-
-
Notifications
You must be signed in to change notification settings - Fork 6.1k
1244 lines (1179 loc) · 59.9 KB
/
Copy pathsecurity-audit.yml
File metadata and controls
1244 lines (1179 loc) · 59.9 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
# SPDX-License-Identifier: AGPL-3.0-only
# Copyright 2026-present the Unsloth AI Inc. team. All rights reserved.
# Multi-language supply-chain audit. Triggers:
# - PRs touching any dependency manifest (Python / npm / Cargo) or
# this workflow file,
# - push to main / pip,
# - nightly @ 04:13 UTC so newly-published advisories surface even
# when no PR opens,
# - workflow_dispatch for ad-hoc invocations.
#
# Two jobs:
# - advisory-audit: one runner that runs pip-audit + npm audit +
# cargo audit back-to-back. All three are
# advisory-DB lookups -- fast, lockfile-driven,
# no archive download. Setting up the python /
# node / rust toolchains on one runner and
# running the three commands serially is
# cheaper than spinning up three runners.
# - pip-scan-packages: 3-shard matrix that downloads + pattern-scans
# every PyPI archive in the transitive closure.
# This is the expensive job (~6 min/shard,
# running in parallel) and it must stay
# independent so a CVE-DB hit in advisory-audit
# does not block the supply-chain pattern scan
# (or vice versa).
#
# All steps are non-blocking initially. The default branch already
# carries a known-vuln backlog (the dependabot banner shows 17 today,
# pip-audit catches 2 more, npm/cargo will catch their own); a hard
# gate now would block every PR on a baseline we have not triaged.
# As each baseline closes, drop continue-on-error per step.
#
# Dependency coverage:
# - unsloth core (pyproject.toml [project.dependencies])
# - unsloth `huggingfacenotorch` extras (the canonical install path
# for fine-tuning users; pulls transformers / peft / accelerate /
# trl / datasets / diffusers / sentence-transformers / etc.)
# - all six Studio backend requirements files
# - Studio frontend (npm) and Tauri shell (cargo)
# Each Python step builds a filtered dep list from pyproject.toml +
# requirements/*.txt before auditing. We do NOT install any of these
# -- pip-audit resolves through PyPI metadata, scan_packages.py
# downloads sdist/wheel archives and inspects them without running
# install hooks, so an attacker who has compromised a transitive dep
# cannot execute code in this workflow.
name: Security audit
on:
pull_request:
paths:
- 'studio/backend/requirements/**'
- 'studio/frontend/package.json'
- 'studio/frontend/package-lock.json'
- 'studio/src-tauri/Cargo.toml'
- 'studio/src-tauri/Cargo.lock'
- 'pyproject.toml'
- 'scripts/scan_packages.py'
- 'scripts/scan_npm_packages.py'
- '.github/workflows/security-audit.yml'
push:
branches: [main, pip]
schedule:
- cron: '13 4 * * *' # 04:13 UTC daily, off the cron rush
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
# ──────────────────────────────────────────────────────────────────────
# Network-resilience knobs, applied to every job/step. These add retries
# and backoff ONLY; they do not relax a single integrity check. cargo
# still resolves against Cargo.lock (--locked), pip still verifies the
# wheels it downloads, npm still enforces package-lock integrity, the
# harden-runner egress allowlists below are unchanged, and every action
# stays SHA-pinned. The advisory-audit run on 2026-05-29 red-failed when
# one crates.io tarball fetch hit "Recv failure: Connection reset by
# peer" (curl 56); cargo's default of 3 retries over an HTTP/2-multiplexed
# connection did not recover. The settings below make that class of
# transient fault self-heal instead of failing the whole run.
env:
# pip: raise the built-in retry count and per-connection timeout.
PIP_RETRIES: "10"
PIP_DEFAULT_TIMEOUT: "60"
# cargo: retry network ops and disable HTTP/2 multiplexing -- the
# documented mitigation for the curl-56 connection resets above.
CARGO_NET_RETRY: "10"
CARGO_HTTP_MULTIPLEXING: "false"
CARGO_NET_GIT_FETCH_WITH_CLI: "true"
# npm: retry registry fetches with capped exponential backoff.
NPM_CONFIG_FETCH_RETRIES: "5"
NPM_CONFIG_FETCH_RETRY_MINTIMEOUT: "2000"
NPM_CONFIG_FETCH_RETRY_MAXTIMEOUT: "60000"
jobs:
# ─────────────────────────────────────────────────────────────────────
# Combined advisory-DB audit: pip-audit + npm audit + cargo audit
# all on one runner. Each step is continue-on-error so a finding in
# one toolchain does not suppress the others.
# ─────────────────────────────────────────────────────────────────────
advisory-audit:
name: advisory audit (pip + npm + cargo)
runs-on: ubuntu-latest
timeout-minutes: 25
steps:
