nas-burnin

brandon/nas-burnin

Fork 0

Commit graph

Author	SHA1	Message	Date
Brandon Walter	8ae84862de	infra: rename truenas-burnin → nas-burnin (1.0.0-41) Some checks are pending Security scan / pip-audit (push) Waiting to run Details Security scan / bandit (push) Waiting to run Details Security scan / gitleaks (push) Waiting to run Details Security scan / mypy (push) Waiting to run Details Matches the 1.0.0-38 product display rename. Touches every infrastructure identifier: - container_name: truenas-burnin → nas-burnin - forge URL in /api/v1/updates/check - security-scan: REPO_URL, REPO, DEPLOY_DIR, systemd unit description - run-tests.sh default container name - doc paths in README/SPEC/CLAUDE - in-app instruction strings (login.html, settings.html, auth_cli.py) Maple migration done in lockstep: docker compose down (truenas-burnin) mv ~/docker/stacks/{truenas-burnin,nas-burnin} systemd unit ExecStart updated + daemon-reload docker compose up -d --build → container nas-burnin Old image truenas-burnin-app removed (~12 GB reclaimed) Stale top-level orphans cleaned (config.py, poller.py, routes.py, truenas.py, tests/) — all dead since pre-split refactors Forge repo rename (git.hellocomputer.xyz/brandon/truenas-burnin → nas-burnin) is a separate UI-only step. Forgejo redirects the old URL after rename, so this commit can be pushed to the existing remote first; remote URL gets updated locally once you rename.	2026-05-04 07:16:02 -07:00
Brandon Walter	1a19252019	feat: daily security scan — pip-audit + bandit + gitleaks (1.0.0-24) Some checks are pending Security scan / pip-audit (push) Waiting to run Details Security scan / bandit (push) Waiting to run Details Security scan / gitleaks (push) Waiting to run Details Two layers of defence-in-depth scanning: * `.forgejo/workflows/security-scan.yml` — runs pip-audit, bandit, and gitleaks on every push, every PR, and nightly at 07:00 UTC. Activates when the forge has a runner; harmless no-op until then. Bandit is invoked with `--skip B608` because every dynamic SQL build in this codebase uses bound parameters for data and structural placeholders only — we still catch real injection through code review. * `scripts/security-scan.sh` + systemd `service`/`timer` — maple-side daily scanner that runs the same three tools entirely in containers (no host pollution). Differences from the forge job: - pip-audit runs INSIDE the live container against installed packages, catching new CVEs in transitives requirements.txt doesn't pin (e.g. starlette breaking changes shipping in 1.0). - bandit scans the LIVE deploy dir at ~/docker/stacks/truenas-burnin/app/, not a fresh git checkout — so drift between forge HEAD and prod surfaces here too. - gitleaks scans a managed clone in ~/scan-checkouts/, kept fast-forward to origin/main. Output: ~/security-scans/scan-YYYY-MM-DD/{summary,pip-audit,bandit, gitleaks}.txt with 30-day retention. ~/security-scans/findings.log appended on any non-zero exit. SECURITY_SCAN_WEBHOOK env in the service unit lets you POST findings to Mattermost / Slack / etc. once you decide where alerts should land. First-run findings already actioned in this commit: * pip-audit caught 3 CVEs in `pip` itself (CVE-2025-8869, CVE-2026-1703, CVE-2026-3219). Dockerfile now upgrades pip to >=26.0 before installing the rest. * bandit's B608 SQL-injection heuristic flagged two f-string SQL constructions in `_upsert_drive` and `_fetch_drives_for_template`. Both were structural concatenation (column-list selection, '?,?,?' placeholder count), not data interpolation, but refactored from f-string to explicit concatenation so a future reviewer doesn't have to relitigate. * bandit's B104 (binding to 0.0.0.0) annotated with inline `# nosec B104` — container deliberately binds all interfaces; nginx-proxy- manager fronts it. * gitleaks: 0 secrets across 14 commits. Clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-02 17:07:22 -04:00

Author

SHA1

Message

Date

Brandon Walter

8ae84862de

infra: rename truenas-burnin → nas-burnin (1.0.0-41)

