feat: Add comprehensive security vulnerability scanning system

.bandit

@@ -0,0 +1,102 @@
+# Bandit configuration for tf-shell
+# This file configures Bandit security scanner for Python code
+
+[bandit]
+# Directories to exclude from scanning
+exclude_dirs = [
+    "*/test/*",
+    "*/tests/*", 
+    "bazel-*",
+    ".git",
+    "__pycache__",
+    "*.venv",
+    "venv",
+    "env"
+]
+
+# Files to skip
+skips = [
+    # Skip test files that may contain intentionally insecure code for testing
+    "*/test_*.py",
+    "*/*_test.py"
+]
+
+# Security tests to run (all by default, but can be customized)
+tests = [
+    "B101",  # assert_used
+    "B102",  # exec_used
+    "B103",  # set_bad_file_permissions
+    "B104",  # hardcoded_bind_all_interfaces
+    "B105",  # hardcoded_password_string
+    "B106",  # hardcoded_password_funcarg
+    "B107",  # hardcoded_password_default
+    "B108",  # hardcoded_tmp_directory
+    "B110",  # try_except_pass
+    "B112",  # try_except_continue
+    "B201",  # flask_debug_true
+    "B301",  # pickle
+    "B302",  # marshal
+    "B303",  # md5
+    "B304",  # des
+    "B305",  # cipher
+    "B306",  # mktemp_q
+    "B307",  # eval
+    "B308",  # mark_safe
+    "B309",  # httpsconnection
+    "B310",  # urllib_urlopen
+    "B311",  # random
+    "B312",  # telnetlib
+    "B313",  # xml_bad_cElementTree
+    "B314",  # xml_bad_ElementTree
+    "B315",  # xml_bad_expatreader
+    "B316",  # xml_bad_expatbuilder
+    "B317",  # xml_bad_sax
+    "B318",  # xml_bad_minidom
+    "B319",  # xml_bad_pulldom
+    "B320",  # xml_bad_etree
+    "B321",  # ftplib
+    "B322",  # input
+    "B323",  # unverified_context
+    "B324",  # hashlib_new_insecure_functions
+    "B325",  # tempnam
+    "B401",  # import_telnetlib
+    "B402",  # import_ftplib
+    "B403",  # import_pickle
+    "B404",  # import_subprocess
+    "B405",  # import_xml_etree
+    "B406",  # import_xml_sax
+    "B407",  # import_xml_expat
+    "B408",  # import_xml_minidom
+    "B409",  # import_xml_pulldom
+    "B410",  # import_lxml
+    "B411",  # import_xmlrpclib
+    "B412",  # import_httpoxy
+    "B413",  # import_pycrypto
+    "B501",  # request_with_no_cert_validation
+    "B502",  # ssl_with_bad_version
+    "B503",  # ssl_with_bad_defaults
+    "B504",  # ssl_with_no_version
+    "B505",  # weak_cryptographic_key
+    "B506",  # yaml_load
+    "B507",  # ssh_no_host_key_verification
+    "B601",  # paramiko_calls
+    "B602",  # subprocess_popen_with_shell_equals_true
+    "B603",  # subprocess_without_shell_equals_false
+    "B604",  # any_other_function_with_shell_equals_true
+    "B605",  # start_process_with_a_shell
+    "B606",  # start_process_with_no_shell
+    "B607",  # start_process_with_partial_path
+    "B608",  # hardcoded_sql_expressions
+    "B609",  # linux_commands_wildcard_injection
+    "B610",  # django_extra_used
+    "B611",  # django_rawsql_used
+    "B701",  # jinja2_autoescape_false
+    "B702",  # use_of_mako_templates
+    "B703"   # django_mark_safe
+]
+
+# Confidence levels to report (LOW, MEDIUM, HIGH)
+confidence = ["HIGH", "MEDIUM"]
+
+# Severity levels to report (LOW, MEDIUM, HIGH)  
+severity = ["MEDIUM", "HIGH"]

.github/dependabot.yml

@@ -0,0 +1,71 @@
+# Dependabot configuration for tf-shell
+# This file configures Dependabot to automatically create pull requests
+# for dependency updates, including security patches.
+
+version: 2
+updates:
+  # Monitor Python dependencies
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    # Allow both direct and indirect dependency updates
+    allow:
+      - dependency-type: "direct"
+      - dependency-type: "indirect"
+    # Automatically merge security updates
+    open-pull-requests-limit: 10
+    # Group related updates together
+    groups:
+      tensorflow:
+        patterns:
+          - "tensorflow*"
+      security-updates:
+        patterns:
+          - "*"
+        update-types:
+          - "security"
+    # Custom commit message
+    commit-message:
+      prefix: "deps"
+      prefix-development: "deps-dev"
+      include: "scope"
+    # Reviewers for dependency updates
+    reviewers:
+      - "google/tf-shell-maintainers"
+    # Labels to apply to PRs
+    labels:
+      - "dependencies"
+      - "security"
+
+  # Monitor GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/.github/workflows"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "ci"
+      include: "scope"
+    labels:
+      - "github-actions"
+      - "ci"
+
+  # Monitor Bazel dependencies (if applicable)
+  - package-ecosystem: "docker"
+    directory: "/.devcontainer"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 3
+    commit-message:
+      prefix: "docker"
+      include: "scope"
+    labels:
+      - "docker"
+      - "devcontainer"