# step-security/harden-runner installs an eBPF-based egress
# firewall on the runner. In `audit` mode it logs every outbound
# connection without blocking; in `block` mode it rejects
# anything outside `allowed-endpoints`. We run audit-only
# initially: the next time this job hits a real PyPI advisory or
# an attacker-funded archive in pip-scan-packages, the audit log
# tells us exactly which hosts were dialed and we promote the
# allowlist to block. Would have *contained* the litellm exfil
# even if scan_packages had missed the .pth payload.
# SHA-pinned (not @v2): the litellm 1.82.7 attack chain hijacked
# mutable tags on aquasecurity/trivy-action and would have hit
# anyone using @v0 / @v2 / @latest references. Pinning to a 40-
# char SHA freezes this action at known-good code; Dependabot's
# github-actions ecosystem will auto-bump the SHA.
# v2.19.1 commit:
# Per-job allowlist: advisory-audit hits PyPI, npm registry,
# crates.io advisories, GitHub release artefacts (osv-scanner
# binary), Semgrep registry, and TruffleHog's own GitHub action.
- name: Harden runner (egress block)
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
egress-policy: block
disable-sudo: true
allowed-endpoints: >
api.github.com:443
github.com:443
codeload.github.com:443
objects.githubusercontent.com:443
raw.githubusercontent.com:443
release-assets.githubusercontent.com:443
registry.npmjs.org:443
pypi.org:443
files.pythonhosted.org:443
static.rust-lang.org:443
index.crates.io:443
static.crates.io:443
crates.io:443
semgrep.dev:443
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
# Full history so TruffleHog can diff base..head; without
# this it sees only the latest commit and reports nothing.
fetch-depth: 0
persist-credentials: false
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: '3.12'
cache: 'pip'
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: '22'
- uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable @ 2026-03-27
- uses: swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
with:
workspaces: studio/src-tauri -> target
- name: Install pip-audit + cargo-audit
# cargo-audit pulls advisories from the RustSec advisory-db on
# first run and caches them under ~/.cargo/advisory-db. Pin
# --locked so the version we install matches Cargo.lock
# determinism. cargo-audit 0.22 supports the CVSS 4.0 schema
# used in 2026 advisories (e.g. RUSTSEC-2026-0073); 0.21
# crashes with a TOML parse error on that file.
# npm audit is bundled with the node toolchain, no install.
run: |
retry() { # retry <max-attempts> <command...> with exponential backoff
local max="$1"; shift
local n=1 delay=5
until "$@"; do
if [ "$n" -ge "$max" ]; then
echo "::error::command failed after ${n} attempts: $*" >&2
return 1
fi
echo "attempt ${n}/${max} failed; retrying in ${delay}s: $*" >&2
sleep "$delay"; n=$((n + 1)); delay=$((delay * 2))
done
}
retry 5 python -m pip install --upgrade pip 'pip-audit>=2.7'
# --locked keeps the resolved tree identical to Cargo.lock; the
# CARGO_NET_* env above plus this outer loop survive transient
# crates.io connection resets without weakening that guarantee.
retry 5 cargo install --locked --version '^0.22' cargo-audit
# ─────────────────────────────────────────────────────────────
# Python: pip-audit
# ─────────────────────────────────────────────────────────────
- name: Build filtered Python requirements set
# Two transforms:
# (1) Generate audit-reqs/unsloth-deps.txt from pyproject.toml
# so pip-audit sees the unsloth pip package's own dep set
# (core + huggingfacenotorch extras: transformers / peft /
# accelerate / trl / datasets / diffusers /
# sentence-transformers / huggingface_hub / hf_transfer /
# etc.).
# (2) Copy each studio/backend/requirements/*.txt into
# audit-reqs/ with `git+` lines stripped. pip-audit's `-r`
# mode does a dry-run resolve against PyPI metadata; a
# `git+https://...` spec forces it to clone, which is
# both slow and outside the threat model (we audit
# PyPI-served archives; a git ref is whatever HEAD says
# on the runner). A comment line is left in place so the
# skipped specs are obvious in the artifact.
# The `huggingface` extra is `huggingfacenotorch` plus torch /
# torchvision / triton, deliberately skipped: Studio backend
# already pins a torch and the +cu* / +cpu local-version tags
# trip up the PyPI resolver in `-r` mode.
run: |
mkdir -p audit-reqs
python <<'PY' > audit-reqs/unsloth-deps.txt
import tomllib
with open("pyproject.toml", "rb") as f:
d = tomllib.load(f)
core = d["project"]["dependencies"]
extras = d["project"]["optional-dependencies"]["huggingfacenotorch"]
print("# Auto-generated from pyproject.toml by security-audit.yml.")
print("# core deps + huggingfacenotorch extras.")
