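# mise configuration: toolchain pins, project environment, and the quality /
# security task graph. Tasks run in the project root with [env] applied.
min_version = "2026.2.6"

[tools]
# Pinned versions reproduce the same scanner behaviour on every machine and in
# CI; "latest" resolves at install time, so findings can drift between runs
# without any change to the code. Pin the scanners the way grype and python
# are pinned once a known-good version is chosen.
gitleaks = "latest"
python = "3.13"
semgrep = "latest"
uv = "latest"
grype = "0.109.0"
osv-scanner = "latest"

[env]
# Project virtualenv in .venv, created on first activation if missing.
_.python.venv = { path = ".venv", create = true }
# Name of the directory that holds this file; consumed by the `info` task.
PROJECT_NAME = "{{ config_root | basename }}"

[tasks]
install = "uv sync --all-groups"

[tasks.info]
description = "Print project information"
run = '''
echo "Project: $PROJECT_NAME"
'''

# QUALITY
[tasks.lint]
description = "Lint with ruff"
run = "uvx ruff check"

[tasks."lint:fix"]
description = "Lint and auto-fix"
run = "uvx ruff check --fix"

[tasks.format]
description = "Format with ruff"
run = "uvx ruff format"

[tasks."format:check"]
description = "Check formatting"
run = "uvx ruff format --check"

[tasks.typecheck]
description = "Type check with ty"
run = "uvx ty check"

[tasks.test]
description = "Run tests with pytest"
run = "uv run pytest"

# SECURITY
[tasks."security:secrets"]
description = "Scan for secrets with gitleaks"
run = "gitleaks detect --source . --no-banner"

[tasks."security:sast"]
description = "SAST scan with semgrep (auto + OWASP top 10)"
# `--error` turns findings into a non-zero exit so the task gates on them.
# Both configs are registry rulesets fetched at run time, so this task needs
# network access.
run = "semgrep scan --config auto --config p/owasp-top-ten --error --quiet ."

[tasks."security:deps"]
description = "Audit dependencies for known vulnerabilities (osv-scanner)"
run = "osv-scanner scan --lockfile uv.lock"

[tasks."security:bandit"]
description = "Run Bandit"
# The extra spec is quoted so the shell does not treat `bandit[toml]` as a
# glob pattern (an unquoted `[toml]` matches one character, so a file named
# e.g. `banditt` in the cwd would silently replace the argument).
# NOTE(review): `-r .` also walks .venv unless pyproject.toml's bandit config
# excludes it — confirm the exclude list there.
run = "uvx 'bandit[toml]' -c pyproject.toml -r . --severity-level=high"

[tasks."security:grype"]
description = "Run Grype"
run = "grype ."

[tasks."security:image"]
description = "Scan container image with trivy"
run = '''
#!/usr/bin/env bash
set -euo pipefail
TRIVY_VERSION=v0.69.2
export PATH="$HOME/.local/bin:$PATH"
# Install trivy only when it is not already on PATH. The installer script is
# fetched from the same tag as the pinned binary instead of from `main`, so the
# curl-to-shell step cannot change underneath the version pin. `curl -f` plus
# `pipefail` makes a failed download abort the task rather than piping an error
# body into sh. There is still no checksum verification of the download.
command -v trivy >/dev/null 2>&1 || (mkdir -p "$HOME/.local/bin" && curl -sfL "https://raw.githubusercontent.com/aquasecurity/trivy/${TRIVY_VERSION}/contrib/install.sh" | sh -s -- -b "$HOME/.local/bin" "$TRIVY_VERSION")
# The image is built only if it does not exist yet; an existing image is scanned
# as-is, so remove bgagent-local:latest first to force a rebuild after code
# or base-image changes.
docker image inspect bgagent-local:latest >/dev/null 2>&1 || (ARCH="$(uname -m)"; PLATFORM="linux/arm64"; if [ "$ARCH" = "x86_64" ]; then PLATFORM="linux/amd64"; fi; docker build --build-arg TARGETPLATFORM="$PLATFORM" --build-arg CACHE_BUST="$(date +%s)" -t bgagent-local:latest .)
# --ignore-unfixed hides findings that have no upstream fix yet, and entries in
# .trivyignore are excluded from the exit-code gate; re-run without either to
# see the full picture when triaging.
trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --severity HIGH,CRITICAL --exit-code 1 bgagent-local:latest
'''

[tasks.quality]
description = "Run quality checks"
run = [
    { task = "lint:fix" },
    { task = "format" },
    { task = "typecheck" },
    { task = "test" },
]

[tasks.security]
description = "Run security scans"
run = [
    { task = "security:secrets" },
    { task = "security:bandit" },
    { task = "security:sast" },
    { task = "security:grype" },
    { task = "security:deps" },
    { task = "security:image" },
]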