.github/workflows/security.yml

@@ -0,0 +1,201 @@
+name: Security Vulnerability Scanning
+
+on:
+  # Run on every push to main and pull requests
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  # Run weekly security scans
+  schedule:
+    - cron: '0 6 * * 1'  # Every Monday at 6 AM UTC
+  # Allow manual trigger
+  workflow_dispatch:
+
+permissions:
+  # Required for security scanning
+  contents: read
+  security-events: write
+  actions: read
+
+jobs:
+  # Python dependency vulnerability scanning
+  python-security-scan:
+    name: Python Security Scan
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.10'
+
+      - name: Install security scanning tools
+        run: |
+          python -m pip install --upgrade pip
+          pip install safety bandit semgrep
+
+      - name: Run Safety (Python dependency vulnerability scanner)
+        run: |
+          # Scan requirements files for known vulnerabilities
+          for req_file in requirements*.txt; do
+            if [ -f "$req_file" ]; then
+              echo "Scanning $req_file..."
+              safety check -r "$req_file" --json --output safety-report-$(basename $req_file .txt).json || true
+            fi
+          done
+        continue-on-error: true
+
+      - name: Run Bandit (Python code security scanner)
+        run: |
+          # Scan Python code for security issues
+          bandit -r tf_shell/ tf_shell_ml/ -f json -o bandit-report.json || true
+          bandit -r tf_shell/ tf_shell_ml/ -f txt -o bandit-report.txt || true
+        continue-on-error: true
+
+      - name: Run Semgrep (Static analysis security scanner)
+        run: |
+          # Run Semgrep with security rules
+          semgrep --config=auto --json --output=semgrep-report.json tf_shell/ tf_shell_ml/ || true
+        continue-on-error: true
+
+      - name: Upload security scan results
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: python-security-reports
+          path: |
+            *-report.json
+            *-report.txt
+          retention-days: 30
+
+  # CodeQL analysis for comprehensive code scanning
+  codeql-analysis:
+    name: CodeQL Analysis
+    runs-on: ubuntu-22.04
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'python', 'cpp' ]
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          # Use default queries plus security-extended for more comprehensive scanning
+          queries: security-extended,security-and-quality
+
+      - name: Setup Bazel for C++ analysis
+        if: matrix.language == 'cpp'
+        run: |
+          # Install bazelisk for building C++ components
+          curl -LO "https://github.com/bazelbuild/bazelisk/releases/latest/download/bazelisk-linux-amd64"
+          chmod +x bazelisk-linux-amd64
+          sudo mv bazelisk-linux-amd64 /usr/local/bin/bazelisk
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"
+
+  # Dependency review for pull requests
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-22.04
+    if: github.event_name == 'pull_request'
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          # Fail the build if high or critical vulnerabilities are found
+          fail-on-severity: high
+          # Allow licenses commonly used in ML/crypto projects
+          allow-licenses: Apache-2.0, MIT, BSD-2-Clause, BSD-3-Clause
+
+  # Secret scanning (for any accidentally committed secrets)
+  secret-scan:
+    name: Secret Scanning
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          # Fetch full history for secret scanning
+          fetch-depth: 0
+
+      - name: Run TruffleHog (Secret scanner)
+        uses: trufflesecurity/trufflehog@main
+        with:
+          path: ./
+          base: main
+          head: HEAD
+          extra_args: --debug --only-verified
+
+  # Security summary and reporting
+  security-summary:
+    name: Security Summary
+    runs-on: ubuntu-22.04
+    needs: [python-security-scan, codeql-analysis, secret-scan]
+    if: always()
+    steps:
+      - name: Download security reports
+        uses: actions/download-artifact@v4
+        with:
+          name: python-security-reports
+          path: ./security-reports/
+        continue-on-error: true
+
+      - name: Generate Security Summary
+        run: |
+          echo "# Security Scan Summary" > security-summary.md
+          echo "" >> security-summary.md
+          echo "## Scan Results" >> security-summary.md
+          echo "" >> security-summary.md
+
+          # Check if reports exist and summarize
+          if [ -f "./security-reports/bandit-report.json" ]; then
+            echo "### Bandit (Python Code Security)" >> security-summary.md
+            echo "- Report generated successfully" >> security-summary.md
+          fi
+
+          if [ -f "./security-reports/safety-report-requirements_3_10.json" ]; then
+            echo "### Safety (Dependency Vulnerabilities)" >> security-summary.md
+            echo "- Dependency scan completed" >> security-summary.md
+          fi
+
+          echo "" >> security-summary.md
+          echo "## Recommendations" >> security-summary.md
+          echo "- Review all security findings before merging" >> security-summary.md
+          echo "- Update dependencies with known vulnerabilities" >> security-summary.md
+          echo "- Follow security best practices outlined in SECURITY.md" >> security-summary.md
+
+      - name: Comment PR with security summary
+        if: github.event_name == 'pull_request'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            if (fs.existsSync('security-summary.md')) {
+              const summary = fs.readFileSync('security-summary.md', 'utf8');
+              github.rest.issues.createComment({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: summary
+              });
+            }

.gitignore

@@ -5,4 +5,12 @@ bazel-testlogs
 __pycache__
 **.venv
 *.whl
-MODULE.bazel.lock
+MODULE.bazel.lock
+
+# Security scan reports (contain sensitive information)
+security-reports/
+*.security-report.*
+bandit-report.*
+safety-report.*
+semgrep-report.*
+pip-audit-report.*