for spec in core + extras:
print(spec)
PY
for f in studio.txt extras.txt extras-no-deps.txt \
no-torch-runtime.txt overrides.txt triton-kernels.txt; do
python <<PY > "audit-reqs/$f"
src = "studio/backend/requirements/$f"
with open(src) as fh:
for line in fh:
stripped = line.strip()
before_comment = stripped.split("#", 1)[0]
if "git+" in before_comment:
print(f"# [security-audit] skipped git+ spec: {stripped}")
continue
print(line.rstrip("\n"))
PY
done
- name: pip-audit (declared Python deps, no install)
# `-r requirements.txt` resolves the requirements through pip's
# dependency resolver against PyPI metadata and audits the
# resolved tree without ever executing setup.py / install
# hooks. Way faster than installing the full Studio runtime
# and -- critically -- safer: an attacker who has compromised
# a transitive dep cannot run code in this job.
#
# extras.txt + extras-no-deps.txt have legacy setup.py
# packages (notably openai-whisper) whose setup.py imports
# `pkg_resources`, which the isolated build env's current
# setuptools no longer ships. PIP_CONSTRAINT pins an older
# setuptools into the build env so those builds resolve.
# Per-file loop so one bad file doesn't take out the whole
# audit.
continue-on-error: true
env:
PIP_CONSTRAINT: ${{ github.workspace }}/audit-reqs/build-constraints.txt
run: |
set +e
cat > audit-reqs/build-constraints.txt <<'CONSTRAINTS'
setuptools<78
wheel
CONSTRAINTS
: > logs-pip-audit.txt
for f in unsloth-deps studio extras extras-no-deps \
no-torch-runtime overrides triton-kernels; do
if ! grep -qE '^[^#[:space:]]' "audit-reqs/$f.txt"; then
echo "[security-audit] $f.txt has no PyPI specs after git+ filter, skipping" \
| tee -a logs-pip-audit.txt
continue
fi
echo "::group::pip-audit -r audit-reqs/$f.txt"
{
echo
echo "=== $f ==="
pip-audit -r "audit-reqs/$f.txt" --format=columns
echo "=== end $f (rc=$?) ==="
} 2>&1 | tee -a logs-pip-audit.txt
echo "::endgroup::"
done
{
echo "## pip-audit (Python)"
echo
echo '### Coverage'
echo '- unsloth core + `huggingfacenotorch` extras (pyproject.toml)'
echo '- studio/backend/requirements/{studio,extras,extras-no-deps,no-torch-runtime,overrides,triton-kernels}.txt'
echo '- `git+` specs are stripped before audit (out of scope: we audit PyPI archives)'
echo
echo '### Findings'
echo '```'
cat logs-pip-audit.txt
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
# ─────────────────────────────────────────────────────────────
# Pre-install lockfile supply-chain audit (npm + cargo).
# Catches structural anomalies (non-registry resolved URLs,
# missing integrity hashes, known IOC strings) BEFORE `npm
# audit` or OSV-Scanner consult the advisory DB. The advisory
# path is reactive -- there is a window between a malicious
# publication and the GHSA landing. This step fires on the
# injection pattern itself so it catches the same class of
# attack the moment the lockfile shape becomes wrong.
# ─────────────────────────────────────────────────────────────
- name: Lockfile supply-chain audit (pre-install scan)
run: |
python3 scripts/lockfile_supply_chain_audit.py
{
echo "## Lockfile supply-chain audit"
echo
echo "Scanned: studio/frontend/package-lock.json + studio/src-tauri/Cargo.lock"
echo
echo "No structural anomalies or known IOC strings."
} >> "$GITHUB_STEP_SUMMARY"
# ─────────────────────────────────────────────────────────────
# npm: Studio frontend
# ─────────────────────────────────────────────────────────────
- name: npm audit (Studio frontend)
# `npm audit` resolves the lockfile through the npmjs.com
# advisory DB. `--audit-level=high` filters the noise floor
# to only HIGH and CRITICAL. We do NOT pass --omit=dev: a
# malicious dev-only dep can still steal secrets from a CI
# runner, so dev deps need to be in the audit surface.
continue-on-error: true
working-directory: studio/frontend
run: |
set +e
npm audit --audit-level=high | tee ../../logs-npm-audit.txt
# Always also write the full JSON for grep-ability.
npm audit --json > ../../logs-npm-audit.json || true
{
echo "## npm audit (Studio frontend)"
echo
echo '```'
tail -200 ../../logs-npm-audit.txt
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
# ─────────────────────────────────────────────────────────────
# cargo: Studio Tauri shell
# ─────────────────────────────────────────────────────────────
- name: cargo audit (Studio Tauri)
# `--deny warnings` would make the job fail on any advisory.
# Keep non-blocking initially; drop continue-on-error after
# the baseline closes.
continue-on-error: true
working-directory: studio/src-tauri
run: |
set +e
cargo audit | tee ../../logs-cargo-audit.txt
{
echo "## cargo audit (Studio Tauri)"
echo
echo '```'
