- Fix live monitoring style error by calling _live_monitor() helper directly - Remove default_parameters duplication from 10 workflow metadata files - Remove deprecated volume_mode parameter from 26 files across CLI, SDK, backend, and docs - Configure Python worker to start automatically with docker compose up - Clean up constants, validation, completion, and example files Fixes # - Live monitoring now works correctly with --live flag - Workflow metadata follows JSON Schema standard - Cleaner codebase without deprecated volume_mode - Python worker (most commonly used) starts by default
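---
# Workflow metadata for the python_sast workflow: identity and tags, the
# workspace isolation mode, and JSON-Schema-style definitions of the
# accepted parameters (with their defaults declared inline via `default`)
# and of the produced output.
name: python_sast
version: "1.0.0"
vertical: python
description: "Python Static Application Security Testing (SAST) workflow combining dependency scanning (pip-audit), security linting (Bandit), and type checking (Mypy)"
author: "FuzzForge Team"
tags:
  - "python"
  - "sast"
  - "security"
  - "type-checking"
  - "dependencies"
  - "bandit"
  - "mypy"
  - "pip-audit"
  - "sarif"

# Workspace isolation mode (system-level configuration)
# Using "shared" mode for read-only SAST analysis (no file modifications)
workspace_isolation: "shared"

# Parameter schema. Each tool gets its own config object; every leaf carries a
# `default`, so an omitted key falls back to the value documented here.
# NOTE(review): no `additionalProperties: false` at any level, so a misspelled
# key (e.g. a typo in a config object name) would presumably be ignored by a
# standard JSON Schema validator and the default applied silently — confirm
# how the backend validates this schema before relying on user overrides.
parameters:
  type: object
  properties:
    dependency_config:
      type: object
      description: "Dependency scanner (pip-audit) configuration"
      properties:
        dependency_files:
          type: array
          items:
            type: string
          description: "List of dependency files to scan (auto-discovered if empty)"
          default: []
        # Suppression list: IDs listed here are not reported. Keep entries
        # justified and reviewed so real advisories are not hidden.
        ignore_vulns:
          type: array
          items:
            type: string
          description: "List of vulnerability IDs to ignore"
          default: []
    bandit_config:
      type: object
      description: "Bandit security analyzer configuration"
      properties:
        # Default "low" reports every severity level.
        severity_level:
          type: string
          enum: ["low", "medium", "high"]
          description: "Minimum severity level to report"
          default: "low"
        # Default "medium" drops low-confidence findings from the report.
        confidence_level:
          type: string
          enum: ["low", "medium", "high"]
          description: "Minimum confidence level to report"
          default: "medium"
        # Test files are skipped by default; anything Bandit would flag in
        # test code (fixtures, hardcoded credentials) is then not reported.
        # Set to false for a full-tree scan.
        exclude_tests:
          type: boolean
          description: "Exclude test files from analysis"
          default: true
        # Suppression list: Bandit test IDs listed here are not run.
        skip_ids:
          type: array
          items:
            type: string
          description: "List of Bandit test IDs to skip"
          default: []
    mypy_config:
      type: object
      description: "Mypy type checker configuration"
      properties:
        strict_mode:
          type: boolean
          description: "Enable strict type checking"
          default: false
        # Corresponds to mypy's --ignore-missing-imports; on by default so
        # unresolved third-party imports do not count as type errors.
        ignore_missing_imports:
          type: boolean
          description: "Ignore errors about missing imports"
          default: true
        # Enum mirrors the choices of mypy's --follow-imports option.
        follow_imports:
          type: string
          enum: ["normal", "silent", "skip", "error"]
          description: "How to handle imports"
          default: "silent"
    reporter_config:
      type: object
      description: "SARIF reporter configuration"
      properties:
        include_code_flows:
          type: boolean
          description: "Include code flow information"
          default: false

# Shape of the workflow result: the combined SARIF document plus per-tool
# counters.
output_schema:
  type: object
  properties:
    sarif:
      type: object
      description: "SARIF-formatted SAST findings from all tools"
    summary:
      type: object
      description: "SAST execution summary"
      properties:
        # NOTE(review): the only summary field without a description;
        # presumably the sum of the three per-tool counts below — confirm
        # against the workflow implementation and document it here.
        total_findings:
          type: integer
        vulnerabilities:
          type: integer
          description: "CVEs found in dependencies"
        security_issues:
          type: integer
          description: "Security issues found by Bandit"
        type_errors:
          type: integer
          description: "Type errors found by Mypy"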