Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 23 additions & 3 deletions src/app/portfolio_truth.py
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@
load_live_repo_status_by_name,
load_release_count_by_name,
load_repo_status_from_audit_by_name,
load_security_alerts_by_name,
load_security_coverage_by_full_name,
)
from src.producer_preflight import load_producer_evidence

Expand Down Expand Up @@ -53,11 +53,30 @@ def run_portfolio_truth_mode(args: Any) -> None:
username=args.username,
)
security_alerts_by_name: dict[str, dict] | None = None
security_coverage_metadata: dict[str, object] | None = None
if getattr(args, "portfolio_truth_include_security", False):
security_alerts_by_name = load_security_alerts_by_name(
receipt_path_value = getattr(args, "portfolio_truth_security_receipt", None)
loaded_security = load_security_coverage_by_full_name(
output_dir=output_dir,
username=args.username,
receipt_path=Path(receipt_path_value) if receipt_path_value else None,
max_age_hours=getattr(
args, "portfolio_truth_security_max_age_hours", 24
),
)
if loaded_security is not None:
security_alerts_by_name = loaded_security.entries_by_full_name
security_coverage_metadata = {
"source_id": "github-security-coverage-receipt",
"schema_version": loaded_security.schema_version,
"produced_at": loaded_security.produced_at,
"state": loaded_security.receipt_state,
"age_hours": loaded_security.age_hours,
"cohort_policy": loaded_security.cohort_policy,
"cohort_repository_count": len(
loaded_security.cohort_repositories
),
"path": loaded_security.source_path,
}
repo_status_by_name = load_live_repo_status_by_name(
username=args.username,
token=getattr(args, "token", None),
Expand All @@ -80,6 +99,7 @@ def run_portfolio_truth_mode(args: Any) -> None:
allow_empty_notion=getattr(args, "portfolio_truth_allow_empty_notion", False),
release_count_by_name=release_count_by_name,
security_alerts_by_name=security_alerts_by_name,
security_coverage_metadata=security_coverage_metadata,
repo_status_by_name=repo_status_by_name,
producer_evidence=producer_evidence,
producer_repo_root=producer_repo_root,
Expand Down
2 changes: 2 additions & 0 deletions src/app/security_modes.py
Original file line number Diff line number Diff line change
Expand Up @@ -85,8 +85,10 @@
max_age_hours=getattr(args, "max_age_hours", None),
)
if getattr(args, "json", False):
# lgtm[py/clear-text-logging-sensitive-data] Count-only alert summary; no secret values.
print(json.dumps(report.to_dict(), indent=2))

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information High

This expression logs
sensitive data (secret)
as clear text.
else:
# lgtm[py/clear-text-logging-sensitive-data] Count-only alert summary; no secret values.
print(render_security_gate_markdown(report))

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information High

This expression logs
sensitive data (secret)
as clear text.
This expression logs
sensitive data (secret)
as clear text.
if not report.passed:
raise SystemExit(1)
24 changes: 17 additions & 7 deletions src/cache.py
Original file line number Diff line number Diff line change
Expand Up @@ -2,32 +2,40 @@

import hashlib
import json
import re
import time
from urllib.parse import parse_qsl, urlparse
from pathlib import Path
from typing import Any
from urllib.parse import parse_qsl, urlparse

CACHE_DIR = Path("output/.cache")
CACHE_TTL = 3600 # 1 hour
_SENSITIVE_FIELD_NAMES = frozenset(
{
"access_token",
"api_key",
"apikey",
"authorization",
"api_key",
"apikey",
"authorization",
"client_secret",
"credential",
"password",
"private_key",
"password",
"private_key",
"github_token",
"secret",
"token",
}
)
_SENSITIVE_VALUE_PATTERNS = (
re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
re.compile(r"\bgithub_pat_[A-Za-z0-9_]{20,}\b"),
re.compile(r"\bxox[bpors]-[A-Za-z0-9-]{10,}\b"),
re.compile(r"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----"),
)


def contains_sensitive_data(value: Any) -> bool:
"""Return whether JSON-compatible data contains a credential field."""
"""Return whether JSON-compatible data contains credential data."""
if isinstance(value, dict):
return any(
str(key).lower() in _SENSITIVE_FIELD_NAMES or contains_sensitive_data(item)
Expand All @@ -37,6 +45,8 @@ def contains_sensitive_data(value: Any) -> bool:
return any(contains_sensitive_data(item) for item in value)
if isinstance(value, tuple):
return any(contains_sensitive_data(item) for item in value)
if isinstance(value, str):
return any(pattern.search(value) for pattern in _SENSITIVE_VALUE_PATTERNS)
Comment on lines +48 to +49

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Apply scalar secret checks to cached URLs

The new scalar detector catches token-shaped strings in params and response, but ResponseCache.put still only checks URL query names via _url_has_sensitive_query(url) and then persists the raw url field. If a fully composed URL contains a credential-shaped value under a benign key, such as a copied search or next-page URL with ?q=ghp_..., it bypasses this new pattern block and is written to output/.cache; run the same scalar check over the URL string or parsed query values before writing.

Useful? React with 👍 / 👎.

return False


Expand Down
41 changes: 38 additions & 3 deletions src/cli.py
Original file line number Diff line number Diff line change
Expand Up @@ -437,6 +437,28 @@ def _build_report_subparser(subparsers: argparse._SubParsersAction) -> None: #
p.add_argument(
"--portfolio-truth", action="store_true", help="Generate canonical portfolio truth snapshot"
)
p.add_argument(
"--portfolio-truth-include-security",
action="store_true",
help=(
"Overlay security coverage from the validated "
"github-security-coverage-latest.json receipt"
),
)
p.add_argument(
"--portfolio-truth-security-receipt",
type=str,
default=None,
metavar="PATH",
help="Explicit provenance-bearing GitHub security receipt path",
)
p.add_argument(
"--portfolio-truth-security-max-age-hours",
type=int,
default=24,
metavar="HOURS",
help="Freshness window for GitHub security observations (default: 24)",
)
p.add_argument(
"--portfolio-truth-allow-empty-notion",
action="store_true",
Expand Down Expand Up @@ -683,11 +705,24 @@ def build_parser() -> argparse.ArgumentParser:
"--portfolio-truth-include-security",
action="store_true",
help=(
"Overlay the security.* GHAS alert counts on each project from the latest "
"output/ghas-alerts-<username>-*.json file, feeding the active-high-severity-alerts "
"risk factor (requires a prior `audit report --ghas-alerts` run)"
"Overlay security coverage from the validated "
"github-security-coverage-latest.json receipt"
),
)
parser.add_argument(
"--portfolio-truth-security-receipt",
type=str,
default=None,
metavar="PATH",
help="Explicit provenance-bearing GitHub security receipt path",
)
parser.add_argument(
"--portfolio-truth-security-max-age-hours",
type=int,
default=24,
metavar="HOURS",
help="Freshness window for GitHub security observations (default: 24)",
)
parser.add_argument(
"--portfolio-truth-allow-empty-notion",
action="store_true",
Expand Down
Loading