tail -200 ../../logs-cargo-audit.txt
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
# ─────────────────────────────────────────────────────────────
# OSV-Scanner: cross-ecosystem advisory DB (PyPI + npm + cargo)
# ─────────────────────────────────────────────────────────────
- name: Download + verify OSV-Scanner
# Split out from the scan below so binary integrity is a HARD gate:
# a checksum mismatch (swapped release asset, the Trivy-style pivot
# this workflow refuses) fails the job instead of being swallowed by
# the scan step's continue-on-error. A download still failing after
# retries is transient, so we skip the scan rather than red-fail.
# SHA-256 verified BEFORE chmod +x / exec. Bump OSV_SHA256 in lockstep
# with OSV_VERSION (value from the release's osv-scanner_SHA256SUMS).
run: |
set -euo pipefail
OSV_VERSION="v2.0.2"
OSV_SHA256="3abcfd7126c453a00421487e721b296e0cb68085bd431d6cef60872774170fc8"
if ! curl --proto '=https' --tlsv1.2 -fsSL \
--retry 5 --retry-delay 3 --retry-connrefused --retry-all-errors \
-o /tmp/osv-scanner \
"https://github.com/google/osv-scanner/releases/download/${OSV_VERSION}/osv-scanner_linux_amd64"; then
echo "::warning::osv-scanner download failed after retries; skipping scan" >&2
rm -f /tmp/osv-scanner
exit 0 # transient availability: do not red-fail the job
fi
if ! echo "${OSV_SHA256} /tmp/osv-scanner" | sha256sum -c -; then
echo "::error::osv-scanner checksum mismatch; refusing to execute" >&2
rm -f /tmp/osv-scanner
exit 1 # integrity failure: hard-fail
fi
chmod +x /tmp/osv-scanner
/tmp/osv-scanner --version
- name: OSV-Scanner (PyPI + npm + cargo, cross-ecosystem advisories)
# OSV's advisory feed is a superset of GitHub-Advisory + RustSec
# + npm advisories; running it alongside the per-ecosystem audit
# tools catches CVEs that haven't propagated to the per-ecosystem
# DBs yet (e.g. langchain-core CVE-2025-68664 was on OSV before
# GitHub Advisory). Single binary, one transitive resolver, all
# three lockfile types in one pass. Binary is checksum-verified in
# the step above; only the advisory scan stays non-blocking until
# baselines close.
continue-on-error: true
run: |
set +e
if [ ! -x /tmp/osv-scanner ]; then
echo "osv-scanner unavailable this run; skipping scan" | tee logs-osv-scanner.txt
else
/tmp/osv-scanner scan source \
--lockfile=studio/frontend/package-lock.json \
--lockfile=studio/src-tauri/Cargo.lock \
--lockfile=requirements.txt:audit-reqs/unsloth-deps.txt \
--lockfile=requirements.txt:audit-reqs/studio.txt \
--lockfile=requirements.txt:audit-reqs/no-torch-runtime.txt \
--lockfile=requirements.txt:audit-reqs/overrides.txt \
--lockfile=requirements.txt:audit-reqs/extras.txt \
--lockfile=requirements.txt:audit-reqs/extras-no-deps.txt \
--format=table 2>&1 | tee logs-osv-scanner.txt
fi
{
echo "## OSV-Scanner (cross-ecosystem)"
echo
echo '```'
tail -200 logs-osv-scanner.txt
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
# ─────────────────────────────────────────────────────────────
# Semgrep: design-flaw detection (catches what regex-pattern
# scanning of malicious authors cannot, e.g. first-party logic bugs
# like langchain-core CVE-2025-68664 dumps/dumpd injection,
# n8n CVE-2025-68668 _pyodide.eval_code sandbox escape, marimo
# CVE-2026-39987 unauth WebSocket).
# ─────────────────────────────────────────────────────────────
- name: Semgrep (supply-chain + python rule packs)
continue-on-error: true
run: |
set +e
python -m pip install --quiet 'semgrep>=1.95'
semgrep --version
semgrep scan \
--config p/supply-chain \
--config p/python \
--config p/javascript \
--config p/security-audit \
--severity ERROR --severity WARNING \
--metrics off \
--timeout 120 \
studio/backend unsloth scripts \
2>&1 | tee logs-semgrep.txt
{
echo "## Semgrep (supply-chain + python + javascript rules)"
echo
echo '```'
tail -200 logs-semgrep.txt
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
# ─────────────────────────────────────────────────────────────
# Lockfile pin verifier. The litellm 1.82.7 attack window was
# ~40 minutes; anyone resolving with `>=` got the malicious
# version automatically. Flag every spec in the requirements
# files that does not pin to an exact `==` (or `@` for git
# refs, or `===` for arbitrary equality). Warning-only for now;
# graduate to blocking once the baseline is clean.
# ─────────────────────────────────────────────────────────────
- name: Lockfile pin verifier (Python requirements)
continue-on-error: true
run: |
python <<'PY' | tee logs-pin-verifier.txt
import re
from pathlib import Path
# Specs that look like `pkg==1.2.3` or `pkg @ git+...` or
# bare comments / -r lines are pinned-or-not-applicable.
PINNED = re.compile(r"^\s*[A-Za-z0-9_.\-]+\s*(?:===|==)\s*[^,;]+\s*$")
GIT_OR_URL = re.compile(r"^\s*[A-Za-z0-9_.\-]+\s*@\s*(?:git\+|https?://)")
unpinned = []
for f in sorted(Path("studio/backend/requirements").glob("*.txt")):
for i, raw in enumerate(f.read_text().splitlines(), 1):
line = raw.strip()
if not line or line.startswith("#") or line.startswith("-"):
continue
spec = line.split("#", 1)[0].strip().split(";", 1)[0].strip()
if not spec:
continue
if "git+" in spec or PINNED.match(spec) or GIT_OR_URL.match(spec):
continue
unpinned.append((str(f), i, line))
print(f"::group::Lockfile pin status")
if unpinned:
print(f"WARN: {len(unpinned)} non-`==` specs across requirements/*.txt")
print("(litellm 1.82.7 wave hit anyone on `>=`; tighten when feasible.)")
