[Audit] S6 CI/CD: Pipeline lacks Python linting and security scanning

[mvillmow]

Audit Finding

Severity: MAJOR
Section: 6. CI/CD & Build Pipeline
Grade Impact: This finding contributes to the D- grade for this section.

Summary

The CI pipeline (.github/workflows/ci.yml) validates YAML syntax and Grafana dashboard JSON structure but completely ignores the Python source code in exporter/exporter.py. There is no Python linting (ruff, flake8, mypy), no security scanning (bandit, safety), and no SAST tooling of any kind.

Evidence

• File: .github/workflows/ci.yml lines 1-51
• Observed: CI steps: yamllint, JSON validation, docker compose config. No Python-related checks.
• Expected: At minimum: ruff check exporter/, mypy exporter/, bandit -r exporter/

Principle Violation

KISS: The exporter is the only custom code in the repository and the most likely source of bugs and security issues. Skipping it in CI while linting static config files inverts the priority of what should be checked.

Recommendation

Add CI steps for:

1. Python linting: pip install ruff && ruff check exporter/
2. Type checking: pip install mypy && mypy exporter/
3. Security scanning: pip install bandit && bandit -r exporter/
4. Consider using pixi run or just lint to keep CI aligned with local dev workflow

Impact

Python bugs (like the existing mutable default argument in gauge() and duplicate TYPE line emission) go undetected by CI. Security vulnerabilities in the exporter code are not caught before merge.

See also #6 (add tests for exporter), #9 (duplicate TYPE lines), #12 (mutable default argument).

---

Filed by HomericIntelligence ecosystem audit (repo-analyze-strict methodology)
Audit date: 2026-03-22

[mvillmow]

Implementation Plan

Now I have a complete picture. Here is the implementation plan:

---

Implementation Plan: Issue #30 — Add Python Linting and Security Scanning to CI

1. Objective

Add Python linting (ruff), type checking (mypy), and security scanning (bandit) to the CI pipeline for exporter/exporter.py, plus a separate weekly security workflow (pip-audit). Align local dev commands via pixi and just.

---

2. Approach

• Separate CI job (lint-python) parallel to the existing validate job — not a new step inside it. Isolated failure reporting, no matrix duplication.
• Bandit via .bandit INI file passed as --ini .bandit explicitly (bandit 1.9.x does not auto-discover at repo root and does not read pyproject.toml).
• -ll flag for bandit (medium+high severity only) — avoids CI noise from low-severity informational findings.
• Separate security.yml workflow with paths: filter and weekly schedule: — pip-audit and bandit run on dependency/code changes, not every PR.
• pixi lint feature with ruff, mypy, bandit, pip-audit as dependencies, and just lint recipe for local parity.
• Pre-scan exporter/ before wiring bandit into CI to surface pre-existing violations (the mutable default argument labels: dict = {} at line 45 may trigger B006).

---

3. Files to Create

File	Description
.github/workflows/lint.yml	New GitHub Actions workflow: lint-python job with ruff, mypy, bandit steps
.github/workflows/security.yml	New GitHub Actions workflow: weekly + path-triggered pip-audit + bandit scan
.bandit	Bandit INI config at repo root; passed as --ini .bandit; includes targets = exporter, recursive = true, and any pre-existing skip rationale

---

4. Files to Modify

pixi.toml

Add a [feature.lint] section:

[feature.lint.dependencies]
ruff = ">=0.4"
mypy = ">=1.10"
bandit = ">=1.9"

[feature.lint.pypi-dependencies]
pip-audit = ">=2.7"

[feature.lint.tasks]
lint     = "just lint"
typecheck = "just typecheck"
scan     = "just scan"

[environments]
lint = ["lint"]

justfile

Add three new recipes:

