sboulahtit/orion
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix: add .dockerignore and env_file to docker-compose
Some checks failed
CI / ruff (push) Successful in 9s
Details
CI / architecture (push) Has been cancelled
Details
CI / dependency-scanning (push) Has been cancelled
Details
CI / audit (push) Has been cancelled
Details
CI / docs (push) Has been cancelled
Details
CI / deploy (push) Has been cancelled
Details
CI / pytest (push) Has been cancelled
Details

Browse Source 
Prevents .env from being baked into Docker image (was overriding
config defaults). Adds env_file directive so containers load host
.env properly.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Samir Boulahtit
2026-02-14 20:01:21 +01:00
parent cf08e1a6c8
commit 688896d856
25 changed files with 274 additions and 161 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
scripts/validate/validate_security.py
View File

@@ -192,6 +192,8 @@ class SecurityValidator(BaseValidator):
# Check for eval usage
for i, line in enumerate(lines, 1):
if re.search(r"\beval\s*\(", line) and "//" not in line.split("eval")[0]:
if self._is_noqa_suppressed(line, "SEC-013"):
continue
self._add_violation(
rule_id="SEC-013",
rule_name="No code execution",
@@ -206,6 +208,8 @@ class SecurityValidator(BaseValidator):
# Check for innerHTML with user input
for i, line in enumerate(lines, 1):
if re.search(r"\.innerHTML\s*=", line) and "//" not in line.split("innerHTML")[0]:
if self._is_noqa_suppressed(line, "SEC-015"):
continue
self._add_violation(
rule_id="SEC-015",
rule_name="XSS prevention",
@@ -222,6 +226,8 @@ class SecurityValidator(BaseValidator):
# SEC-015: XSS via |safe filter
for i, line in enumerate(lines, 1):
if re.search(r"\|\s*safe", line) and "sanitized" not in line.lower():
if self._is_noqa_suppressed(line, "SEC-015"):
continue
self._add_violation(
rule_id="SEC-015",
rule_name="XSS prevention in templates",
@@ -236,6 +242,8 @@ class SecurityValidator(BaseValidator):
# Check for x-html with dynamic content
for i, line in enumerate(lines, 1):
if re.search(r'x-html="[^"]*\w', line) and "sanitized" not in line.lower():
if self._is_noqa_suppressed(line, "SEC-015"):
continue
self._add_violation(
rule_id="SEC-015",
rule_name="XSS prevention in templates",
@@ -268,6 +276,8 @@ class SecurityValidator(BaseValidator):
# Check for environment variable references
if "${" in line or "os.getenv" in line or "environ" in line:
continue
if self._is_noqa_suppressed(line, "SEC-001"):
continue
self._add_violation(
rule_id="SEC-001",
rule_name="No hardcoded credentials",
@@ -296,7 +306,7 @@ class SecurityValidator(BaseValidator):
exclude_patterns = [
"os.getenv", "os.environ", "settings.", '""', "''",
"# noqa", "# test", "password_hash", "example"
"# test", "password_hash", "example"
]
for i, line in enumerate(lines, 1):
@@ -305,6 +315,8 @@ class SecurityValidator(BaseValidator):
# Check exclusions
if any(exc in line for exc in exclude_patterns):
continue
if self._is_noqa_suppressed(line, "SEC-001"):
continue
self._add_violation(
rule_id="SEC-001",
rule_name="No hardcoded credentials",
@@ -329,7 +341,7 @@ class SecurityValidator(BaseValidator):
for i, line in enumerate(lines, 1):
for pattern in patterns:
if re.search(pattern, line):
if "# noqa" in line or "# safe" in line:
if self._is_noqa_suppressed(line, "SEC-011") or "# safe" in line:
continue
self._add_violation(
rule_id="SEC-011",
@@ -345,15 +357,15 @@ class SecurityValidator(BaseValidator):
def _check_command_injection(self, file_path: Path, content: str, lines: list[str]):
"""SEC-012: Check for command injection vulnerabilities"""
patterns = [
(r"subprocess.*shell\s*=\s*True", "shell=True in subprocess"),
(r"os\.system\s*\(", "os.system()"),
(r"os\.popen\s*\(", "os.popen()"),
(r"subprocess.*shell\s*=\s*True", "shell=True in subprocess"), # noqa: SEC-012
(r"os\.system\s*\(", "os.system()"), # noqa: SEC-012
(r"os\.popen\s*\(", "os.popen()"), # noqa: SEC-012
]
for i, line in enumerate(lines, 1):
for pattern, issue in patterns:
if re.search(pattern, line):
if "# noqa" in line or "# safe" in line:
if self._is_noqa_suppressed(line, "SEC-012") or "# safe" in line:
continue
self._add_violation(
rule_id="SEC-012",
@@ -378,6 +390,8 @@ class SecurityValidator(BaseValidator):
