Files
wehub-resource-sync 7a0da7932b
OSV-Scanner (Scheduled) / scan-scheduled (push) Failing after 0s
Create Release / test-gate (push) Has been cancelled
Create Release / release-gate (push) Has been cancelled
Create Release / ci-gate (push) Has been cancelled
Create Release / version-check (push) Has been cancelled
Create Release / e2e-test-gate (push) Has been cancelled
Create Release / responsive-test-gate (push) Has been cancelled
Create Release / compat-test-gate (push) Has been cancelled
Create Release / compose-integration-gate (push) Has been cancelled
Create Release / vulture-gate (push) Has been cancelled
Create Release / build (push) Has been cancelled
Create Release / provenance (push) Has been cancelled
Create Release / prerelease-docker (push) Has been cancelled
Create Release / publish-docker (push) Has been cancelled
Create Release / create-release (push) Has been cancelled
Create Release / cleanup-changelog (push) Has been cancelled
Create Release / trigger-pypi (push) Has been cancelled
Create Release / monitor-pypi (push) Has been cancelled
Create Release / Clean up orphan prerelease tags and signatures (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-form] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-metrics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-workflow] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-core] (push) Has been cancelled
CodeQL Advanced / Analyze (javascript-typescript) (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [history-news] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [library] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [link-analytics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-core] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-lifecycle] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [error-benchmark] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) (push) Has been cancelled
Docker Tests (Consolidated) / Accessibility Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Unit Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Example Tests (push) Has been cancelled
Docker Tests (Consolidated) / Production Image Smoke Test (push) Has been cancelled
Docker Tests (Consolidated) / Infrastructure Tests (push) Has been cancelled
OSSF Scorecard / OSSF Security Scorecard Analysis (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [mobile] (push) Has been cancelled
Backwards Compatibility / Verify Encryption Constants (push) Has been cancelled
Backwards Compatibility / PyPI Version Compatibility (push) Has been cancelled
Backwards Compatibility / Database Migration Tests (push) Has been cancelled
CodeQL Advanced / Analyze (python) (push) Has been cancelled
Docker Tests (Consolidated) / detect-changes (push) Has been cancelled
Docker Tests (Consolidated) / Build Test Image (push) Has been cancelled
Docker Tests (Consolidated) / All Pytest Tests + Coverage (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [accessibility] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [api-crud] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-login] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-register] (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:08:55 +08:00

115 lines
5.9 KiB
YAML

# Bearer SAST Scanner Configuration
# https://docs.bearer.com/reference/config/
#
# This configuration suppresses false positive alerts that don't apply
# to this codebase's security model.
rule:
# Skip rules that are false positives in our context
skip-rule:
# Logger leak alerts (python_lang_logger)
# -----------------------------------------
# SAFE TO SKIP: All logs in this application go to SQLCipher-encrypted
# per-user databases. Research queries and other logged data are protected by:
# - SQLCipher encryption at rest (AES-256)
# - Per-user database isolation (each user has their own encrypted DB)
# - Password-protected access (only the authenticated user can decrypt)
#
# See: src/local_deep_research/utilities/log_utils.py (database_sink)
# See: src/local_deep_research/database/encrypted_db.py (SQLCipher)
- python_lang_logger
# MD5 weak hash alerts (python_lang_weak_hash_md5)
# -------------------------------------------------
# SAFE TO SKIP: MD5 is used only for cache keys and content deduplication,
# NOT for security purposes (passwords, signatures, etc.). MD5 is acceptable
# for these non-cryptographic uses where collision resistance is not critical.
#
# Usage locations:
# - research_service.py: Content deduplication hashes
# - benchmark_service.py: Test result identification
- python_lang_weak_hash_md5 # DevSkim: ignore DS126858 - this is a rule name, not actual MD5 usage
# Path traversal alerts (python_lang_path_traversal)
# ---------------------------------------------------
# SAFE TO SKIP: All filesystem operations use werkzeug's safe_join() via
# PathValidator (src/local_deep_research/security/path_validator.py).
#
# The PathValidator class provides:
# - validate_safe_path(): Uses safe_join() for path sanitization
# - validate_local_filesystem_path(): Explicit traversal checks + safe_join()
# - validate_config_path(): Validates config file paths
# - validate_model_path(): Validates model file paths
# - sanitize_for_filesystem_ops(): Re-sanitizes for static analyzer recognition
#
# All files doing path operations import from security/path_validator.py
# and use these validation methods before any filesystem access.
- python_lang_path_traversal
# Weak random number generator alerts (python_lang_insecure_random)
# -----------------------------------------------------------------
# SAFE TO SKIP: random.random() is used only for non-security purposes:
# - Jitter in scheduler timing (to avoid thundering herd)
# - Sampling in profiling/telemetry
# - Test data generation
#
# All cryptographic random needs use secrets module instead.
- python_lang_insecure_random
# Weak random number generator alerts (python_lang_weak_random)
# --------------------------------------------------------------
# SAFE TO SKIP: Same rationale as python_lang_insecure_random above.
# Bearer may report this as an alternative rule name. All 14 instances
# use random for jitter/scheduling/sampling — never for cryptography.
- python_lang_weak_random
# Gitleaks secret detection alerts (gitleaks)
# ---------------------------------------------
# SAFE TO SKIP: Bearer's built-in gitleaks rules flag placeholder URLs
# (discord://YOUR_WEBHOOK_ID/YOUR_TOKEN), test credentials in CI workflows
# (postgres:postgres), and example code in documentation files. All real
# secrets are managed via environment variables and .env files (which are
# gitignored). The standalone gitleaks scanner with .gitleaks.toml provides
# more precise coverage.
- gitleaks
# JavaScript innerHTML/XSS alerts (javascript_lang_dangerous_insert_html)
# -----------------------------------------------------------------------
# REVIEW REQUIRED: Not globally skipped. XSS protection is implemented via:
# - escapeHtml() function defined in xss-protection.js
# - escapeHtml() inline fallbacks in component files
# - All user data in HTML templates is escaped
#
# Files with XSS protection applied (January 2025):
# - subscriptions.js: Uses escapeHtml() for all user data
# - news.js: Uses escapeHtml() for all user data
# - xss-protection.js: Provides global escapeHtml()
#
# Individual alerts may still need inline bearer:disable if they are
# intentional HTML sanitization code or false positives.
# DO NOT add javascript_lang_dangerous_insert_html here globally.
# Manual HTML sanitization alerts (javascript_lang_manual_html_sanitization)
# --------------------------------------------------------------------------
# SAFE TO SKIP: All 21 instances are intentional escapeHtml sanitization
# functions (xss-protection.js, details.js, etc.). Flagging the sanitizer
# itself is circular — these functions ARE the security control. Deep search
# found zero partial/incomplete escaping patterns across the codebase.
- javascript_lang_manual_html_sanitization
# Observable timing alerts (javascript_lang_observable_timing)
# ------------------------------------------------------------
# SAFE TO SKIP: No client-side secret comparisons exist. All auth is
# server-side (Flask-WTF CSRF with hmac.compare_digest, SQLCipher decrypt).
# Only theme names, URL hashes, and keyboard events are compared in JS.
# Affected: theme.js:349, logpanel.js:272
- javascript_lang_observable_timing
# OS command injection alerts (python_lang_os_command_injection)
# --------------------------------------------------------------
# SAFE TO SKIP: 100% of subprocess calls use list syntax (not shell=True).
# Zero shell=True in production code (7 files verified). All paths are
# validated by PathValidator. Pattern enforced by existing security tests.
# Affected: utils/__init__.py:89,97
- python_lang_os_command_injection