# Lint Python exporter with ruff
lint:
    ruff check exporter/

# Type-check Python exporter with mypy
typecheck:
    mypy exporter/

# Security scan Python exporter with bandit
scan:
    bandit -ll --ini .bandit

---

5. Implementation Order

1. Pre-scan — run bandit -ll -r exporter/ locally to identify any pre-existing violations before touching CI. Document any B006 hit from the mutable default argument.
2. Create .bandit — INI file with targets = exporter, recursive = true, and appropriate skips with comments. If B006 (mutable default argument) fires, either fix the code or add it as a skip with rationale. Given issue Exporter gauge() uses mutable default argument #12 already tracks this bug, the right call is to skip it in .bandit with a comment referencing Exporter gauge() uses mutable default argument #12, so CI isn't immediately broken.
3. Update pixi.toml — add [feature.lint] feature with ruff, mypy, bandit dependencies; add [feature.lint.pypi-dependencies] for pip-audit; add lint environment; add pixi tasks.
4. Update justfile — add lint, typecheck, scan recipes.
5. Create .github/workflows/lint.yml — parallel lint-python job with steps: install pixi, activate lint env, ruff check exporter/, mypy exporter/, bandit -ll --ini .bandit. Add concurrency: group and permissions: contents: read.
6. Create .github/workflows/security.yml — triggered on push/pull_request with paths: filter (pixi.toml, pixi.lock, **/*.py) and weekly schedule: cron. Runs pip-audit and bandit. Separate cache key pixi-lint-${{ runner.os }}-${{ hashFiles('pixi.lock') }}.
7. Verify locally — run just lint, just typecheck, just scan in the pixi lint environment before pushing.

---

6. Verification

Check	Command	Expected
ruff passes	pixi run -e lint ruff check exporter/	Zero violations
mypy passes	pixi run -e lint mypy exporter/	No type errors
bandit passes	pixi run -e lint bandit -ll --ini .bandit	No medium/high findings (or all suppressed with rationale)
pip-audit passes	pixi run -e lint pip-audit	No known CVEs
CI lint job green	Push a branch, observe lint-python job in Actions	Passes independently of validate
CI security job green	Push touching exporter/*.py, observe security workflow	Passes
Local just lint works	just lint	Runs ruff, exits 0

---

7. .bandit File Structure

[bandit]
targets = exporter
recursive = true
# B006: mutable-default-argument in gauge() — tracked for fix in issue #12
skips = B006

---

8. .github/workflows/lint.yml Skeleton

name: Lint

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]

concurrency:
  group: lint-${{ github.ref }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  lint-python:
    name: Python lint & security
    runs-on: ubuntu-latest
    timeout-minutes: 10

    steps:
      - uses: actions/checkout@v4

      - name: Cache pixi lint env
        uses: actions/cache@v4
        with:
          path: ~/.pixi
          key: pixi-lint-${{ runner.os }}-${{ hashFiles('pixi.lock') }}

      - name: Install pixi
        uses: prefix-dev/setup-pixi@v0.8.1
        with:
          environments: lint

      - name: Ruff lint
        run: pixi run -e lint ruff check exporter/

      - name: Mypy type check
        run: pixi run -e lint mypy exporter/

      - name: Bandit security scan
        run: pixi run -e lint bandit -ll --ini .bandit

---

9. .github/workflows/security.yml Skeleton

name: Security

on:
  push:
    branches: ["main"]
    paths:
      - "pixi.toml"
      - "pixi.lock"
      - "pyproject.toml"
      - "exporter/**/*.py"
  pull_request:
    branches: ["main"]
    paths:
      - "pixi.toml"
      - "pixi.lock"
      - "pyproject.toml"
      - "exporter/**/*.py"
  schedule:
    - cron: "0 6 * * 1"   # Weekly Monday 06:00 UTC

concurrency:
  group: security-${{ github.ref }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  security-scan:
    name: pip-audit + bandit
    runs-on: ubuntu-latest
    timeout-minutes: 10

    steps:
      - uses: actions/checkout@v4

      - name: Cache pixi lint env
        uses: actions/cache@v4
        with:
          path: ~/.pixi
          key: pixi-lint-${{ runner.os }}-${{ hashFiles('pixi.lock') }}

      - name: Install pixi
        uses: prefix-dev/setup-pixi@v0.8.1
        with:
          environments: lint

      - name: pip-audit dependency scan
        run: pixi run -e lint pip-audit

      - name: Bandit security scan
        run: pixi run -e lint bandit -ll --ini .bandit

---

10. Skills Used

Invoked during planning:

• None (direct file reads were sufficient; no skill invocations required)

Team knowledge base skills referenced (from Prior Learnings):

• bandit-precommit-security-scanner — bandit -ll flag, pre-scan before CI wiring, separate security workflow pattern
• bandit-config-migration — .bandit INI structure, recursive = true requirement, --ini .bandit explicit flag, why pyproject.toml doesn't work with bandit 1.9.x
• extend-precommit-bandit-scope — pre-scan new directories before extending coverage
• ci-cd-pipeline-maintenance-patterns — separate lint job (not step), ruff/mypy CI patterns, 10-minute timeout
• ci-dependency-security-scanning — pip-audit in [feature.lint.pypi-dependencies], paths: filter for security workflow, weekly schedule
• quality-security-scan — bandit/pip-audit invocation reference patterns

---

Generated by Claude Code Planner