for f, i, line in unpinned[:80]:
print(f" {f}:{i}: {line}")
if len(unpinned) > 80:
print(f" ... and {len(unpinned) - 80} more")
else:
print("OK: every spec is exact-pinned.")
print("::endgroup::")
PY
{
echo "## Lockfile pin verifier"
echo
echo '```'
cat logs-pin-verifier.txt
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
# ─────────────────────────────────────────────────────────────
# Trivy is deliberately NOT installed here. Trivy was the entry
# point for the litellm 1.82.7 supply-chain compromise (March
# 2026): attackers force-rewrote 76 of 77 tags in
# aquasecurity/trivy-action to point at malicious commits;
# anyone running the action with a tag ref auto-pulled a
# credential-harvesting payload. By design a security scanner
# has broad read access to runner secrets, which is exactly
# what made it the ideal pivot. We pick up Trivy's CVE coverage
# from OSV-Scanner (NVD + GHSA + GitLab) and its secret
# detection from TruffleHog. IaC misconfig detection (Trivy's
# one unique value-add) is unfilled for now -- revisit with
# checkov / kics when we ship a Dockerfile or k8s manifests.
# See https://docs.litellm.ai/blog/security-update-march-2026
# and the Microsoft / Trend Micro / Snyk incident write-ups.
# ─────────────────────────────────────────────────────────────
# ─────────────────────────────────────────────────────────────
# TruffleHog secret-leak scan on the PR diff. Catches API keys
# / tokens / cred files committed accidentally. --only-verified
# filters out probabilistic findings, so we only flag tokens
# that the source provider confirmed are live. On push to main
# / pip we scan the full repo; on PR we scan base..head.
# SHA-pinned for the same reason as harden-runner above.
# v3.95.2 commit:
# ─────────────────────────────────────────────────────────────
- name: TruffleHog (secrets in diff)
continue-on-error: true
uses: trufflesecurity/trufflehog@37b77001d0174ebec2fcca2bd83ff83a6d45a3ab # v3.95.3
with:
path: ./
base: ${{ github.event.pull_request.base.sha || '' }}
head: ${{ github.event.pull_request.head.sha || github.sha }}
# The action passes --no-update internally; passing it here
# too triggers `flag 'no-update' cannot be repeated`. Stick
# with --only-verified so we only flag tokens the source
# provider confirmed are live (no probabilistic findings).
extra_args: --only-verified
# ─────────────────────────────────────────────────────────────
# CycloneDX SBOM. Lets downstream consumers audit what's
# actually shipped in unsloth wheels and the Studio backend
# runtime. Generates one JSON file per requirements input plus
# a combined SBOM keyed off pyproject.toml; uploads as a build
# artifact (and a future step can attest it via SLSA).
# ─────────────────────────────────────────────────────────────
- name: Generate CycloneDX SBOM
continue-on-error: true
run: |
set +e
python -m pip install --quiet 'cyclonedx-bom>=4.6'
mkdir -p sbom
# Per-requirements-file SBOM (the audit-reqs/ files are the
# filtered, git+-stripped views built earlier in this job).
# cyclonedx-py 4.x uses `--sv` for spec version and `-o` for
# the output file; the older `--schema-version`/`--outfile`
# spellings are not accepted.
for f in audit-reqs/*.txt; do
base=$(basename "$f" .txt)
if grep -qE '^[^#[:space:]]' "$f"; then
cyclonedx-py requirements "$f" \
--sv 1.6 \
--of JSON \
-o "sbom/sbom-$base.json" 2>&1 | tail -5 || true
fi
done
# Project-level SBOM from pyproject.toml.
cyclonedx-py environment \
--sv 1.6 \
--of JSON \
-o sbom/sbom-environment.json 2>&1 | tail -5 || true
ls -la sbom/
{
echo "## CycloneDX SBOM"
echo
echo "Generated SBOM files:"
ls sbom/ | sed 's/^/- sbom\//'
} >> "$GITHUB_STEP_SUMMARY"
