nas-burnin

brandon/nas-burnin

Fork 0

Commit graph

Author	SHA1	Message	Date
Brandon Walter	1a19252019	feat: daily security scan — pip-audit + bandit + gitleaks (1.0.0-24) Some checks are pending Security scan / pip-audit (push) Waiting to run Details Security scan / bandit (push) Waiting to run Details Security scan / gitleaks (push) Waiting to run Details Two layers of defence-in-depth scanning: * `.forgejo/workflows/security-scan.yml` — runs pip-audit, bandit, and gitleaks on every push, every PR, and nightly at 07:00 UTC. Activates when the forge has a runner; harmless no-op until then. Bandit is invoked with `--skip B608` because every dynamic SQL build in this codebase uses bound parameters for data and structural placeholders only — we still catch real injection through code review. * `scripts/security-scan.sh` + systemd `service`/`timer` — maple-side daily scanner that runs the same three tools entirely in containers (no host pollution). Differences from the forge job: - pip-audit runs INSIDE the live container against installed packages, catching new CVEs in transitives requirements.txt doesn't pin (e.g. starlette breaking changes shipping in 1.0). - bandit scans the LIVE deploy dir at ~/docker/stacks/truenas-burnin/app/, not a fresh git checkout — so drift between forge HEAD and prod surfaces here too. - gitleaks scans a managed clone in ~/scan-checkouts/, kept fast-forward to origin/main. Output: ~/security-scans/scan-YYYY-MM-DD/{summary,pip-audit,bandit, gitleaks}.txt with 30-day retention. ~/security-scans/findings.log appended on any non-zero exit. SECURITY_SCAN_WEBHOOK env in the service unit lets you POST findings to Mattermost / Slack / etc. once you decide where alerts should land. First-run findings already actioned in this commit: * pip-audit caught 3 CVEs in `pip` itself (CVE-2025-8869, CVE-2026-1703, CVE-2026-3219). Dockerfile now upgrades pip to >=26.0 before installing the rest. * bandit's B608 SQL-injection heuristic flagged two f-string SQL constructions in `_upsert_drive` and `_fetch_drives_for_template`. Both were structural concatenation (column-list selection, '?,?,?' placeholder count), not data interpolation, but refactored from f-string to explicit concatenation so a future reviewer doesn't have to relitigate. * bandit's B104 (binding to 0.0.0.0) annotated with inline `# nosec B104` — container deliberately binds all interfaces; nginx-proxy- manager fronts it. * gitleaks: 0 secrets across 14 commits. Clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-02 17:07:22 -04:00
Brandon Walter	b73b5251ae	Initial commit — TrueNAS Burn-In Dashboard v0.5.0 Full-stack burn-in orchestration dashboard (Stages 1–6d complete): FastAPI backend, SQLite/WAL, SSE live dashboard, mock TrueNAS server, SMTP/webhook notifications, batch burn-in, settings UI, audit log, stats page, cancel SMART/burn-in, drag-to-reorder stages. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-02-24 00:08:29 -05:00

Author

SHA1

Message

Date

Brandon Walter

1a19252019

feat: daily security scan — pip-audit + bandit + gitleaks (1.0.0-24)

Security scan / pip-audit (push) Waiting to run

Details

Security scan / bandit (push) Waiting to run

Details

Security scan / gitleaks (push) Waiting to run

Details

Two layers of defence-in-depth scanning:

* `.forgejo/workflows/security-scan.yml` — runs pip-audit, bandit, and
  gitleaks on every push, every PR, and nightly at 07:00 UTC. Activates
  when the forge has a runner; harmless no-op until then. Bandit is
  invoked with `--skip B608` because every dynamic SQL build in this
  codebase uses bound parameters for data and structural placeholders
  only — we still catch real injection through code review.

* `scripts/security-scan.sh` + systemd `service`/`timer` — maple-side
  daily scanner that runs the same three tools entirely in containers
  (no host pollution). Differences from the forge job:
    - pip-audit runs INSIDE the live container against installed
      packages, catching new CVEs in transitives requirements.txt
      doesn't pin (e.g. starlette breaking changes shipping in 1.0).
    - bandit scans the LIVE deploy dir at
      ~/docker/stacks/truenas-burnin/app/, not a fresh git checkout —
      so drift between forge HEAD and prod surfaces here too.
    - gitleaks scans a managed clone in ~/scan-checkouts/, kept
      fast-forward to origin/main.
  Output: ~/security-scans/scan-YYYY-MM-DD/{summary,pip-audit,bandit,
  gitleaks}.txt with 30-day retention. ~/security-scans/findings.log
  appended on any non-zero exit. SECURITY_SCAN_WEBHOOK env in the
  service unit lets you POST findings to Mattermost / Slack / etc. once
  you decide where alerts should land.

First-run findings already actioned in this commit:

* pip-audit caught 3 CVEs in `pip` itself (CVE-2025-8869,
  CVE-2026-1703, CVE-2026-3219). Dockerfile now upgrades pip to
  >=26.0 before installing the rest.

* bandit's B608 SQL-injection heuristic flagged two f-string SQL
  constructions in `_upsert_drive` and `_fetch_drives_for_template`.
  Both were structural concatenation (column-list selection,
  '?,?,?' placeholder count), not data interpolation, but refactored
  from f-string to explicit concatenation so a future reviewer
  doesn't have to relitigate.

* bandit's B104 (binding to 0.0.0.0) annotated with inline `# nosec
  B104` — container deliberately binds all interfaces; nginx-proxy-
  manager fronts it.

* gitleaks: 0 secrets across 14 commits. Clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-02 17:07:22 -04:00

Brandon Walter

b73b5251ae

Initial commit — TrueNAS Burn-In Dashboard v0.5.0

Full-stack burn-in orchestration dashboard (Stages 1–6d complete):
FastAPI backend, SQLite/WAL, SSE live dashboard, mock TrueNAS server,
SMTP/webhook notifications, batch burn-in, settings UI, audit log,
stats page, cancel SMART/burn-in, drag-to-reorder stages.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-02-24 00:08:29 -05:00

2 commits