Skip to content

Add security scanning CI (CodeQL, pip-audit, Dependabot) and pre-commit#92

Open
ivan-pinatti wants to merge 5 commits into
AlfredoSequeida:mainfrom
ivan-pinatti:main
Open

Add security scanning CI (CodeQL, pip-audit, Dependabot) and pre-commit#92
ivan-pinatti wants to merge 5 commits into
AlfredoSequeida:mainfrom
ivan-pinatti:main

Conversation

@ivan-pinatti
Copy link
Copy Markdown

@ivan-pinatti ivan-pinatti commented Mar 5, 2026
edited
Loading

Summary

Implements the security scanning proposal from #91.

Adds free, automated security scanning at two levels:

CI (GitHub Actions)

  • CodeQL — SAST for Python; finds logic bugs, injection flaws, unsafe API usage. Results appear in Security > Code scanning.
  • pip-audit — fully installs the project (including PyGObject) in a clean Ubuntu runner with system libs, then scans all dependencies including transitive ones against the OSV database for known CVEs.
  • Dependabot — opens PRs automatically when pip dependencies or GitHub Actions versions have updates.

Local (pre-commit)

  • bandit — SAST on staged Python files before each commit; immediate local feedback without waiting for CI.
  • pip-audit — scans direct dependencies from requirements.txt against the OSV database before each commit.
    • PyGObject is excluded from requirements.txt: it requires gobject-introspection system headers to build metadata, which are not universally available locally. It is fully covered by pip-audit in CI.
    • Transitive dependency CVEs are covered by pip-audit in CI.

Files added / modified

File Purpose
.github/workflows/security.yml CodeQL + pip-audit CI jobs
.github/dependabot.yml Weekly dependency update checks
.pre-commit-config.yaml bandit SAST + pip-audit hooks (local)
requirements.txt Direct dependencies for local pip-audit (mirrors setup.py install_requires)
README.md Expanded Contributing/Development section with pre-commit setup instructions

Trigger conditions (CI)

  • Push or PR to main
  • Weekly schedule (Mondays 06:00 UTC)
  • Manual via workflow_dispatch

Pre-existing findings

bandit surfaced the following in the existing codebase (not introduced by this PR):

  • shell=True in subprocess calls (hints.py, setup.py, plasmashell.py, others) — CWE-78
  • pickle.loads from a Unix domain socket (mouse.py, mouse_service.py) — CWE-502
  • Hardcoded /tmp socket path (constants.py) — CWE-377

These are reported for the maintainer's awareness. The pre-commit hook runs only on staged files so it won't block existing workflows.

All tooling is free for public repositories — no external accounts or tokens required. All CI jobs have been validated on the fork before this PR.

@ivan-pinatti
Add security scanning CI (CodeQL, pip-audit, Dependabot)
0a39f55 
Adds three free security layers for the public repo:
- CodeQL SAST for Python logic bugs and unsafe API usage
- pip-audit dependency scan against OSV database for CVEs
- Dependabot for automated dependency and Actions version updates

Closes: AlfredoSequeida#91
@ivan-pinatti
Use CodeQL Action v4 (v3 deprecated Dec 2026)
ea388c3
@ivan-pinatti
Add bandit pre-commit hook for local security scanning
2a24740 
Adds bandit (SAST) as a pre-commit hook for catching security issues
in Python code locally before push. Runs only on staged files by default.

Existing findings in the codebase (shell=True, pickle.loads, /tmp socket
path) are pre-existing and for the maintainer to review separately.

pip-audit is intentionally CI-only: installing this project requires
system libs (libgirepository, Cairo) unavailable in pre-commit's
isolated environment.
@ivan-pinatti
Add pip-audit pre-commit hook and requirements.txt
d61edab 
Adds local dependency vulnerability scanning via pip-audit alongside the
existing bandit SAST hook. requirements.txt mirrors setup.py install_requires
and is used by pip-audit with --no-deps to avoid dependency resolution.

PyGObject is excluded from requirements.txt: it requires gobject-introspection
system headers to build metadata, which are not universally available locally.
It is fully covered by pip-audit in CI where system libs are installed.

Transitive dependency CVEs are also covered by CI.
@ivan-pinatti
Expand Contributing section with pre-commit setup instructions
16d5733
@AlfredoSequeida
Copy link
Copy Markdown
Owner

AlfredoSequeida commented May 9, 2026

Hey, thank you for the ci updates. I think this is a good idea to keep better code quality.

One suggestion: Can we change this to not used a requirements.txt file? I know that is very common place, but I rather keep the requirements in a single place instead of duplicating them and the requirements already exist as part of the setup.py file.

@ivan-pinatti
Copy link
Copy Markdown
Author

ivan-pinatti commented May 11, 2026

Hi @AlfredoSequeida,

I agree that duplicating dependencies between requirements.txt and setup.py is not ideal.

This PR was mainly intended as a proof of concept to introduce the CI/code quality workflow and start the discussion around improving the project tooling. Longer term, I think it would make sense to migrate dependency management to a more modern and centralized approach, either fully using requirements.txt with pinned/dev dependencies separated properly, or preferably moving toward a pyproject.toml-based setup.

I’d be happy to collaborate on that refactor as a follow-up improvement if you think it fits the direction of the project.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ivan-pinatti @AlfredoSequeida