From eeda579112628a370942bdd85d24e8eda6bbd777 Mon Sep 17 00:00:00 2001 From: Imran Siddique <45405841+imran-siddique@users.noreply.github.com> Date: Sat, 4 Jul 2026 12:29:56 -0700 Subject: [PATCH 1/2] ci: add reusable python security workflow (ruff/mypy/bandit/pip-audit/SBOM) Co-Authored-By: Claude Opus 4.8 (1M context) --- .../workflows/reusable-python-security.yml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 .github/workflows/reusable-python-security.yml diff --git a/.github/workflows/reusable-python-security.yml b/.github/workflows/reusable-python-security.yml new file mode 100644 index 0000000..a9457a9 --- /dev/null +++ b/.github/workflows/reusable-python-security.yml @@ -0,0 +1,32 @@ +name: reusable-python-security +on: + workflow_call: + inputs: + python-version: + type: string + default: "3.12" +permissions: + contents: read +jobs: + static-and-deps: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 # TODO: pin to commit SHA before merge + - uses: actions/setup-python@v5 # TODO: pin to commit SHA before merge + with: + python-version: "${{ inputs.python-version }}" + - run: pip install ruff mypy bandit pip-audit cyclonedx-bom + - name: Ruff (lint) + run: ruff check . + - name: Mypy (types) + run: mypy . || true + - name: Bandit (SAST) + run: bandit -r src -ll + - name: pip-audit (SCA) + run: pip-audit + - name: SBOM (CycloneDX) + run: cyclonedx-py environment -o sbom.json || true + - uses: actions/upload-artifact@v4 # TODO: pin to commit SHA before merge + with: + name: sbom + path: sbom.json From 14b6ef02a67b7dc4b37865b26ea23de105411cac Mon Sep 17 00:00:00 2001 From: Imran Siddique <45405841+imran-siddique@users.noreply.github.com> Date: Sat, 4 Jul 2026 12:29:56 -0700 Subject: [PATCH 2/2] docs: add security baseline adoption guide Co-Authored-By: Claude Opus 4.8 (1M context) --- docs/security-baseline.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 docs/security-baseline.md diff --git a/docs/security-baseline.md b/docs/security-baseline.md new file mode 100644 index 0000000..93cb5b4 --- /dev/null +++ b/docs/security-baseline.md @@ -0,0 +1,30 @@ +# agentrust-io security baseline + +Shared security tooling for agentrust-io repositories. + +## Reusable Python security workflow + +`.github/workflows/reusable-python-security.yml` runs ruff (lint), mypy (types), bandit (SAST), pip-audit (SCA), and generates a CycloneDX SBOM. Call it from any Python repo with `.github/workflows/security.yml`: + + name: security + on: + push: { branches: [main] } + pull_request: { branches: [main] } + jobs: + security: + uses: agentrust-io/.github/.github/workflows/reusable-python-security.yml@main + +## Per-repo additions (not centralised) + +Each repo should also carry, matching cmcp / ca2a / agent-manifest: + +- `codeql.yml` (CodeQL SAST) and `scorecard.yml` (OSSF Scorecard) +- `.github/dependabot.yml` (pip + github-actions, weekly) +- `.github/CODEOWNERS` +- a standard `LICENSE` + +Copy-paste versions of these, plus the org-level settings (secret scanning, push protection, Dependabot alerts, and the branch-protection ruleset), are in the internal security hardening bundle. + +## Note + +All third-party actions must be pinned to a commit SHA before merge. The reusable workflow currently uses version tags marked with `TODO`.