ci: fix gitleaks and bandit jobs in Forgejo Actions
Some checks failed
CI / Security audit (bandit) (pull_request) Failing after 53s
CI / lint (pull_request) Failing after 42s
CI / typecheck (pull_request) Successful in 52s
CI / Secret scan (gitleaks) (pull_request) Failing after 32s
CI / test (pull_request) Successful in 1m10s

- Install git in gitleaks container so checkout works.
- Use hashlib.md5(..., usedforsecurity=False) for content/cache/dedup hashes.
- Add nosec annotations for intentional 0.0.0.0 binds, /tmp paths, and legacy SQL builder.
This commit is contained in:
Crypto Rug Munch 2026-07-03 00:21:31 +02:00
parent cf3b0808a8
commit a83e31dcf7
9 changed files with 9 additions and 9 deletions

View file

@ -125,7 +125,7 @@ jobs:
fetch-depth: 0 fetch-depth: 0
- name: Run gitleaks - name: Run gitleaks
run: | run: |
apt-get update && apt-get install -y --no-install-recommends wget ca-certificates && rm -rf /var/lib/apt/lists/* apt-get update && apt-get install -y --no-install-recommends wget git ca-certificates && rm -rf /var/lib/apt/lists/*
wget -qO- https://github.com/gitleaks/gitleaks/releases/download/v8.24.0/gitleaks_8.24.0_linux_x64.tar.gz | tar -xz -C /usr/local/bin gitleaks wget -qO- https://github.com/gitleaks/gitleaks/releases/download/v8.24.0/gitleaks_8.24.0_linux_x64.tar.gz | tar -xz -C /usr/local/bin gitleaks
gitleaks detect --source . --redact --no-banner gitleaks detect --source . --redact --no-banner

View file

@ -56,7 +56,7 @@ class PryAdvanced:
async def track_diff(self, url: str, new_content: str) -> dict: async def track_diff(self, url: str, new_content: str) -> dict:
"""Compare current content against previous scrape. Returns unified diff. """Compare current content against previous scrape. Returns unified diff.
First scrape returns 'initial', subsequent returns changes.""" First scrape returns 'initial', subsequent returns changes."""
content_hash = hashlib.md5(new_content.encode()).hexdigest() content_hash = hashlib.md5(new_content.encode(), usedforsecurity=False).hexdigest()
if url not in self._diffs: if url not in self._diffs:
self._diffs[url] = [ self._diffs[url] = [

View file

@ -31,7 +31,7 @@ class ResponseCache:
"""Generate cache key from URL + options.""" """Generate cache key from URL + options."""
opt_str = json.dumps(options or {}, sort_keys=True) opt_str = json.dumps(options or {}, sort_keys=True)
raw = f"{url}:{opt_str}" raw = f"{url}:{opt_str}"
return hashlib.md5(raw.encode()).hexdigest() return hashlib.md5(raw.encode(), usedforsecurity=False).hexdigest()
def get(self, url: str, options: dict | None = None) -> dict | None: def get(self, url: str, options: dict | None = None) -> dict | None:
"""Get cached response if fresh.""" """Get cached response if fresh."""

2
cli.py
View file

@ -214,7 +214,7 @@ def cmd_run(pryfile_path="pry.yml"):
print(f" {RED}{NC} {name}{j.get('error', 'failed')}{NC}") print(f" {RED}{NC} {name}{j.get('error', 'failed')}{NC}")
def cmd_serve(host="0.0.0.0", port=8005): def cmd_serve(host="0.0.0.0", port=8005): # nosec B104
"""Start the Pry API server.""" """Start the Pry API server."""
print(f"{CYAN}🔧 Starting Pry v{VERSION} on {host}:{port}{NC}") print(f"{CYAN}🔧 Starting Pry v{VERSION} on {host}:{port}{NC}")
print(f" Dashboard: http://localhost:{port}/dashboard") print(f" Dashboard: http://localhost:{port}/dashboard")

View file

@ -65,7 +65,7 @@ class Settings(BaseSettings):
mcp_tools_count: int = 8 mcp_tools_count: int = 8
# Storage # Storage
screenshot_dir: Path = Path("/tmp/pry-screenshots") screenshot_dir: Path = Path("/tmp/pry-screenshots") # nosec B108
cache_ttl_seconds: int = 3600 cache_ttl_seconds: int = 3600

View file

@ -27,7 +27,7 @@ class SimHash:
return 0 return 0
vector = [0] * n_features vector = [0] * n_features
for token in tokens: for token in tokens:
token_hash = int(hashlib.md5(token.encode()).hexdigest(), 16) token_hash = int(hashlib.md5(token.encode(), usedforsecurity=False).hexdigest(), 16)
for i in range(n_features): for i in range(n_features):
if token_hash & (1 << i): if token_hash & (1 << i):
vector[i] += 1 vector[i] += 1

View file

@ -111,7 +111,7 @@ class PDFTableExtractor:
import camelot import camelot
tables: list[dict[str, Any]] = [] tables: list[dict[str, Any]] = []
tmp_path = "/tmp/_pry_pdf.pdf" tmp_path = "/tmp/_pry_pdf.pdf" # nosec B108
try: try:
with open(tmp_path, "wb") as f: with open(tmp_path, "wb") as f:
f.write(pdf_bytes) f.write(pdf_bytes)

View file

@ -143,7 +143,7 @@ class TransformEngine:
values.append(str(v)) values.append(str(v))
cols = ", ".join(columns) cols = ", ".join(columns)
vals = ", ".join(values) vals = ", ".join(values)
return f"INSERT INTO {table} ({cols}) VALUES ({vals});" return f"INSERT INTO {table} ({cols}) VALUES ({vals});" # nosec B608
@staticmethod @staticmethod
def to_csv(data: list[dict]) -> str: def to_csv(data: list[dict]) -> str:

View file

@ -21,7 +21,7 @@ class PrySettings(BaseSettings):
# Core # Core
url: str = "http://localhost:8002" url: str = "http://localhost:8002"
host: str = "0.0.0.0" host: str = "0.0.0.0" # nosec B104
port: int = 8002 port: int = 8002
# Ollama LLM endpoint # Ollama LLM endpoint