diff --git a/.github/workflows/docker-stable.yml b/.github/workflows/docker-stable.yml index 2a4c92d..3639ffc 100644 --- a/.github/workflows/docker-stable.yml +++ b/.github/workflows/docker-stable.yml @@ -6,39 +6,46 @@ on: description: 'Version to mark as stable (e.g., 1.2.3)' required: true +permissions: + contents: read + jobs: stable: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Check if version exists in PyPI id: version_check + env: + INPUT_VERSION: ${{ inputs.version }} run: | - if ! curl -s -f https://pypi.org/pypi/socketsecurity/${{ inputs.version }}/json > /dev/null; then - echo "Error: Version ${{ inputs.version }} not found on PyPI" + if ! curl -s -f "https://pypi.org/pypi/socketsecurity/${INPUT_VERSION}/json" > /dev/null; then + echo "Error: Version ${INPUT_VERSION} not found on PyPI" exit 1 fi - echo "Version ${{ inputs.version }} found on PyPI - proceeding with release" + echo "Version ${INPUT_VERSION} found on PyPI - proceeding with release" - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Login to Docker Hub with Organization Token - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build & Push Stable Docker - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 with: push: true platforms: linux/amd64,linux/arm64 tags: socketdev/cli:stable build-args: | CLI_VERSION=${{ inputs.version }} - \ No newline at end of file + diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml index c5426fb..03584f6 100644 --- a/.github/workflows/e2e-test.yml +++ b/.github/workflows/e2e-test.yml @@ -6,6 +6,9 @@ on: pull_request: workflow_dispatch: +permissions: + contents: read + jobs: e2e-scan: if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository @@ -14,6 +17,7 @@ jobs: - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 with: @@ -56,6 +60,7 @@ jobs: - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 with: @@ -96,6 +101,7 @@ jobs: - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 with: diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml index c14f190..1d7115a 100644 --- a/.github/workflows/pr-preview.yml +++ b/.github/workflows/pr-preview.yml @@ -15,6 +15,7 @@ jobs: - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 with: python-version: '3.13' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 99372b6..5549b88 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,6 +13,7 @@ jobs: - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 with: python-version: '3.13' @@ -26,11 +27,13 @@ jobs: - name: Get Version id: version + env: + REF_NAME: ${{ github.ref_name }} run: | RAW_VERSION=$(hatch version) echo "VERSION=$RAW_VERSION" >> $GITHUB_ENV - if [ "v$RAW_VERSION" != "${{ github.ref_name }}" ]; then - echo "Error: Git tag (${{ github.ref_name }}) does not match hatch version (v$RAW_VERSION)" + if [ "v$RAW_VERSION" != "$REF_NAME" ]; then + echo "Error: Git tag ($REF_NAME) does not match hatch version (v$RAW_VERSION)" exit 1 fi @@ -52,7 +55,7 @@ jobs: env: VERSION: ${{ env.VERSION }} run: | - if curl -s -f "https://hub.docker.com/v2/repositories/socketdev/cli/tags/${{ env.VERSION }}" > /dev/null; then + if curl -s -f "https://hub.docker.com/v2/repositories/socketdev/cli/tags/${VERSION}" > /dev/null; then echo "Docker image socketdev/cli:${VERSION} already exists" echo "docker_exists=true" >> $GITHUB_OUTPUT else @@ -113,4 +116,4 @@ jobs: socketdev/cli:latest socketdev/cli:${{ env.VERSION }} build-args: | - CLI_VERSION=${{ env.VERSION }} \ No newline at end of file + CLI_VERSION=${{ env.VERSION }} diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml index 3276e73..5b9bda8 100644 --- a/.github/workflows/version-check.yml +++ b/.github/workflows/version-check.yml @@ -7,6 +7,11 @@ on: - 'setup.py' - 'pyproject.toml' +permissions: + contents: read + pull-requests: write + issues: write + jobs: check_version: runs-on: ubuntu-latest @@ -14,6 +19,7 @@ jobs: - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 with: fetch-depth: 0 # Fetch all history for all branches + persist-credentials: false - name: Check version increment id: version_check diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..39d1b18 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,3 @@ +rules: + secrets-outside-env: + disable: true diff --git a/README.md b/README.md index ef84057..7929189 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ Socket Python CLI for Socket scans, diff reporting, reachability analysis, and SARIF/GitLab exports. -Comprehensive docs are available in [`docs/`](docs/) for full flag reference, CI/CD-specific guidance, and contributor setup. +Comprehensive docs are available in [`docs/`](https://github.com/SocketDev/socket-python-cli/tree/main/docs) for full flag reference, CI/CD-specific guidance, and contributor setup. ## Quick start @@ -27,8 +27,8 @@ socketcli --target-path . ## Common use cases This section covers the paved path/common workflows. -For advanced options and exhaustive details, see [`docs/cli-reference.md`](docs/cli-reference.md). -For CI/CD-specific guidance, see [`docs/ci-cd.md`](docs/ci-cd.md). +For advanced options and exhaustive details, see [`docs/cli-reference.