7a0da7932b
OSV-Scanner (Scheduled) / scan-scheduled (push) Failing after 0s
Create Release / test-gate (push) Has been cancelled
Create Release / release-gate (push) Has been cancelled
Create Release / ci-gate (push) Has been cancelled
Create Release / version-check (push) Has been cancelled
Create Release / e2e-test-gate (push) Has been cancelled
Create Release / responsive-test-gate (push) Has been cancelled
Create Release / compat-test-gate (push) Has been cancelled
Create Release / compose-integration-gate (push) Has been cancelled
Create Release / vulture-gate (push) Has been cancelled
Create Release / build (push) Has been cancelled
Create Release / provenance (push) Has been cancelled
Create Release / prerelease-docker (push) Has been cancelled
Create Release / publish-docker (push) Has been cancelled
Create Release / create-release (push) Has been cancelled
Create Release / cleanup-changelog (push) Has been cancelled
Create Release / trigger-pypi (push) Has been cancelled
Create Release / monitor-pypi (push) Has been cancelled
Create Release / Clean up orphan prerelease tags and signatures (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-form] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-metrics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-workflow] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-core] (push) Has been cancelled
CodeQL Advanced / Analyze (javascript-typescript) (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [history-news] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [library] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [link-analytics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-core] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-lifecycle] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [error-benchmark] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) (push) Has been cancelled
Docker Tests (Consolidated) / Accessibility Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Unit Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Example Tests (push) Has been cancelled
Docker Tests (Consolidated) / Production Image Smoke Test (push) Has been cancelled
Docker Tests (Consolidated) / Infrastructure Tests (push) Has been cancelled
OSSF Scorecard / OSSF Security Scorecard Analysis (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [mobile] (push) Has been cancelled
Backwards Compatibility / Verify Encryption Constants (push) Has been cancelled
Backwards Compatibility / PyPI Version Compatibility (push) Has been cancelled
Backwards Compatibility / Database Migration Tests (push) Has been cancelled
CodeQL Advanced / Analyze (python) (push) Has been cancelled
Docker Tests (Consolidated) / detect-changes (push) Has been cancelled
Docker Tests (Consolidated) / Build Test Image (push) Has been cancelled
Docker Tests (Consolidated) / All Pytest Tests + Coverage (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [accessibility] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [api-crud] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-login] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-register] (push) Has been cancelled
115 lines
5.9 KiB
YAML
115 lines
5.9 KiB
YAML
# Bearer SAST Scanner Configuration
|
|
# https://docs.bearer.com/reference/config/
|
|
#
|
|
# This configuration suppresses false positive alerts that don't apply
|
|
# to this codebase's security model.
|
|
|
|
rule:
|
|
# Skip rules that are false positives in our context
|
|
skip-rule:
|
|
# Logger leak alerts (python_lang_logger)
|
|
# -----------------------------------------
|
|
# SAFE TO SKIP: All logs in this application go to SQLCipher-encrypted
|
|
# per-user databases. Research queries and other logged data are protected by:
|
|
# - SQLCipher encryption at rest (AES-256)
|
|
# - Per-user database isolation (each user has their own encrypted DB)
|
|
# - Password-protected access (only the authenticated user can decrypt)
|
|
#
|
|
# See: src/local_deep_research/utilities/log_utils.py (database_sink)
|
|
# See: src/local_deep_research/database/encrypted_db.py (SQLCipher)
|
|
- python_lang_logger
|
|
|
|
# MD5 weak hash alerts (python_lang_weak_hash_md5)
|
|
# -------------------------------------------------
|
|
# SAFE TO SKIP: MD5 is used only for cache keys and content deduplication,
|
|
# NOT for security purposes (passwords, signatures, etc.). MD5 is acceptable
|
|
# for these non-cryptographic uses where collision resistance is not critical.
|
|
#
|
|
# Usage locations:
|
|
# - research_service.py: Content deduplication hashes
|
|
# - benchmark_service.py: Test result identification
|
|
- python_lang_weak_hash_md5 # DevSkim: ignore DS126858 - this is a rule name, not actual MD5 usage
