# Security
Josemalyson Oliveira edited this page Jun 27, 2026 · 1 revision
Security policies and gates in HES.
HES runs security scanners as part of the workflow so that vulnerabilities are caught before code reaches review.
The SECURITY phase runs after GREEN (implementation) and before REVIEW; it is a gate, so the workflow does not advance to REVIEW until the phase passes or is explicitly skipped.
| Tool | Purpose |
|---|---|
| Bandit | Python security scanner |
| Semgrep | Multi-language security scanner |
```shell
# Bandit (JSON output is what the policy gate consumes)
bandit -r src/ -f json
# Semgrep
semgrep --config=auto src/
```
HES includes a security-policy.yml file that defines three security modes:
The three modes differ in which severity and confidence levels count as a match and in whether a match blocks the phase or only warns. The first is the one selected by `active_policy: default`:
```yaml
active_policy: default
policies:
  bandit:
    severity: [MEDIUM, HIGH]
    confidence: [MEDIUM, HIGH]
    action: block
  semgrep:
    severity: [WARNING, ERROR]
    action: block
```
A stricter mode that blocks on every finding, whatever its severity or confidence:
```yaml
policies:
  bandit:
    severity: [LOW, MEDIUM, HIGH]
    confidence: [LOW, MEDIUM, HIGH]
    action: block
  semgrep:
    severity: [INFO, WARNING, ERROR]
    action: block
```
A more lenient mode that only warns, and only on the highest-severity findings:
```yaml
policies:
  bandit:
    severity: [HIGH]
    confidence: [HIGH]
    action: warn
  semgrep:
    severity: [ERROR]
    action: warn
```
For Bandit a finding matches only when both its severity and its confidence are in the listed values; Semgrep findings carry no confidence, so only severity is checked. The SECURITY phase gate requires:
- No HIGH-severity findings from Bandit (Bandit rates findings LOW, MEDIUM or HIGH; there is no "critical" level, and the default policy also blocks on MEDIUM)
- No ERROR-severity findings from Semgrep
- All findings reviewed and addressed, either fixed or dismissed with a recorded reason
To bypass a security gate (not recommended; reserve it for confirmed false positives):
```shell
/hes skip --reason "false positive: ..."
```
The bypass is logged to events.log, so every skipped gate leaves an audit trail.
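The following is an added example of how the policy above can be applied to scanner output; it is not HES's own gate code. It assumes the policy has already been parsed from security-policy.yml (with PyYAML in practice; here the three modes are embedded as dicts so the script runs offline), and it uses the real report shapes of `bandit -f json` (a `results` list with `test_id`, `issue_severity`, `issue_confidence`) and `semgrep --json` (a `results` list with `check_id` and `extra.severity`). The findings themselves and the constant names `DEFAULT_POLICY`, `STRICT_POLICY` and `LENIENT_POLICY` are constructed for this example.

```python
import json

# The three modes from security-policy.yml, embedded as dicts (assumption: in HES
# these would be loaded from the YAML file). Names are this example's own.
DEFAULT_POLICY = {
    "bandit": {"severity": ["MEDIUM", "HIGH"], "confidence": ["MEDIUM", "HIGH"], "action": "block"},
    "semgrep": {"severity": ["WARNING", "ERROR"], "action": "block"},
}
STRICT_POLICY = {
    "bandit": {"severity": ["LOW", "MEDIUM", "HIGH"], "confidence": ["LOW", "MEDIUM", "HIGH"], "action": "block"},
    "semgrep": {"severity": ["INFO", "WARNING", "ERROR"], "action": "block"},
}
LENIENT_POLICY = {
    "bandit": {"severity": ["HIGH"], "confidence": ["HIGH"], "action": "warn"},
    "semgrep": {"severity": ["ERROR"], "action": "warn"},
}

# Constructed scanner output. Field names follow the real `bandit -f json` and
# `semgrep --json` report shapes; the findings are made up for this example
# (B105/B608/B602 are real Bandit test ids, "example.style.info-only-rule" is not a real rule).
BANDIT_JSON = json.dumps({"results": [
    {"test_id": "B105", "test_name": "hardcoded_password_string", "issue_severity": "LOW",
     "issue_confidence": "MEDIUM", "filename": "src/config.py", "line_number": 12},
    {"test_id": "B608", "test_name": "hardcoded_sql_expressions", "issue_severity": "MEDIUM",
     "issue_confidence": "LOW", "filename": "src/db.py", "line_number": 40},
    {"test_id": "B602", "test_name": "subprocess_popen_with_shell_equals_true",
     "issue_severity": "HIGH", "issue_confidence": "HIGH", "filename": "src/run.py", "line_number": 8},
]})
SEMGREP_JSON = json.dumps({"results": [
    {"check_id": "python.lang.security.audit.eval-detected.eval-detected",
     "path": "src/plugins.py", "start": {"line": 4}, "extra": {"severity": "ERROR"}},
    {"check_id": "example.style.info-only-rule",
     "path": "src/util.py", "start": {"line": 21}, "extra": {"severity": "INFO"}},
]})

RANK = {"pass": 0, "warn": 1, "block": 2}


def parse_bandit(raw):
    """Normalise Bandit JSON into a common finding record."""
    return [{"tool": "bandit", "id": r["test_id"], "severity": r["issue_severity"].upper(),
             "confidence": r["issue_confidence"].upper(),
             "location": f"{r['filename']}:{r['line_number']}"}
            for r in json.loads(raw).get("results", [])]


def parse_semgrep(raw):
    """Normalise Semgrep JSON; Semgrep reports no confidence, so it is left as None."""
    return [{"tool": "semgrep", "id": r["check_id"], "severity": r["extra"]["severity"].upper(),
             "confidence": None, "location": f"{r['path']}:{r['start']['line']}"}
            for r in json.loads(raw).get("results", [])]


def matches(finding, rule):
    """A finding matches when its severity is listed and, if the rule lists
    confidences and the tool reports one, its confidence is listed too."""
    if finding["severity"] not in rule["severity"]:
        return False
    wanted = rule.get("confidence")
    return not wanted or finding["confidence"] is None or finding["confidence"] in wanted


def evaluate_gate(policy, findings):
    """Return (decision, matching findings); decision is the strongest action hit."""
    decision, hits = "pass", []
    for f in findings:
        rule = policy.get(f["tool"])
        if rule is None or not matches(f, rule):
            continue
        hits.append(f)
        if RANK[rule["action"]] > RANK[decision]:
            decision = rule["action"]
    return decision, hits


def load_findings():
    return parse_bandit(BANDIT_JSON) + parse_semgrep(SEMGREP_JSON)


if __name__ == "__main__":
    for name, policy in [("default", DEFAULT_POLICY), ("strict", STRICT_POLICY), ("lenient", LENIENT_POLICY)]:
        decision, hits = evaluate_gate(policy, load_findings())
        print(f"{name}: {decision.upper()} ({len(hits)} matching findings)")
        for h in hits:
            print(f"  {h['tool']} {h['id']} {h['severity']} at {h['location']}")
```

With the constructed findings the default mode blocks on two of the five (the HIGH/HIGH Bandit hit and the Semgrep ERROR), the strict mode blocks on all five, and the lenient mode only warns on the same two; a LOW-severity or LOW-confidence Bandit finding never reaches the gate under the default policy, which is the practical difference between the modes.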
Common findings from the Bandit scan and how to fix them:
| Issue | Severity | Fix |
|---|---|---|
| hardcoded_password | HIGH | Read the value from an environment variable; never keep a literal in source |
| sql_injection | HIGH | Use parameterized queries; never build SQL from user input |
| command_injection | HIGH | Call subprocess with an argument list and without shell=True |
| insecure_random | MEDIUM | Use the secrets module for tokens, keys and anything security-sensitive |
Common findings from the Semgrep scan and how to fix them:
| Issue | Severity | Fix |
|---|---|---|
| eval() usage | HIGH | Remove eval; parse literals with ast.literal_eval or dispatch explicitly |
| exec() usage | HIGH | Remove exec |
| hardcoded_secret | HIGH | Read the value from an environment variable |
| path_traversal | HIGH | Resolve the path and check it stays under the allowed base directory |
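The two tables above name the findings and the fixes; the script below is an added example (not HES code) that shows each vulnerable pattern beside its hardened form, so the fix can be seen to hold against a real payload. The database table, the payloads and the function names are constructed for this example; the SQL-injection pair runs against an in-memory SQLite database, the command-injection case runs `echo` through subprocess, and the path check relies on `Path.is_relative_to`, available from Python 3.9.

```python
import ast
import os
import secrets
import sqlite3
import subprocess
from pathlib import Path


def make_db():
    """Constructed in-memory table standing in for an application database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")])
    return con


def find_user_vulnerable(con, name):
    # sql_injection (Bandit B608): the value is spliced into the statement, so a
    # payload such as  x' OR '1'='1  rewrites the WHERE clause and returns every row.
    return con.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(con, name):
    # Fix: parameterized query; the driver passes the value as data, never as SQL.
    return con.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def echo_safe(user_input):
    # command_injection fix: an argv list and no shell=True, so ';', '|' and '$(...)'
    # reach the program as literal characters instead of being parsed by /bin/sh.
    out = subprocess.run(["echo", user_input], capture_output=True, text=True, check=True)
    return out.stdout.rstrip("\n")


def new_session_token(nbytes=32):
    # insecure_random fix: secrets draws from the OS CSPRNG; random is predictable.
    return secrets.token_urlsafe(nbytes)


def db_password(env=os.environ):
    # hardcoded_password / hardcoded_secret fix: read from the environment and fail
    # fast when it is missing rather than falling back to a literal in source.
    password = env.get("DB_PASSWORD")
    if not password:
        raise RuntimeError("DB_PASSWORD is not set")
    return password


def is_within(base, user_path):
    # path_traversal fix: resolve both sides (collapses '..' and follows symlinks)
    # and test containment, instead of pattern-matching '..' in the raw string.
    base_dir = Path(base).resolve()
    target = (base_dir / user_path).resolve()
    return target.is_relative_to(base_dir)


def safe_join(base, user_path):
    if not is_within(base, user_path):
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return (Path(base).resolve() / user_path).resolve()


def parse_setting(text):
    # eval() fix: ast.literal_eval accepts literals only; an expression such as
    # __import__('os').system('id') raises instead of executing.
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"not a literal: {text!r}") from exc


if __name__ == "__main__":
    con = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(con, payload))   # both rows leak
    print("safe:      ", find_user_safe(con, payload))         # no match
    print("echo:      ", echo_safe("a; echo pwned"))
    print("token:     ", new_session_token())
    print("traversal: ", is_within("/srv/app/uploads", "../../etc/passwd"))
    print("setting:   ", parse_setting("[1, 2, 3]"))
```

The same structure applies when reviewing a Bandit or Semgrep finding: reproduce the issue with a concrete payload against the flagged code, apply the fix from the table, and re-run the payload before marking the finding addressed.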
HES recommends gitleaks for secret scanning; `gitleaks detect` scans the working tree and the git history, so a secret that was committed and later removed is still reported:
```shell
# Install
brew install gitleaks
# Run
gitleaks detect --source . --verbose
```
- Never commit secrets — Use environment variables
- Use parameterized queries — Prevent SQL injection
- Validate input — Prevent injection attacks
- Use HTTPS — Encrypt communications
- Audit dependencies — Check for vulnerabilities
Last updated: June 2026