
Added Security Workflow

Open naman9271 opened this issue 1 month ago • 1 comment

Fixes: #1249

This pull request introduces a comprehensive security scanning setup for the repository, including configuration files and workflows for automated detection of vulnerabilities and secrets. It adds CodeQL analysis, dependency and secret scanning, and security audits for both PHP (Composer) and JavaScript (NPM) projects. Additionally, it provides custom configurations for both CodeQL and Gitleaks to tailor scanning to the project's needs.

Security scanning workflow integration:

  • Added .github/workflows/security.yml to automate CodeQL analysis (for JavaScript and Python), dependency vulnerability scanning (Trivy, OSV), secret scanning (Gitleaks), Composer and NPM audits, and a summary step to report results and fail on critical issues.

Configuration for scanning tools:

  • Added .github/codeql/codeql-config.yml to customize CodeQL queries, specify include/exclude paths, and configure language-specific options for Python and JavaScript analysis.
  • Added .gitleaks.toml to configure Gitleaks secret scanning with custom rules for OpenML-specific secrets, allowlists for common false positives, and exclusion of non-sensitive files and patterns.

naman9271 avatar Nov 15 '25 20:11 naman9271
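One way the "summary step" described in the PR could be implemented, as an added example that is not the PR's own code. It assumes Trivy was run with `--format json` and `npm audit` with `--json`, that "critical issues" means the CRITICAL severity level, and it uses constructed sample reports rather than real findings.

```python
"""Summary step for the security workflow (added example, not the PR's own code).

Assumes Trivy was run with `--format json` and `npm audit --json`; the reports
below are constructed samples in those tools' documented JSON layouts.
"""
import os
import sys
from collections import Counter

# Assumption: "fail on critical issues" means only the CRITICAL level blocks the job.
FAIL_ON = {"CRITICAL"}

def trivy_severities(report: dict) -> Counter:
    """Count findings per severity level in a Trivy JSON report."""
    counts = Counter()
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            counts[str(vuln.get("Severity", "UNKNOWN")).upper()] += 1
    return counts

def npm_audit_severities(report: dict) -> Counter:
    """Count findings per severity level in `npm audit --json` output (npm 7+)."""
    counts = Counter()
    for advisory in (report.get("vulnerabilities") or {}).values():
        counts[str(advisory.get("severity", "unknown")).upper()] += 1
    return counts

def summarize(reports: dict) -> tuple:
    """Render a markdown table for the job summary and decide pass/fail."""
    lines = ["| Scanner | Critical | High | Moderate/Medium | Low |", "|---|---|---|---|---|"]
    failed = False
    for name, counts in reports.items():
        medium = counts["MEDIUM"] + counts["MODERATE"]  # Trivy says MEDIUM, npm says moderate
        lines.append(f"| {name} | {counts['CRITICAL']} | {counts['HIGH']} | {medium} | {counts['LOW']} |")
        failed = failed or any(counts[s] > 0 for s in FAIL_ON)
    return "\n".join(lines), failed

# Constructed sample reports (not real findings from the OpenML repository).
TRIVY_SAMPLE = {"Results": [{"Target": "composer.lock", "Vulnerabilities": [
    {"VulnerabilityID": "EXAMPLE-0001", "Severity": "CRITICAL"},
    {"VulnerabilityID": "EXAMPLE-0002", "Severity": "low"}]}]}
NPM_SAMPLE = {"vulnerabilities": {"example-pkg": {"severity": "high"}}}

if __name__ == "__main__":
    table, failed = summarize({"Trivy": trivy_severities(TRIVY_SAMPLE),
                               "npm audit": npm_audit_severities(NPM_SAMPLE)})
    print(table)
    if os.environ.get("GITHUB_STEP_SUMMARY"):  # GitHub Actions job summary file
        with open(os.environ["GITHUB_STEP_SUMMARY"], "a") as fh:
            fh.write(table + "\n")
    sys.exit(1 if failed else 0)
```

In the workflow the sample dictionaries would be replaced by the JSON files the earlier scanner steps write, and the non-zero exit is what makes the job fail.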

Hi @joaquinvanschoren, @janvanrijn please review when you get a chance - thanks

naman9271 avatar Nov 15 '25 20:11 naman9271