Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 25 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
version: 2
updates:
# 1. Automatically keep GitHub Actions updated
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
groups:
actions-group:
patterns:
- "*"

Check warning

Code scanning / Semgrep OSS

Semgrep Finding: package_managers.dependabot.dependabot-missing-cooldown.dependabot-missing-cooldown Warning

This Dependabot configuration does not set a cooldown period. Newly published packages can be malicious or unstable. Add a cooldown block with default-days: 7 to each package-ecosystem entry under updates to wait 7 days before proposing updates to newly published package versions. Reference: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#cooldown
Comment on lines +4 to +11

# 2. Keep Pip/Python requirements updated
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
# Groups minor/patch updates to prevent Pull Request fatigue
groups:
python-dependencies:
patterns:
- "*"
update-types:
- "patch"
- "minor"

Check warning

Code scanning / Semgrep OSS

Semgrep Finding: package_managers.dependabot.dependabot-missing-cooldown.dependabot-missing-cooldown Warning

This Dependabot configuration does not set a cooldown period. Newly published packages can be malicious or unstable. Add a cooldown block with default-days: 7 to each package-ecosystem entry under updates to wait 7 days before proposing updates to newly published package versions. Reference: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#cooldown
Comment on lines +14 to +25
94 changes: 94 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
name: Continuous Integration & Security

on:
push:
branches: [main, master]
pull_request:
branches: [main, master]
schedule:
- cron: '0 0 * * 1' # Runs automatically every Monday at midnight to catch newly discovered CVEs

permissions:
contents: read
security-events: write # Required to upload findings to GitHub's Security Tab

jobs:
# ----------------------------------------------------
# JOB 1: LINT & TEST
# ----------------------------------------------------
lint-and-test:
name: Lint & Test Suite
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v4

Check warning

Code scanning / Semgrep OSS

Semgrep Finding: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag Warning

GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

- name: Lint GitHub Workflows (Prevents runner vulnerabilities)
uses: devops-actions/actionlint@v0.1.3

Check warning

Code scanning / Semgrep OSS

Semgrep Finding: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag Warning

GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

- name: Set up Python (Using uv for ultra-fast package caching)
uses: astral-sh/setup-uv@v5

Check warning

Code scanning / Semgrep OSS

Semgrep Finding: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag Warning

GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
with:
enable-cache: true
python-version: "3.12"

- name: Run Pre-Commit Hooks in CI
uses: pre-commit/action@v3.0.1

Check warning

Code scanning / Semgrep OSS

Semgrep Finding: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag Warning

GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

- name: Install Dependencies
run: uv pip install -e ".[test]" || uv pip install -r requirements.txt || true

- name: Run Pytest
run: |
if [ -d "tests" ]; then
uv run pytest
else
echo "No 'tests' directory found. Skipping tests."
fi

# ----------------------------------------------------
# JOB 2: SEMGREP SAST (Checks code you wrote)
# ----------------------------------------------------
semgrep-sast:
name: Semgrep SAST
runs-on: ubuntu-latest
container:
image: semgrep/semgrep:latest
steps:
- name: Checkout Code
uses: actions/checkout@v4

Check warning

Code scanning / Semgrep OSS

Semgrep Finding: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag Warning

GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

- name: Run Semgrep Scan
run: semgrep scan --config auto --sarif --output=semgrep-results.sarif .

- name: Upload Semgrep results to GitHub Security
uses: github/codeql-action/upload-sarif@v3

Check warning

Code scanning / Semgrep OSS

Semgrep Finding: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag Warning

GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
if: always()
with:
sarif_file: semgrep-results.sarif

# ----------------------------------------------------
# JOB 3: TRIVY SCA (Checks dependencies & Dockerfiles)
# ----------------------------------------------------
trivy-sca:
name: Trivy Dependency & Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v4

Check warning

Code scanning / Semgrep OSS

Semgrep Finding: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag Warning

GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

# Pinned securely to v0.36.0 commit SHA to mitigate CVE-2026-33634
- name: Run Trivy File System Scanner
uses: aquasecurity/trivy-action@ed142fda32cedf951e7f3d537877df4c9ba8f192 # v0.36.0
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'

