashboard: http://localhost:{port}/dashboard")
|
print(f" Dashboard: http://localhost:{port}/dashboard")
|
||||||
|
|
|
||||||
|
|
@ -65,7 +65,7 @@ class Settings(BaseSettings):
|
||||||
mcp_tools_count: int = 8
|
mcp_tools_count: int = 8
|
||||||
|
|
||||||
# Storage
|
# Storage
|
||||||
screenshot_dir: Path = Path("/tmp/pry-screenshots")
|
screenshot_dir: Path = Path("/tmp/pry-screenshots") # nosec B108
|
||||||
cache_ttl_seconds: int = 3600
|
cache_ttl_seconds: int = 3600
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
2
dedup.py
2
dedup.py
|
|
@ -27,7 +27,7 @@ class SimHash:
|
||||||
return 0
|
return 0
|
||||||
vector = [0] * n_features
|
vector = [0] * n_features
|
||||||
for token in tokens:
|
for token in tokens:
|
||||||
token_hash = int(hashlib.md5(token.encode()).hexdigest(), 16)
|
token_hash = int(hashlib.md5(token.encode(), usedforsecurity=False).hexdigest(), 16)
|
||||||
for i in range(n_features):
|
for i in range(n_features):
|
||||||
if token_hash & (1 << i):
|
if token_hash & (1 << i):
|
||||||
vector[i] += 1
|
vector[i] += 1
|
||||||
|
|
|
||||||
|
|
@ -111,7 +111,7 @@ class PDFTableExtractor:
|
||||||
import camelot
|
import camelot
|
||||||
|
|
||||||
tables: list[dict[str, Any]] = []
|
tables: list[dict[str, Any]] = []
|
||||||
tmp_path = "/tmp/_pry_pdf.pdf"
|
tmp_path = "/tmp/_pry_pdf.pdf" # nosec B108
|
||||||
try:
|
try:
|
||||||
with open(tmp_path, "wb") as f:
|
with open(tmp_path, "wb") as f:
|
||||||
f.write(pdf_bytes)
|
f.write(pdf_bytes)
|
||||||
|
|
|
||||||
|
|
@ -143,7 +143,7 @@ class TransformEngine:
|
||||||
values.append(str(v))
|
values.append(str(v))
|
||||||
cols = ", ".join(columns)
|
cols = ", ".join(columns)
|
||||||
vals = ", ".join(values)
|
vals = ", ".join(values)
|
||||||
return f"INSERT INTO {table} ({cols}) VALUES ({vals});"
|
return f"INSERT INTO {table} ({cols}) VALUES ({vals});" # nosec B608
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def to_csv(data: list[dict]) -> str:
|
def to_csv(data: list[dict]) -> str:
|
||||||
|
|
|
||||||
|
|
@ -21,7 +21,7 @@ class PrySettings(BaseSettings):
|
||||||
|
|
||||||
# Core
|
# Core
|
||||||
url: str = "http://localhost:8002"
|
url: str = "http://localhost:8002"
|
||||||
host: str = "0.0.0.0"
|
host: str = "0.0.0.0" # nosec B104
|
||||||
port: int = 8002
|
port: int = 8002
|
||||||
|
|
||||||
# Ollama LLM endpoint
|
# Ollama LLM endpoint
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue