Skip to content

Security

Josemalyson Oliveira edited this page Jun 27, 2026 · 1 revision

Security

Security policies and gates in HES.


Overview

HES includes security scanning in the workflow to catch vulnerabilities early.


Security Phase

The SECURITY phase runs after GREEN (implementation) and before REVIEW.

Tools

Tool Purpose
Bandit Python security scanner
Semgrep Multi-language security scanner

Commands

# Bandit
bandit -r src/ -f json

# Semgrep
semgrep --config=auto src/

Security Policy

HES includes a security-policy.yml file that defines 3 security modes:

Default Mode

active_policy: default

policies:
  bandit:
    severity: [MEDIUM, HIGH]
    confidence: [MEDIUM, HIGH]
    action: block
  semgrep:
    severity: [WARNING, ERROR]
    action: block

Enterprise Mode

policies:
  bandit:
    severity: [LOW, MEDIUM, HIGH]
    confidence: [LOW, MEDIUM, HIGH]
    action: block
  semgrep:
    severity: [INFO, WARNING, ERROR]
    action: block

Relaxed Mode

policies:
  bandit:
    severity: [HIGH]
    confidence: [HIGH]
    action: warn
  semgrep:
    severity: [ERROR]
    action: warn

Security Gates

Gate Conditions

The SECURITY phase gate requires:

  1. No critical/high findings from Bandit
  2. No error findings from Semgrep
  3. All findings reviewed and addressed

Bypassing Gates

To bypass security gates (not recommended):

/hes skip --reason "false positive: ..."

The bypass is logged to events.log.


Common Security Issues

Bandit Findings

Issue Severity Fix
hardcoded_password HIGH Use environment variables
sql_injection HIGH Use parameterized queries
command_injection HIGH Use subprocess with list
insecure_random MEDIUM Use secrets module

Semgrep Findings

Issue Severity Fix
eval() usage HIGH Remove eval
exec() usage HIGH Remove exec
hardcoded_secret HIGH Use environment variables
path_traversal HIGH Validate paths

Secret Scanning

HES recommends using gitleaks for secret scanning:

# Install
brew install gitleaks

# Run
gitleaks detect --source . --verbose

Security Best Practices

  1. Never commit secrets — Use environment variables
  2. Use parameterized queries — Prevent SQL injection
  3. Validate input — Prevent injection attacks
  4. Use HTTPS — Encrypt communications
  5. Audit dependencies — Check for vulnerabilities

References

  • Phases — Phase workflow
  • Rules — Security rules (R21-R24)

Last updated: June 2026

Clone this wiki locally