# ─────────────────────────────────────────────────────────────
# GitHub Actions pinning verifier. tj-actions/changed-files
# was compromised in March 2025; anyone using `@v4` (a mutable
# ref) auto-shipped the malicious version. Catch every
# non-SHA-pinned `uses:` across the workflows tree. Warn-only
# initially so the existing baseline doesn't block PRs.
# ─────────────────────────────────────────────────────────────
- name: GitHub Actions pinning verifier
continue-on-error: true
run: |
python <<'PY' | tee logs-actions-pinning.txt
import re
from pathlib import Path
# SHA pin = 40 hex chars after @
SHA_PIN = re.compile(r"@[0-9a-f]{40}\b")
# First-party / GitHub-published actions get a softer pass
# (still recommended to pin; not a security gate).
FIRST_PARTY = re.compile(r"^\s*-\s*uses:\s*(actions|github)/[^@]+@")
USES = re.compile(r"^\s*-\s*uses:\s*([^@\s]+)@(\S+)")
unpinned_third = []
unpinned_first = []
for f in sorted(Path(".github/workflows").glob("*.yml")):
for i, line in enumerate(f.read_text().splitlines(), 1):
m = USES.match(line)
if not m:
continue
name, ref = m.group(1), m.group(2)
if SHA_PIN.search(line):
continue
bucket = unpinned_first if FIRST_PARTY.match(line) else unpinned_third
bucket.append((str(f), i, name, ref))
print("::group::Action pinning status")
print(f"third-party actions on mutable refs: {len(unpinned_third)}")
for f, i, n, r in unpinned_third:
print(f" HIGH {f}:{i}: {n}@{r}")
print()
print(f"first-party (actions/* | github/*) on mutable refs: {len(unpinned_first)}")
for f, i, n, r in unpinned_first[:30]:
print(f" WARN {f}:{i}: {n}@{r}")
if len(unpinned_first) > 30:
print(f" ... and {len(unpinned_first) - 30} more")
print()
print("Recommendation: pin third-party actions to a 40-char SHA.")
print("Dependabot's github-actions ecosystem will auto-bump them.")
print("::endgroup::")
PY
{
echo "## GitHub Actions pinning verifier"
echo
echo '```'
cat logs-actions-pinning.txt
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
# ─────────────────────────────────────────────────────────────
# Hash-pin verifier. `==` pinning protects against version
# drift but not against a re-uploaded malicious wheel at the
# same version (PyPI lets a yanked release be re-published with
# different bytes for ~5 minutes via `--filename` collision).
# `pip install --require-hashes` rejects any download whose
# SHA-256 doesn't match. Inspector step that reports how many
# specs would gain from a hash pin -- conversion is a roadmap
# item (needs pip-tools / uv pip compile --generate-hashes).
# ─────────────────────────────────────────────────────────────
- name: Hash-pin verifier (Python requirements)
continue-on-error: true
run: |
python <<'PY' | tee logs-hash-verifier.txt
import re
from pathlib import Path
PINNED = re.compile(r"^\s*[A-Za-z0-9_.\-]+\s*==\s*[^,;]+\s*$")
HASH_LINE = re.compile(r"--hash=sha256:[0-9a-f]{64}")
total_pinned = 0
with_hash = 0
for f in sorted(Path("studio/backend/requirements").glob("*.txt")):
text = f.read_text()
for raw in text.splitlines():
line = raw.strip()
if not line or line.startswith("#") or line.startswith("-"):
continue
spec = line.split("#", 1)[0].strip().split(";", 1)[0]
if PINNED.match(spec):
total_pinned += 1
if HASH_LINE.search(raw):
with_hash += 1
print(f"::group::Hash-pin status")
print(f" exact == pins: {total_pinned}")
print(f" with --hash=sha256: {with_hash}")
print(f" without --hash: {total_pinned - with_hash}")
print()
print("Roadmap: convert to hash-locked installs via")
print("`uv pip compile --generate-hashes` and `pip install --require-hashes`.")
print("Hash-locked installs would have refused a republished")
print("malicious litellm 1.82.7 wheel even at the same version.")
print("::endgroup::")
PY
{
echo "## Hash-pin verifier"
echo
echo '```'
cat logs-hash-verifier.txt
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
if: always()
with:
name: advisory-audit-logs
path: |
logs-pip-audit.txt
logs-npm-audit.txt
logs-npm-audit.json
logs-cargo-audit.txt
logs-osv-scanner.txt
logs-semgrep.txt
logs-pin-verifier.txt
logs-actions-pinning.txt
logs-hash-verifier.txt
audit-reqs/
sbom/
retention-days: 30
# ─────────────────────────────────────────────────────────────────────
# Python: pre-install package scan (no install, no execution)
# ─────────────────────────────────────────────────────────────────────
pip-scan-packages:
