Security Guidelines¶

Security best practices for contributing to Monitoring Hub.

Code Security Principles¶

Input Validation¶

Always validate external input:

# Good: Strict schema validation
from core.engine.schema import ManifestSchema
schema = ManifestSchema()
validated_data = schema.load(user_input)

# Bad: Trusting user input
data = yaml.safe_load(untrusted_file)  # No validation

Manifest validation prevents: - Injection attacks through malformed YAML - Unexpected data types causing runtime errors - Missing required fields

Network Operations¶

Always use timeouts:

# Good: Timeout prevents hanging
response = requests.get(url, timeout=30)

# Bad: No timeout
response = requests.get(url)  # Can hang indefinitely

Implement retry logic with exponential backoff:

from tenacity import retry, stop_after_attempt, wait_exponential

@retry(
    stop=stop_after_attempt(3),
    wait=wait_exponential(multiplier=1, min=2, max=10)
)
def download_file(url):
    response = requests.get(url, timeout=30)
    response.raise_for_status()
    return response.content

Template Security¶

Enable Jinja2 autoescape:

# Good: Autoescape prevents XSS
from jinja2 import Environment, FileSystemLoader, select_autoescape

env = Environment(
    loader=FileSystemLoader(template_dir),
    autoescape=select_autoescape(['html', 'xml', 'j2'])
)

# Bad: No autoescape
env = Environment(loader=FileSystemLoader(template_dir))

Exception Handling¶

Always chain exceptions for better debugging:

# Good: Exception chaining preserves context
try:
    dangerous_operation()
except SpecificError as err:
    logger.error(f"Operation failed: {err}")
    raise click.Abort() from err

# Bad: Losing exception context
except:
    raise click.Abort()

Avoid bare except clauses:

# Good: Specific exception handling
try:
    risky_operation()
except (ValueError, KeyError) as err:
    handle_error(err)

# Bad: Catches everything including KeyboardInterrupt
try:
    risky_operation()
except:
    pass

Dependency Security¶

Managing Dependencies¶

• Pin versions: Use exact versions in requirements.txt
• Regular updates: Review Dependabot PRs weekly
• Vulnerability scanning: Check pip-audit reports
• Minimal dependencies: Only add necessary packages

Before Adding Dependencies¶

1. Check package reputation (GitHub stars, downloads, maintainers)
2. Review security advisories on PyPI Advisory Database
3. Verify package signatures when available
4. Check for known vulnerabilities with pip-audit

Container Security¶

Dockerfile Best Practices¶

# Use minimal base images
FROM registry.access.redhat.com/ubi9/ubi-minimal

# Run as non-root user
RUN useradd -r -u 1000 exporter
USER exporter

# Use read-only root filesystem
VOLUME ["/var/lib/exporter"]

Image Scanning¶

Before pushing images:

# Scan with Trivy
trivy image monitoring-hub/exporter:latest

# Check for high/critical vulnerabilities
trivy image --severity HIGH,CRITICAL monitoring-hub/exporter:latest

Secret Management¶

Never commit secrets:

• API tokens
• Private keys
• Passwords
• Connection strings

Use environment variables:

# Good: From environment
token = os.environ.get('GITHUB_TOKEN')

# Bad: Hardcoded
token = "ghp_xxxxxxxxxxxx"

Add sensitive files to .gitignore:

secrets/
.env
*.key
*.pem
credentials.json

Security Testing¶

Automated CI Security Scanning¶

The security.yml workflow runs on every pull request and push to main:

Bandit (Python Security Scanner) - Scans Python code for common security issues - Checks for SQL injection, hardcoded passwords, insecure functions - Reports findings as GitHub annotations

pip-audit (Dependency Vulnerability Scanner) - Scans Python dependencies for known CVEs - Checks against the OSV vulnerability database - Fails CI on high/critical vulnerabilities

Trivy (Container Security Scanner) - Scans container images for vulnerabilities - Uploads SARIF reports to GitHub Security tab - Requires security-events: write permission - Integrates with GitHub Advanced Security

View security findings: - Go to the Security tab in GitHub - Click Code scanning alerts - Review Trivy vulnerability reports

Pre-Commit Checks¶

Install pre-commit hooks:

make install

This runs: - bandit: Security vulnerability scanner - ruff: Linting with security rules - mypy: Type checking

Manual Security Checks¶

# Run security scanner
make security

# Check for vulnerable dependencies
pip-audit -r requirements/base.txt

# Scan code for secrets
gitleaks detect --no-git

# Scan container image with Trivy
trivy image --severity HIGH,CRITICAL monitoring-hub/exporter:latest

Reporting Security Issues¶

Do not open public issues for security vulnerabilities.

Follow our Security Policy for responsible disclosure.

Security Checklist for Contributors¶

Before submitting a PR:

• All network calls have timeouts
• Input validation on external data
• No hardcoded secrets or credentials
• Jinja2 templates use autoescape
• Exceptions are properly chained
• No bare except: clauses
• Dependencies are pinned and reviewed
• Security tests pass (make security)
• No new Bandit warnings introduced

Resources¶

• OWASP Top 10
• Python Security Best Practices
• Bandit Documentation
• pip-audit

Questions?¶

For security questions or concerns:

• Open a GitHub Discussion
• Contact maintainers privately for sensitive issues
• See SECURITY.md for vulnerability reporting