Spaces:

S-Dreamer
/

PassiveOSINTControlPanel

Running

App Files Files Community

S-Dreamer commited on 12 days ago

Commit

4f25455

verified ·

1 Parent(s): c36870d

Upload 3 files

Browse files

Files changed (3) hide show

.github/workflows/bandit.yml +42 -0
.github/workflows/sync-huggingface.yml +32 -3
.github/workflows/test-sec.yml +110 -0

.github/workflows/bandit.yml ADDED Viewed

	@@ -0,0 +1,42 @@

+name: Bandit
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+  schedule:
+    - cron: "40 13 * * 4"
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+jobs:
+  bandit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.x"
+      - name: Install Bandit
+        run: python -m pip install --upgrade bandit[toml]
+      - name: Run Bandit
+        run: |
+          bandit -r . \
+            -f sarif \
+            -o bandit.sarif \
+            --exclude .git,__pycache__,.tox,.eggs,*.egg
+      - name: Upload SARIF
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: bandit.sarif

.github/workflows/sync-huggingface.yml CHANGED Viewed

@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
   workflow_dispatch:
     inputs:
       sync_direction:
@@ -19,7 +20,7 @@ permissions:
   contents: write
 concurrency:
-  group: repo-sync-${{ github.ref }}
   cancel-in-progress: false
 jobs:
@@ -34,6 +35,14 @@ jobs:
         with:
           fetch-depth: 0
       - name: Configure Git identity
         run: |
           git config --global user.name "github-actions[bot]"
@@ -45,10 +54,19 @@ jobs:
           HF_USERNAME: ${{ secrets.HF_USERNAME }}
         run: |
           REPO_NAME="${GITHUB_REPOSITORY#*/}"
           git remote remove huggingface 2>/dev/null || true
           git remote add huggingface "https://${HF_USERNAME}:${HF_TOKEN}@huggingface.co/spaces/${HF_USERNAME}/${REPO_NAME}"
-      - name: Push to Hugging Face Hub
         run: |
           git push huggingface main:main --force-with-lease
@@ -58,6 +76,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout GitHub repository
         uses: actions/checkout@v4
         with:
@@ -75,6 +103,7 @@ jobs:
           HF_USERNAME: ${{ secrets.HF_USERNAME }}
         run: |
           REPO_NAME="${GITHUB_REPOSITORY#*/}"
           git remote remove huggingface 2>/dev/null || true
           git remote add huggingface "https://${HF_USERNAME}:${HF_TOKEN}@huggingface.co/spaces/${HF_USERNAME}/${REPO_NAME}"
@@ -89,4 +118,4 @@ jobs:
       - name: Push merged state to GitHub
         run: |
-          git push origin main

   push:
     branches:
       - main
   workflow_dispatch:
     inputs:
       sync_direction:
   contents: write
 concurrency:
+  group: repo-sync-main
   cancel-in-progress: false
 jobs:
         with:
           fetch-depth: 0
+      - name: Validate required secrets
+        env:
+          HF_TOKEN: ${{ secrets.HF_TOKEN }}
+          HF_USERNAME: ${{ secrets.HF_USERNAME }}
+        run: |
+          test -n "$HF_TOKEN" || (echo "HF_TOKEN is missing" && exit 1)
+          test -n "$HF_USERNAME" || (echo "HF_USERNAME is missing" && exit 1)
       - name: Configure Git identity
         run: |
           git config --global user.name "github-actions[bot]"
           HF_USERNAME: ${{ secrets.HF_USERNAME }}
         run: |
           REPO_NAME="${GITHUB_REPOSITORY#*/}"
           git remote remove huggingface 2>/dev/null || true
           git remote add huggingface "https://${HF_USERNAME}:${HF_TOKEN}@huggingface.co/spaces/${HF_USERNAME}/${REPO_NAME}"
+      - name: Verify remotes
+        run: |
+          git remote -v | sed 's#https://.*@huggingface.co#https://***@huggingface.co#g'
+      - name: Fetch Hugging Face state
+        run: |
+          git fetch huggingface main || true
+      - name: Push GitHub main to Hugging Face
         run: |
           git push huggingface main:main --force-with-lease
     runs-on: ubuntu-latest
     steps:
+      - name: Validate required secrets
+        env:
+          HF_TOKEN: ${{ secrets.HF_TOKEN }}
+          HF_USERNAME: ${{ secrets.HF_USERNAME }}
+          GH_PAT: ${{ secrets.GH_PAT }}
+        run: |
+          test -n "$HF_TOKEN" || (echo "HF_TOKEN is missing" && exit 1)
+          test -n "$HF_USERNAME" || (echo "HF_USERNAME is missing" && exit 1)
+          test -n "$GH_PAT" || (echo "GH_PAT is missing" && exit 1)
       - name: Checkout GitHub repository
         uses: actions/checkout@v4
         with:
           HF_USERNAME: ${{ secrets.HF_USERNAME }}
         run: |
           REPO_NAME="${GITHUB_REPOSITORY#*/}"
           git remote remove huggingface 2>/dev/null || true
           git remote add huggingface "https://${HF_USERNAME}:${HF_TOKEN}@huggingface.co/spaces/${HF_USERNAME}/${REPO_NAME}"
       - name: Push merged state to GitHub
         run: |
+          git push origin main

.github/workflows/test-sec.yml ADDED Viewed

	@@ -0,0 +1,110 @@

+name: CI
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+permissions:
+  contents: read
+jobs:
+  test-and-secure:
+    runs-on: ubuntu-latest
+    env:
+      ALLOW_DEV_SALT: "true"
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+      - name: Cache pip dependencies
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install -r requirements.txt
+          python -m pip install pytest ruff bandit pip-audit
+      - name: Lint with Ruff
+        run: ruff check .
+      - name: Check formatting with Ruff
+        run: ruff format --check .
+      - name: Security scan with Bandit
+        run: |
+          bandit -r osint_core/ -ll
+      - name: Audit Python dependencies
+        run: |
+          pip-audit -r requirements.txt
+      - name: Run tests
+        run: |
+          pytest -v --tb=short
+  drift-guard:
+    runs-on: ubuntu-latest
+    needs: test-and-secure
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+      - name: Install YAML parser
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install PyYAML
+      - name: Verify critical files exist
+        run: |
+          test -f osint_core/intent.py
+          test -f osint_core/policy.py
+          test -f osint_core/validators.py
+      - name: Prevent forbidden tools from entering repo
+        run: |
+          if git grep -n -I -E "nmap|masscan|sqlmap|metasploit" -- . \
+            ':(exclude).github/workflows/*' \
+            ':(exclude)README.md' \
+            ':(exclude)docs/*'; then
+            echo "Forbidden tooling detected"
+            exit 1
+          fi
+      - name: Enforce passive-first invariant
+        run: |
+          if git grep -n -I "requests.get(" -- osint_core/ | grep -v "authorized"; then
+            echo "Potential unauthorized outbound request"
+            exit 1
+          fi
+      - name: Validate YAML integrity
+        run: |
+          python -c "import yaml; yaml.safe_load(open('data/sources.yaml', encoding='utf-8'))"
+      - name: Check for raw indicator leakage
+        run: |
+          if git grep -n -I -E "example\.com|@gmail\.com|192\.168\." -- osint_core/; then
+            echo "Possible raw indicator leakage"
+            exit 1
+          fi