|
|
|
|
# Path traversal alerts (python_lang_path_traversal)
|
|
# ---------------------------------------------------
|
|
# SAFE TO SKIP: All filesystem operations use werkzeug's safe_join() via
|
|
# PathValidator (src/local_deep_research/security/path_validator.py).
|
|
#
|
|
# The PathValidator class provides:
|
|
# - validate_safe_path(): Uses safe_join() for path sanitization
|
|
# - validate_local_filesystem_path(): Explicit traversal checks + safe_join()
|
|
# - validate_config_path(): Validates config file paths
|
|
# - validate_model_path(): Validates model file paths
|
|
# - sanitize_for_filesystem_ops(): Re-sanitizes for static analyzer recognition
|
|
#
|
|
# All files doing path operations import from security/path_validator.py
|
|
# and use these validation methods before any filesystem access.
|
|
- python_lang_path_traversal
|
|
|
|
# Weak random number generator alerts (python_lang_insecure_random)
|
|
# -----------------------------------------------------------------
|
|
# SAFE TO SKIP: random.random() is used only for non-security purposes:
|
|
# - Jitter in scheduler timing (to avoid thundering herd)
|
|
# - Sampling in profiling/telemetry
|
|
# - Test data generation
|
|
#
|
|
# All cryptographic random needs use secrets module instead.
|
|
- python_lang_insecure_random
|
|
|
|
# Weak random number generator alerts (python_lang_weak_random)
|
|
# --------------------------------------------------------------
|
|
# SAFE TO SKIP: Same rationale as python_lang_insecure_random above.
|
|
# Bearer may report this as an alternative rule name. All 14 instances
|
|
# use random for jitter/scheduling/sampling — never for cryptography.
|
|
- python_lang_weak_random
|
|
|
|
# Gitleaks secret detection alerts (gitleaks)
|
|
# ---------------------------------------------
|
|
# SAFE TO SKIP: Bearer's built-in gitleaks rules flag placeholder URLs
|
|
# (discord://YOUR_WEBHOOK_ID/YOUR_TOKEN), test credentials in CI workflows
|
|
# (postgres:postgres), and example code in documentation files. All real
|
|
# secrets are managed via environment variables and .env files (which are
|
|
# gitignored). The standalone gitleaks scanner with .gitleaks.toml provides
|
|
# more precise coverage.
|
|
- gitleaks
|
|
|
|
# JavaScript innerHTML/XSS alerts (javascript_lang_dangerous_insert_html)
|
|
# -----------------------------------------------------------------------
|
|
# REVIEW REQUIRED: Not globally skipped. XSS protection is implemented via:
|
|
# - escapeHtml() function defined in xss-protection.js
|
|
# - escapeHtml() inline fallbacks in component files
|
|
# - All user data in HTML templates is escaped
|
|
#
|
|
# Files with XSS protection applied (January 2025):
|
|
# - subscriptions.js: Uses escapeHtml() for all user data
|
|
# - news.js: Uses escapeHtml() for all user data
|
|
# - xss-protection.js: Provides global escapeHtml()
|
|
#
|
|
# Individual alerts may still need inline bearer:disable if they are
|
|
# intentional HTML sanitization code or false positives.
|
|
# DO NOT add javascript_lang_dangerous_insert_html here globally.
|
|
|
|
# Manual HTML sanitization alerts (javascript_lang_manual_html_sanitization)
|
|
# --------------------------------------------------------------------------
|
|
# SAFE TO SKIP: All 21 instances are intentional escapeHtml sanitization
|
|
# functions (xss-protection.js, details.js, etc.). Flagging the sanitizer
|
|
# itself is circular — these functions ARE the security control. Deep search
|
|
# found zero partial/incomplete escaping patterns across the codebase.
|
|
- javascript_lang_manual_html_sanitization
|
|
|
|
# Observable timing alerts (javascript_lang_observable_timing)
|
|
# ------------------------------------------------------------
|
|
# SAFE TO SKIP: No client-side secret comparisons exist. All auth is
|
|
# server-side (Flask-WTF CSRF with hmac.compare_digest, SQLCipher decrypt).
|
|
# Only theme names, URL hashes, and keyboard events are compared in JS.
|
|
# Affected: theme.js:349, logpanel.js:272
|
|
- javascript_lang_observable_timing
|
|
|
|
# OS command injection alerts (python_lang_os_command_injection)
|
|
# --------------------------------------------------------------
|
|
# SAFE TO SKIP: 100% of subprocess calls use list syntax (not shell=True).
|
|
# Zero shell=True in production code (7 files verified). All paths are
|
|
# validated by PathValidator. Pattern enforced by existing security tests.
|
|
# Affected: utils/__init__.py:89,97
|
|
- python_lang_os_command_injection
|