databricks-industry-solutions
diff --git a/‎.github/workflows/security-scan.yml‎
Lines changed: 36 additions & 0 deletions b/‎.github/workflows/security-scan.yml‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 62 additions & 13 deletions b/‎.gitignore‎
Lines changed: 62 additions & 13 deletions
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 210 additions & 1 deletion b/‎CONTRIBUTING.md‎
Lines changed: 210 additions & 1 deletion
@@ -0,0 +1,36 @@
+name: Security Scan
+
+on:
+  push:
+    branches:
+      - main
+      - 'release/**'
+  pull_request:
+    branches:
+      - main
+      - 'release/**'
+
+jobs:
+  bandit-scan:
+    name: Bandit Security Scan
+    runs-on: linux-ubuntu-latest
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+      
+      - name: Install Bandit
+        run: pip install bandit[toml]
+      
+      - name: Run Bandit security scan
+        run: |
+          bandit -r . \
+            --exclude ./tests,./venv,./node_modules,./.venv,./docs/sat/node_modules \
+            -lll \
+            -f screen
+
@@ -11,17 +11,17 @@
 /configs/security_best_practices_user.csv
 .databricks/
 .vscode/settings.json
+CLAUDE.md
 
 # Byte-compiled / optimized / DLL files
 __pycache__/
-.DS_Store
-.pytest_cache/
+*.py[cod]
+*$py.class
 
 # C extensions
 *.so
 
 # Distribution / packaging
-.idea
 .Python
 build/
 develop-eggs/
@@ -35,16 +35,13 @@ parts/
 sdist/
 var/
 wheels/
-pip-wheel-metadata/
 share/python-wheels/
 *.egg-info/
 .installed.cfg
 *.egg
 MANIFEST
 
 # PyInstaller
-#  Usually these files are written by a python script from a template
-#  before PyInstaller builds the exe, so as to inject date/other infos into it.
 *.manifest
 *.spec
 
@@ -65,6 +62,7 @@ coverage.xml
 *.py,cover
 .hypothesis/
 .pytest_cache/
+cover/
 
 # Translations
 *.mo
@@ -87,6 +85,7 @@ instance/
 docs/_build/
 
 # PyBuilder
+.pybuilder/
 target/
 
 # Jupyter Notebook
@@ -100,13 +99,15 @@ ipython_config.py
 .python-version
 
 # pipenv
-#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
-#   However, in case of collaboration, if having platform-specific dependencies or dependencies
-#   having no cross-platform support, pipenv may install dependencies that don't work, or not
-#   install all needed dependencies.
-#Pipfile.lock
+Pipfile.lock
+
+# poetry
+poetry.lock
 
-# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+# pdm
+.pdm.toml
+
+# PEP 582
 __pypackages__/
 
 # Celery stuff
@@ -134,6 +135,7 @@ venv.bak/
 
 # mkdocs documentation
 /site
+docs/sat/site/
 
 # mypy
 .mypy_cache/
@@ -143,7 +145,54 @@ dmypy.json
 # Pyre type checker
 .pyre/
 
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
+desktop.ini
+
+# Temporary files
+temp/
+tmp/
+*.tmp
+*.temp
+*.bak
+*.backup
+
+# Terraform
+*.tfstate
+*.tfstate.*
+.terraform/
+.terraform.lock.hcl
+terraform/aws/models
+
+# Project-specific
+claude_js/
+notebooks/.ipynb_checkpoints/
+
+# Build artifacts
+*.whl
+*.tar.gz
+
+# Logs
+*.log
 