Security scan / pip-audit (push) Waiting to run

Details

Security scan / bandit (push) Waiting to run

Details

Security scan / gitleaks (push) Waiting to run

Details

Security scan / mypy (push) Waiting to run

Details

Matches the 1.0.0-38 product display rename. Touches every
infrastructure identifier:

- container_name: truenas-burnin → nas-burnin
- forge URL in /api/v1/updates/check
- security-scan: REPO_URL, REPO, DEPLOY_DIR, systemd unit description
- run-tests.sh default container name
- doc paths in README/SPEC/CLAUDE
- in-app instruction strings (login.html, settings.html, auth_cli.py)

Maple migration done in lockstep:
  docker compose down (truenas-burnin)
  mv ~/docker/stacks/{truenas-burnin,nas-burnin}
  systemd unit ExecStart updated + daemon-reload
  docker compose up -d --build → container nas-burnin
  Old image truenas-burnin-app removed (~12 GB reclaimed)
  Stale top-level orphans cleaned (config.py, poller.py, routes.py,
  truenas.py, tests/) — all dead since pre-split refactors

Forge repo rename (git.hellocomputer.xyz/brandon/truenas-burnin →
nas-burnin) is a separate UI-only step. Forgejo redirects the old
URL after rename, so this commit can be pushed to the existing
remote first; remote URL gets updated locally once you rename.

2026-05-04 07:16:02 -07:00

Brandon Walter

1a19252019

feat: daily security scan — pip-audit + bandit + gitleaks (1.0.0-24)

Security scan / pip-audit (push) Waiting to run

Details

Security scan / bandit (push) Waiting to run

Details

Security scan / gitleaks (push) Waiting to run

Details

Two layers of defence-in-depth scanning:

* `.forgejo/workflows/security-scan.yml` — runs pip-audit, bandit, and
  gitleaks on every push, every PR, and nightly at 07:00 UTC. Activates
  when the forge has a runner; harmless no-op until then. Bandit is
  invoked with `--skip B608` because every dynamic SQL build in this
  codebase uses bound parameters for data and structural placeholders
  only — we still catch real injection through code review.

* `scripts/security-scan.sh` + systemd `service`/`timer` — maple-side
  daily scanner that runs the same three tools entirely in containers
  (no host pollution). Differences from the forge job:
    - pip-audit runs INSIDE the live container against installed
      packages, catching new CVEs in transitives requirements.txt
      doesn't pin (e.g. starlette breaking changes shipping in 1.0).
    - bandit scans the LIVE deploy dir at
      ~/docker/stacks/truenas-burnin/app/, not a fresh git checkout —
      so drift between forge HEAD and prod surfaces here too.
    - gitleaks scans a managed clone in ~/scan-checkouts/, kept
      fast-forward to origin/main.
  Output: ~/security-scans/scan-YYYY-MM-DD/{summary,pip-audit,bandit,
  gitleaks}.txt with 30-day retention. ~/security-scans/findings.log
  appended on any non-zero exit. SECURITY_SCAN_WEBHOOK env in the
  service unit lets you POST findings to Mattermost / Slack / etc. once
  you decide where alerts should land.

First-run findings already actioned in this commit:

* pip-audit caught 3 CVEs in `pip` itself (CVE-2025-8869,
  CVE-2026-1703, CVE-2026-3219). Dockerfile now upgrades pip to
  >=26.0 before installing the rest.

* bandit's B608 SQL-injection heuristic flagged two f-string SQL
  constructions in `_upsert_drive` and `_fetch_drives_for_template`.
  Both were structural concatenation (column-list selection,
  '?,?,?' placeholder count), not data interpolation, but refactored
  from f-string to explicit concatenation so a future reviewer
  doesn't have to relitigate.

* bandit's B104 (binding to 0.0.0.0) annotated with inline `# nosec
  B104` — container deliberately binds all interfaces; nginx-proxy-
  manager fronts it.

* gitleaks: 0 secrets across 14 commits. Clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-02 17:07:22 -04:00

2 commits