- name: Upload Trivy results to GitHub Security
uses: github/codeql-action/upload-sarif@v3

Check warning

Code scanning / Semgrep OSS

Semgrep Finding: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag Warning

GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
if: always()
with:
sarif_file: trivy-results.sarif
45 changes: 45 additions & 0 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
# .pre-commit-config.yaml
exclude: '^(Machine Learning|Cybersecurity|Papers|Study|Templates|Attachments|Miscellaneous|Inbox|__site|__obsidian|node_modules)/'

repos:
# 1. General Repository Hygiene
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v5.0.0
hooks:
- id: trailing-whitespace # Trims trailing whitespace
- id: end-of-file-fixer # Ensures files end with a newline
- id: check-yaml # Validates YAML syntax
- id: check-toml # Validates TOML syntax
- id: check-added-large-files # Prevents committing massive files (>1MB)
args: ['--maxkb=1000']
- id: check-merge-conflict # Checks for unresolved merge conflict markers
- id: detect-private-key # Scans for raw private keys

# 3. Secret Leak Prevention (Scanning git history)
- repo: https://github.com/gitleaks/gitleaks
rev: v8.24.0
hooks:
- id: gitleaks

# 4. Fast Python Linting, Formatting, & Security (Ruff)
- repo: https://github.com/astral-sh/ruff-pre-commit
rev: v0.9.0
hooks:
- id: ruff-format # Formatter (replaces Black)
- id: ruff
args: ["--fix"] # Auto-fix safe issues

# 5. Python Static Typing
- repo: https://github.com/pre-commit/mirrors-mypy
rev: v1.14.0
hooks:
- id: mypy
args: [--ignore-missing-imports]

# 6. Web Assets Formatting (HTML, CSS, JS, Markdown, JSON)
- repo: https://github.com/pre-commit/mirrors-prettier
rev: v4.0.0-alpha.8
hooks:
- id: prettier
types_or: [html, css, javascript, markdown, json]
exclude: '^custom-site-assets/templates/'
28 changes: 19 additions & 9 deletions custom-site-assets/utils.py
Original file line number Diff line number Diff line change
@@ -1,21 +1,26 @@
# mypy: ignore-errors
import json
import math
import os
import re
import shutil
from dataclasses import dataclass
from datetime import datetime

try:
from distutils.util import strtobool
except ImportError:

def strtobool(val):
val = val.lower()
if val in ('y', 'yes', 't', 'true', 'on', '1'):
if val in ("y", "yes", "t", "true", "on", "1"):
return True
elif val in ('n', 'no', 'f', 'false', 'off', '0'):
elif val in ("n", "no", "f", "false", "off", "0"):
return False
else:
raise ValueError(f"invalid truth value {val!r}")


from os import environ
from pathlib import Path
from pprint import PrettyPrinter
Expand Down Expand Up @@ -427,8 +432,13 @@ def sub_file(cls, path: Path):
def get_node_color(url: str) -> str:
url = url.lower()
from urllib.parse import unquote

url = unquote(url)
if "machine-learning" in url or "machine_learning" in url or "machine learning" in url:
if (
"machine-learning" in url
or "machine_learning" in url
or "machine learning" in url
):
return "#5ba3a2" # Sicily Teal
elif "cybersecurity" in url:
return "#4a7bb0" # Steel Blue
Expand Down Expand Up @@ -464,12 +474,12 @@ def parse_graph(nodes: Dict[str, str], edges: List[Tuple[str, str]]):
edge_counts[j] += 1

# Choose the most connected nodes to be colored
top_nodes = {
node_url: i
for i, (node_url, _) in enumerate(
list(sorted(edge_counts.items(), key=lambda k: -k[1]))[: len(PASTEL_COLORS)]
)
}
# top_nodes = {
# node_url: i
# for i, (node_url, _) in enumerate(
# list(sorted(edge_counts.items(), key=lambda k: -k[1]))[: len(PASTEL_COLORS)]
# )
# }

# Generate graph data
graph_info = {
Expand Down
1 change: 1 addition & 0 deletions requirements.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
python-slugify>=8.0.0
Loading