# Downloads each declared dep WITHOUT installing it and inspects
# the archive contents for known malicious patterns: weaponized
# .pth files, credential stealers, obfuscated payloads,
# install-time droppers, suspicious subprocess / network /
# base64-blob combinations.
#
# This is the kind of check that would have caught:
# - litellm 1.82.7 / 1.82.8 (March 2026, supply-chain compromise)
# - the typo-squat campaign against PyTorch Lightning
# before either landed in the install path. pip-audit only knows
# about CVE-published vulnerabilities, so it does NOT see novel
# malicious uploads. scan_packages.py runs deterministic regex
# pattern matching, no LLM calls.
#
# `--with-deps` makes the scan transitive: every package the
# declared set resolves to gets fetched and pattern-scanned, not
# just the top-level pins. Resolving the full transitive closure
# of the unsloth + Studio dep tree downloads several hundred
# archives, hence the longer timeout.
#
# Sharded across runners for wall-clock parallelism. Each shard
# runs scan_packages.py once with --with-deps so its own slice
# benefits from pip's deduped transitive resolve. Shard
# composition tries to balance load:
# - hf-stack: pyproject extras + no-torch-runtime
# (~150 archives, transformers/peft/accelerate/...)
# - studio: FastAPI/Studio backend + overrides + extras-no-deps
# (~150 archives, smaller scientific stack)
# - extras: the heavy openai-whisper / scikit-learn / librosa
# stack (~250 archives, dominant cost)
# triton-kernels.txt is git+-only, fully skipped.
name: ${{ matrix.shard.name }}
runs-on: ubuntu-latest
timeout-minutes: 25
strategy:
fail-fast: false
matrix:
shard:
- name: 'pip scan-packages :: hf-stack'
id: hf-stack
files: 'unsloth-deps no-torch-runtime'
- name: 'pip scan-packages :: studio'
id: studio
files: 'studio overrides extras-no-deps'
- name: 'pip scan-packages :: extras'
id: extras
files: 'extras'
steps:
# Egress block on every shard. Each shard pulls hundreds of
# PyPI archives -- if a malicious wheel ever phones home from
# within the scanner sandbox (it shouldn't; we never execute
# the archive), harden-runner now rejects the connect outright.
# Per-job allowlist: pip-scan-packages only fetches PyPI archives
# via scan_packages.py + pip download. No npm or cargo traffic.
- name: Harden runner (egress block)
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
egress-policy: block
disable-sudo: true
allowed-endpoints: >
api.github.com:443
github.com:443
codeload.github.com:443
objects.githubusercontent.com:443
pypi.org:443
files.pythonhosted.org:443
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: '3.12'
cache: 'pip'
- name: Install scan_packages.py runtime deps
# scan_packages.py imports requests + packaging at runtime to
# talk to PyPI's JSON API and to parse version specifiers. We
# do not install the packages it scans -- those are downloaded
# raw and inspected without ever touching `pip install`.
run: python -m pip install --upgrade pip requests packaging
- name: Build filtered requirements set
# Mirrors the advisory-audit job's input transform: pyproject.toml
# extraction + git+ stripping. scan_packages.py downloads
# PyPI archives without building, so it tolerates legacy
# setup.py packages (no resolver dry-run); but `--with-deps`
# delegates resolution to a single `pip download` call that
# cannot satisfy `git+` specs without git operations, so we
# strip them here too.
run: |
mkdir -p audit-reqs
python <<'PY' > audit-reqs/unsloth-deps.txt
import tomllib
with open("pyproject.toml", "rb") as f:
d = tomllib.load(f)
core = d["project"]["dependencies"]
extras = d["project"]["optional-dependencies"]["huggingfacenotorch"]
print("# Auto-generated from pyproject.toml by security-audit.yml.")
print("# core deps + huggingfacenotorch extras.")
for spec in core + extras:
print(spec)
PY
for f in studio.txt extras.txt extras-no-deps.txt \
no-torch-runtime.txt overrides.txt triton-kernels.txt; do
python <<PY > "audit-reqs/$f"
src = "studio/backend/requirements/$f"
with open(src) as fh:
for line in fh:
stripped = line.strip()
before_comment = stripped.split("#", 1)[0]
if "git+" in before_comment:
print(f"# [security-audit] skipped git+ spec: {stripped}")
continue
print(line.rstrip("\n"))
