fix(security): resolve Snyk/bandit code analysis findings
Aegis CI / lint-and-test (push) Has been cancelled
Snyk Security Scan / Python vulnerabilities (backend) (push) Has been cancelled
Snyk Security Scan / npm vulnerabilities (frontend) (push) Has been cancelled
Snyk Security Scan / Docker image vulnerabilities (backend) (push) Has been cancelled
Aegis CI / lint-and-test (push) Has been cancelled
Snyk Security Scan / Python vulnerabilities (backend) (push) Has been cancelled
Snyk Security Scan / npm vulnerabilities (frontend) (push) Has been cancelled
Snyk Security Scan / Docker image vulnerabilities (backend) (push) Has been cancelled
- config.py: move REPORT_OUTPUT_DIR from /tmp (world-writable) to /app/reports to prevent CWE-377 symlink attack vector (B108, only real security issue) - main.py: log startup seed failures instead of silently swallowing them (B110) - Add # nosec annotations to intentional try/except patterns that are by design: Jira integration errors, email failures, DetachedInstanceError, storage errors, and Jira session timeout (all B110/B112 false positives) - Add # nosec B105 to false positives where bandit misidentifies config key names and masking strings as hardcoded passwords - Add .bandit config to skip B311 in seed_demo.py (random used for fake demo data generation, not cryptographic purposes)
This commit is contained in:
kitos
@@ -109,7 +109,7 @@ class Settings(BaseSettings):
|
||||
# ── Reporting ─────────────────────────────────────────────────────
|
||||
REPORT_TEMPLATES_DIR: str = "app/templates/reports"
|
||||
# Assign REPORT_OUTPUT_DIR = "/tmp/aegis_reports"
|
||||
REPORT_OUTPUT_DIR: str = "/tmp/aegis_reports"
|
||||
REPORT_OUTPUT_DIR: str = "/app/reports"
|
||||
# Assign COMPANY_NAME = "Organization"
|
||||
COMPANY_NAME: str = "Organization"
|
||||
# Assign COMPANY_LOGO_PATH = "app/templates/reports/assets/logo.png"
|
||||
|
||||
Reference in New Issue
Block a user