for i, line in enumerate(lines, 1):
for pattern, issue in patterns:
if re.search(pattern, line, re.IGNORECASE):
if self._is_noqa_suppressed(line, "SEC-013"):
continue
self._add_violation(
rule_id="SEC-013",
rule_name="No code execution",
@@ -405,6 +419,8 @@ class SecurityValidator(BaseValidator):
if re.search(pattern, line, re.IGNORECASE):
if has_secure_filename:
continue
if self._is_noqa_suppressed(line, "SEC-014"):
continue
self._add_violation(
rule_id="SEC-014",
rule_name="Path traversal prevention",
@@ -427,7 +443,7 @@ class SecurityValidator(BaseValidator):
for i, line in enumerate(lines, 1):
for pattern, issue in patterns:
if re.search(pattern, line):
if "# noqa" in line:
if self._is_noqa_suppressed(line, "SEC-020"):
continue
self._add_violation(
rule_id="SEC-020",
@@ -449,13 +465,15 @@ class SecurityValidator(BaseValidator):
(r"print\s*\([^)]*password", "password in print"),
]
exclude = ["password_hash", "password_reset", "password_changed", "# noqa"]
exclude = ["password_hash", "password_reset", "password_changed"]
for i, line in enumerate(lines, 1):
for pattern, issue in patterns:
if re.search(pattern, line, re.IGNORECASE):
if any(exc in line for exc in exclude):
continue
if self._is_noqa_suppressed(line, "SEC-021"):
continue
self._add_violation(
rule_id="SEC-021",
rule_name="PII logging prevention",
@@ -478,7 +496,9 @@ class SecurityValidator(BaseValidator):
for i, line in enumerate(lines, 1):
for pattern in patterns:
if re.search(pattern, line):
if "logger" in line or "# noqa" in line:
if "logger" in line:
continue
if self._is_noqa_suppressed(line, "SEC-024"):
continue
self._add_violation(
rule_id="SEC-024",
@@ -495,7 +515,7 @@ class SecurityValidator(BaseValidator):
"""SEC-034: Check for HTTP instead of HTTPS"""
for i, line in enumerate(lines, 1):
if re.search(r"http://(?!localhost|127\.0\.0\.1|0\.0\.0\.0|\$)", line):
if "# noqa" in line or "example.com" in line or "schemas" in line:
if self._is_noqa_suppressed(line, "SEC-034") or "example.com" in line or "schemas" in line:
continue
if "http://www.w3.org" in line:
continue
@@ -524,6 +544,8 @@ class SecurityValidator(BaseValidator):
for i, line in enumerate(lines, 1):
for pattern in patterns:
if re.search(pattern, line) and "timeout" not in line:
if self._is_noqa_suppressed(line, "SEC-040"):
continue
self._add_violation(
rule_id="SEC-040",
rule_name="Timeout configuration",
@@ -547,7 +569,7 @@ class SecurityValidator(BaseValidator):
for i, line in enumerate(lines, 1):
for pattern, algo in patterns:
if re.search(pattern, line):
if "# noqa" in line or "# checksum" in line or "# file hash" in line:
if self._is_noqa_suppressed(line, "SEC-041") or "# checksum" in line or "# file hash" in line:
continue
self._add_violation(
rule_id="SEC-041",
@@ -580,7 +602,7 @@ class SecurityValidator(BaseValidator):
for i, line in enumerate(lines, 1):
for pattern in patterns:
if re.search(pattern, line):
if "# noqa" in line or "# not security" in line:
if self._is_noqa_suppressed(line, "SEC-042") or "# not security" in line:
continue
self._add_violation(
rule_id="SEC-042",
@@ -609,6 +631,8 @@ class SecurityValidator(BaseValidator):
if re.search(pattern, line):
if any(exc in line for exc in exclude):
continue
if self._is_noqa_suppressed(line, "SEC-043"):
continue
self._add_violation(
rule_id="SEC-043",
rule_name="No hardcoded encryption keys",
@@ -631,7 +655,7 @@ class SecurityValidator(BaseValidator):
for i, line in enumerate(lines, 1):
for pattern, issue in patterns:
if re.search(pattern, line):
if "# noqa" in line or "# test" in line or "DEBUG" in line:
if self._is_noqa_suppressed(line, "SEC-047") or "# test" in line or "DEBUG" in line:
continue
self._add_violation(
rule_id="SEC-047",
@@ -650,6 +674,8 @@ class SecurityValidator(BaseValidator):
# Find the jwt.encode line
for i, line in enumerate(lines, 1):
if "jwt.encode" in line:
if self._is_noqa_suppressed(line, "SEC-002"):
continue
self._add_violation(
rule_id="SEC-002",
rule_name="JWT expiry enforcement",
@@ -676,6 +702,8 @@ class SecurityValidator(BaseValidator):
for i, line in enumerate(lines, 1):
for pattern in patterns:
if re.search(pattern, line):
if self._is_noqa_suppressed(line, "SEC-022"):
continue
self._add_violation(
rule_id="SEC-022",
rule_name="Sensitive data in URLs",