PY
done
- name: Sanity-check scan_packages.py
# The scanner lives at scripts/scan_packages.py in this repo
# so we don't depend on a network fetch at job time.
run: |
test -f scripts/scan_packages.py
head -3 scripts/scan_packages.py
grep -q "Standalone pre-install package scanner" scripts/scan_packages.py
- name: Scan declared + transitive Python deps
# scan_packages.py exits 1 on NON-baselined CRITICAL/HIGH
# findings, 0 otherwise. It scans code-only (docstrings and
# comments are blanked first) and suppresses reviewed
# known-good findings via scripts/scan_packages_baseline.json,
# so legitimate-library noise no longer red-fails the gate.
# The step stays advisory until SCAN_ENFORCE=1 (see env below);
# then PIPESTATUS propagates the scanner's exit code.
#
# `--with-deps` walks PyPI metadata to enumerate every
# transitive dep the declared set would install, then scans
# them all. Without this flag, we'd only catch a malicious
# *direct* dep -- and supply-chain attacks usually land
# several hops down (litellm 1.82.7 was a dep of a dep for
# most users).
#
# This step runs once per matrix shard. Within a shard, every
# -r file is fed to a single `pip download` call so pip
# intersects version constraints and yields a deduped
# transitive set (no point fetching the same transformers
# wheel five times). Across shards we accept some redundant
# downloads in exchange for wall-clock parallelism.
env:
SHARD_FILES: ${{ matrix.shard.files }}
# Enforcement switch. "1" = blocking: a non-baselined CRITICAL/HIGH
# fails the build. scan_packages.py scans code-only (docstrings/comments
# stripped), fetches sdist-only packages directly from PyPI (no build)
# so every shard resolves, and honors the reviewed allowlist at
# scripts/scan_packages_baseline.json, so only NON-baselined
# CRITICAL/HIGH cause its exit 1. The committed baseline makes all three
# shards exit 0 today; set this back to "0" to return to advisory.
SCAN_ENFORCE: "1"
run: |
set +e
mkdir -p logs
LOG="logs-scan-packages-${{ matrix.shard.id }}.txt"
echo "::group::shard ${{ matrix.shard.id }} input files"
REQ_ARGS=()
for f in $SHARD_FILES; do
if grep -qE '^[^#[:space:]]' "audit-reqs/$f.txt"; then
echo " + audit-reqs/$f.txt"
REQ_ARGS+=( -r "audit-reqs/$f.txt" )
else
echo " - audit-reqs/$f.txt (empty after git+ filter, skipping)"
fi
done
echo "::endgroup::"
rc=0
if [ ${#REQ_ARGS[@]} -eq 0 ]; then
echo "[security-audit] shard ${{ matrix.shard.id }}: no PyPI specs, nothing to scan" \
| tee "$LOG"
else
python scripts/scan_packages.py --with-deps "${REQ_ARGS[@]}" \
2>&1 | tee "$LOG"
rc=${PIPESTATUS[0]}
fi
{
echo "## scan_packages :: shard ${{ matrix.shard.id }}"
echo
echo "### Files in this shard"
for f in $SHARD_FILES; do echo "- audit-reqs/$f.txt"; done
echo
echo "scan_packages.py exit code: $rc (enforce=$SCAN_ENFORCE)"
echo
echo '### Findings (tail)'
echo '```'
tail -200 "$LOG"
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
# Advisory by default; blocking once SCAN_ENFORCE=1 and the baseline
# is committed. PIPESTATUS is captured above so `tee` does not mask the
# scanner's exit code.
if [ "$SCAN_ENFORCE" = "1" ]; then
exit "$rc"
fi
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
if: always()
with:
name: scan-packages-log-${{ matrix.shard.id }}
path: |
logs-scan-packages-${{ matrix.shard.id }}.txt
audit-reqs/
retention-days: 30
# ─────────────────────────────────────────────────────────────────────
# npm: pre-install tarball content scan.
# ─────────────────────────────────────────────────────────────────────
npm-scan-packages:
# Counterpart to pip-scan-packages for the npm side. Reads
# studio/frontend/package-lock.json, downloads each resolved
# tarball DIRECTLY from registry.npmjs.org (never via `npm
# install` -- no lifecycle scripts ever run), verifies the
# lockfile integrity hash, unpacks each tarball into a sandboxed
# temp dir behind size / count / path-escape / symlink guards,
# and pattern-scans the extracted file contents for the
# signatures common to npm supply-chain attacks:
#
# - lifecycle (preinstall / install / postinstall / prepare)
# scripts in any package.json that fetch + execute external
# code,
# - C2 / exfiltration hosts (getsession.org, AWS IMDS,
# Kubernetes ServiceAccount token paths, GitHub Actions OIDC,
# HashiCorp Vault endpoints),
# - credential-stealing references (.npmrc, .aws/credentials,
# GITHUB_TOKEN / NPM_TOKEN in JS sources),
# - known IOC filenames (router_init.js, tanstack_runner.js,
# router_runtime.js),
# - obfuscation shapes (Function/eval against base64 blobs).
#
# Threat model: every tarball is hostile. Safety guarantees are
# documented at scripts/scan_npm_packages.py top-of-file. The
# script is stdlib-only so adding it does not increase the
# transitive supply-chain surface.
name: npm scan-packages (Studio frontend tarballs)
runs-on: ubuntu-latest
timeout-minutes: 30
needs: []
steps:
# Per-job allowlist: npm-scan-packages only fetches tarballs from
# registry.npmjs.org. GitHub endpoints retained for checkout +
# setup-python action machinery.
- name: Harden runner (egress block)
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
egress-policy: block
disable-sudo: true
allowed-endpoints: >
api.github.com:443
github.com:443
codeload.github.com:443
objects.githubusercontent.com:443
registry.npmjs.org:443
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: '3.12'
- name: Sanity-check scan_npm_packages.py
run: |
test -f scripts/scan_npm_packages.py
python3 -c "import ast; ast.parse(open('scripts/scan_npm_packages.py').read())"
- name: Scan npm tarballs (declared + transitive, no install)
# scan_npm_packages.py exits 1 on NON-baselined HIGH/CRITICAL
# findings, 0 otherwise. It scans code-only (JS/TS comments are