 **/.terraform*
 **/terraform.tfvars
-**/terraform.tfstate*
+**/terraform.tfstate*
+
+# Project documentation and planning files
+CLAUDE.md
+docs/*Implementation_Plan.html
@@ -1 +1,210 @@
-We happily welcome contributions. We accept PRs pursuant to a CLA.
+# Contributing to Security Analysis Tool (SAT)
+
+Thank you for your interest in contributing to the Databricks Security Analysis Tool! We welcome contributions from the community, and we accept PRs pursuant to a CLA.
+
+## Getting Started
+
+Before you begin:
+
+1. **Check existing issues**: Look through [GitHub Issues](https://github.com/databricks-industry-solutions/security-analysis-tool/issues) to see if your bug report or feature request already exists
+2. **Read the documentation**: Familiarize yourself with [SAT Documentation](https://databricks-industry-solutions.github.io/security-analysis-tool/)
+3. **Understand the project structure**: Review the codebase organization
+
+### Project Structure
+
+```
+security-analysis-tool/
+├── src/                           # Python SDK source code
+│   ├── securityanalysistoolproject/  # Main SAT SDK
+│   └── brickhound/                # Permissions & Resources Analysis
+├── notebooks/                     # Databricks notebooks
+│   ├── Setup/                     # Installation and configuration
+│   ├── Includes/                  # Helper modules
+│   └── brickhound/               # Permissions & Resources Analysis notebooks
+├── app/brickhound/               # Permissions & Resources Analysis web UI
+├── terraform/                    # Infrastructure as Code SAT Installation
+├── dabs/                        # Databricks Asset Bundles SAT Installation
+├── configs/                     # Configuration files
+├── dashboards/                  # AI/BI dashboard
+└── docs/                        # Documentation site
+```
+
+## Development Setup
+
+### Prerequisites
+
+- Python 3.8 or higher
+- Access to a Databricks workspace (for testing)
+- Git
+
+### Local Setup
+
+1. **Clone the repository**:
+```bash
+git clone https://github.com/databricks-industry-solutions/security-analysis-tool.git
+cd security-analysis-tool
+```
+
+2. **Set up Python environment**:
+```bash
+python -m venv .venv
+source .venv/bin/activate  # On Windows: .venv\Scripts\activate
+
+# Install SDK in development mode
+cd src/securityanalysistoolproject
+pip install -e .
+```
+
+3. **Install development dependencies**:
+```bash
+pip install pytest
+```
+
+## How to Contribute
+
+### Types of Contributions
+
+We welcome:
+
+1. **Bug Fixes** - Fix issues in existing code
+2. **New Features** - Add new security checks or analysis capabilities
+3. **Documentation** - Improve or add documentation
+4. **Testing** - Add or improve test coverage
+
+### Reporting Bugs
+
+When reporting bugs, please include:
+
+- Clear description of what happened vs. what you expected
+- Steps to reproduce the issue
+- Environment details (Databricks runtime, cloud provider, SAT version)
+- Error messages and stack traces
+- Screenshots if applicable
+
+**Security vulnerabilities** should be reported to `bugbounty@databricks.com` (see [SECURITY.md](SECURITY.md))
+
+### Suggesting Features
+
+When suggesting features, explain:
+
+- The use case and why it would be useful
+- How you envision it working
+- Who would benefit from it
+
+## Pull Request Process
+
+### Branch Naming
+
+Use descriptive branch names:
+- `feature/add-azure-security-check`
+- `bugfix/fix-aws-credential-scan`
+- `docs/update-installation-guide`
+
+### Submitting a Pull Request
+
+1. **Fork the repository** and create your branch from `main`:
+```bash
+git checkout -b feature/your-feature-name
+```
+
+2. **Make your changes**:
+   - Write clear, readable code
+   - Add tests for new functionality
+   - Update documentation as needed
+
+3. **Commit your changes**:
+```bash
+git commit -m "Add new Azure security check for Key Vault
+
+- Added check for Key Vault soft delete
+- Added unit tests
+- Updated documentation"
+```
+
+4. **Push to your fork** and open a Pull Request with a clear description
+
+### Commit Message Format
+
+Use clear, descriptive commit messages:
+
+- `feat: add new feature`
+- `fix: resolve bug`
+- `docs: update documentation`
+- `test: add tests`
+
+### Pull Request Review
+
+- At least one maintainer must approve the PR
+- All tests must pass
+- Documentation must be updated if needed
+
+## Testing
+
+Run tests before submitting:
+
+```bash
+cd src/securityanalysistoolproject
+pytest
+```
+
+## Documentation
+
+### Updating Documentation
+
+When making changes:
+
+1. Update inline documentation (docstrings)
+2. Update user-facing docs in `docs/sat/docs/` if needed
+3. Update README if necessary
+4. Update CHANGELOG.md
+
+### Preview Documentation
+
+```bash
+cd docs/sat
+npm install
+npm start
+```
+
+## Versioning
+
+SAT follows **Semantic Versioning** (SemVer): `MAJOR.MINOR.PATCH`
+
+- **MAJOR**: Incompatible API changes
+- **MINOR**: New features (backward-compatible)
+- **PATCH**: Bug fixes (backward-compatible)
+
+See [VERSIONING.md](VERSIONING.md) for detailed guidelines.
+
+### Branch Strategy
+
+- `main`: Stable production releases
+- `release/x.x.x`: Release preparation branches
+- `feature/*`: New features
+- `bugfix/*`: Bug fixes
+
+## Code Style
+
+- Follow PEP 8 conventions
+- Use meaningful variable and function names
+- Add docstrings to public functions
+- Handle errors appropriately
+- Don't commit sensitive data (credentials, tokens, etc.)
+
+## License and CLA
+
+By contributing to this project, you agree to the Contributor License Agreement (CLA). All pull requests require CLA acceptance before merging.
+
+This project is licensed under the Databricks License. See [LICENSE](LICENSE) for details.
+
+## Getting Help
+
+- **Documentation**: https://databricks-industry-solutions.github.io/security-analysis-tool/
+- **GitHub Issues**: For bug reports and feature requests
+- **Security Issues**: bugbounty@databricks.com
+
+## Recognition
+
+Contributors are recognized in release notes and CHANGELOG.md.
+
+Thank you for contributing to SAT! 🔒