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/cli-reference.md). +For CI/CD-specific guidance, see [`docs/ci-cd.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/ci-cd.md). ### Basic policy scan (no SARIF) @@ -91,7 +91,7 @@ socketcli \ Dashboard parity note: - Full-scope SARIF is the closest match for dashboard-style filtering. - Exact result counts can still differ from the dashboard due to backend/API consolidation differences and grouping semantics. -- See [`docs/troubleshooting.md#dashboard-vs-cli-result-counts`](docs/troubleshooting.md#dashboard-vs-cli-result-counts). +- See [`docs/troubleshooting.md#dashboard-vs-cli-result-counts`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/troubleshooting.md#dashboard-vs-cli-result-counts). ## Config files (`--config`) @@ -137,23 +137,23 @@ socketcli --config .socketcli.toml --target-path . Reference sample configs: TOML: -- [`examples/config/sarif-dashboard-parity.toml`](examples/config/sarif-dashboard-parity.toml) -- [`examples/config/sarif-instance-detail.toml`](examples/config/sarif-instance-detail.toml) -- [`examples/config/sarif-diff-ci-cd.toml`](examples/config/sarif-diff-ci-cd.toml) +- [`examples/config/sarif-dashboard-parity.toml`](https://github.com/SocketDev/socket-python-cli/blob/main/examples/config/sarif-dashboard-parity.toml) +- [`examples/config/sarif-instance-detail.toml`](https://github.com/SocketDev/socket-python-cli/blob/main/examples/config/sarif-instance-detail.toml) +- [`examples/config/sarif-diff-ci-cd.toml`](https://github.com/SocketDev/socket-python-cli/blob/main/examples/config/sarif-diff-ci-cd.toml) JSON: -- [`examples/config/sarif-dashboard-parity.json`](examples/config/sarif-dashboard-parity.json) -- [`examples/config/sarif-instance-detail.json`](examples/config/sarif-instance-detail.json) -- [`examples/config/sarif-diff-ci-cd.json`](examples/config/sarif-diff-ci-cd.json) +- [`examples/config/sarif-dashboard-parity.json`](https://github.com/SocketDev/socket-python-cli/blob/main/examples/config/sarif-dashboard-parity.json) +- [`examples/config/sarif-instance-detail.json`](https://github.com/SocketDev/socket-python-cli/blob/main/examples/config/sarif-instance-detail.json) +- [`examples/config/sarif-diff-ci-cd.json`](https://github.com/SocketDev/socket-python-cli/blob/main/examples/config/sarif-diff-ci-cd.json) ## CI/CD examples Prebuilt workflow examples: -- [GitHub Actions](workflows/github-actions.yml) -- [Buildkite](workflows/buildkite.yml) -- [GitLab CI](workflows/gitlab-ci.yml) -- [Bitbucket Pipelines](workflows/bitbucket-pipelines.yml) +- [GitHub Actions](https://github.com/SocketDev/socket-python-cli/blob/main/workflows/github-actions.yml) +- [Buildkite](https://github.com/SocketDev/socket-python-cli/blob/main/workflows/buildkite.yml) +- [GitLab CI](https://github.com/SocketDev/socket-python-cli/blob/main/workflows/gitlab-ci.yml) +- [Bitbucket Pipelines](https://github.com/SocketDev/socket-python-cli/blob/main/workflows/bitbucket-pipelines.yml) Minimal pattern: @@ -166,7 +166,7 @@ Minimal pattern: ## Common gotchas -See [`docs/troubleshooting.md`](docs/troubleshooting.md#common-gotchas). +See [`docs/troubleshooting.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/troubleshooting.md#common-gotchas). ## Quick verification checks @@ -187,7 +187,7 @@ jq '.runs[0].results | length' sarif-diff-reachable.sarif ## Documentation reference -- Full CLI reference: [`docs/cli-reference.md`](docs/cli-reference.md) -- CI/CD guide: [`docs/ci-cd.md`](docs/ci-cd.md) -- Troubleshooting guide: [`docs/troubleshooting.md`](docs/troubleshooting.md) -- Development guide: [`docs/development.md`](docs/development.md) +- Full CLI reference: [`docs/cli-reference.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/cli-reference.md) +- CI/CD guide: [`docs/ci-cd.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/ci-cd.md) +- Troubleshooting guide: [`docs/troubleshooting.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/troubleshooting.md) +- Development guide: [`docs/development.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/development.md) diff --git a/pyproject.toml b/pyproject.toml index 7b7cd2a..6b37502 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -6,7 +6,7 @@ build-backend = "hatchling.build" [project] name = "socketsecurity" -version = "2.2.79" +version = "2.2.80" requires-python = ">= 3.11" license = {"file" = "LICENSE"} dependencies = [ diff --git a/socketsecurity/__init__.py b/socketsecurity/__init__.py index e56db94..92eb029 100644 --- a/socketsecurity/__init__.py +++ b/socketsecurity/__init__.py @@ -1,3 +1,3 @@ __author__ = 'socket.dev' -__version__ = '2.2.79' +__version__ = '2.2.80' USER_AGENT = f'SocketPythonCLI/{__version__}'