From 0e34088440cfc6f21999c7a93f408e906fb9fd81 Mon Sep 17 00:00:00 2001 From: squid-protocol Date: Sat, 11 Jul 2026 08:06:56 -0400 Subject: [PATCH 1/5] ci: test native bitbucket pipeline execution --- bitbucket-pipelines.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 bitbucket-pipelines.yml diff --git a/bitbucket-pipelines.yml b/bitbucket-pipelines.yml new file mode 100644 index 00000000..81e4fd70 --- /dev/null +++ b/bitbucket-pipelines.yml @@ -0,0 +1,24 @@ +# GitGalaxy Enterprise Security Scanner +# Integration: Bitbucket Pipelines + +image: python:3.12-slim + +pipelines: + default: + - step: + name: 'GitGalaxy Zero-Trust Spectral Audit' + caches: + - pip + script: + # 1. Initialize Python Environment & Install GitGalaxy CLI Engine + - pip install --upgrade pip + - pip install gitgalaxy>=2.4.0 + + # 2. Execute Zero-Trust Spectral Audit with Enterprise Gates + # Enforces strict quality gating via the CLI vault. + # Defaults to a Max Risk of 80 if the variable is not set in the UI. + - galaxyscope . --max-risk-exposure ${GITGALAXY_MAX_RISK:-80} --fail-on-secrets --fail-on-malware --sarif-only --output gitgalaxy-results_sarif.json + + artifacts: + # 3. Publish SARIF telemetry for Bitbucket Code Insights + - gitgalaxy-results_sarif.json From fb44b5e137b85ce4dd3f66bccc5670ba669603c5 Mon Sep 17 00:00:00 2001 From: squid-protocol Date: Sat, 11 Jul 2026 08:14:39 -0400 Subject: [PATCH 2/5] ci: finalize bitbucket sandbox pipeline and templates --- templates/bitbucket/bitbucket-pipelines.yml | 24 +++++++++++++ templates/github/gitgalaxy-pipeline.yml | 37 +++++++++++++++++++++ 2 files changed, 61 insertions(+) create mode 100644 templates/bitbucket/bitbucket-pipelines.yml create mode 100644 templates/github/gitgalaxy-pipeline.yml diff --git a/templates/bitbucket/bitbucket-pipelines.yml b/templates/bitbucket/bitbucket-pipelines.yml new file mode 100644 index 00000000..81e4fd70 --- /dev/null +++ b/templates/bitbucket/bitbucket-pipelines.yml @@ -0,0 +1,24 @@ +# GitGalaxy Enterprise Security Scanner +# Integration: Bitbucket Pipelines + +image: python:3.12-slim + +pipelines: + default: + - step: + name: 'GitGalaxy Zero-Trust Spectral Audit' + caches: + - pip + script: + # 1. Initialize Python Environment & Install GitGalaxy CLI Engine + - pip install --upgrade pip + - pip install gitgalaxy>=2.4.0 + + # 2. Execute Zero-Trust Spectral Audit with Enterprise Gates + # Enforces strict quality gating via the CLI vault. + # Defaults to a Max Risk of 80 if the variable is not set in the UI. + - galaxyscope . --max-risk-exposure ${GITGALAXY_MAX_RISK:-80} --fail-on-secrets --fail-on-malware --sarif-only --output gitgalaxy-results_sarif.json + + artifacts: + # 3. Publish SARIF telemetry for Bitbucket Code Insights + - gitgalaxy-results_sarif.json diff --git a/templates/github/gitgalaxy-pipeline.yml b/templates/github/gitgalaxy-pipeline.yml new file mode 100644 index 00000000..b340c00d --- /dev/null +++ b/templates/github/gitgalaxy-pipeline.yml @@ -0,0 +1,37 @@ +name: GitGalaxy Zero-Trust Pipeline + +on: + push: + branches: + - main + +jobs: + vault-sentinel: + name: Vault Sentinel + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: squid-protocol/gitgalaxy@v2.4.0 + with: + tool: 'vault-sentinel' + target: '.' + + xray-inspector: + name: X-Ray Inspector + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: squid-protocol/gitgalaxy@v2.4.0 + with: + tool: 'xray-inspector' + target: '.' + + supply-chain-firewall: + name: Supply Chain Firewall + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: squid-protocol/gitgalaxy@v2.4.0 + with: + tool: 'supply-chain-firewall' + target: '.' From cb34c01382a99c61cc0ecd4dfade064396bddce1 Mon Sep 17 00:00:00 2001 From: squid-protocol Date: Sat, 11 Jul 2026 08:29:10 -0400 Subject: [PATCH 3/5] ci: add test ignore flag to bitbucket pipeline and save CD strategy --- bitbucket-pipelines.yml | 8 ++--- cd pipeline strategy.md | 33 +++++++++++++++++++++ templates/bitbucket/bitbucket-pipelines.yml | 8 ++--- 3 files changed, 41 insertions(+), 8 deletions(-) create mode 100644 cd pipeline strategy.md diff --git a/bitbucket-pipelines.yml b/bitbucket-pipelines.yml index 81e4fd70..dbb5b776 100644 --- a/bitbucket-pipelines.yml +++ b/bitbucket-pipelines.yml @@ -11,13 +11,13 @@ pipelines: - pip script: # 1. Initialize Python Environment & Install GitGalaxy CLI Engine + # Added heavy physics engines for full precision (networkx, tiktoken, etc.) - pip install --upgrade pip - - pip install gitgalaxy>=2.4.0 + - pip install gitgalaxy>=2.4.0 networkx tiktoken xgboost pandas numpy # 2. Execute Zero-Trust Spectral Audit with Enterprise Gates - # Enforces strict quality gating via the CLI vault. - # Defaults to a Max Risk of 80 if the variable is not set in the UI. - - galaxyscope . --max-risk-exposure ${GITGALAXY_MAX_RISK:-80} --fail-on-secrets --fail-on-malware --sarif-only --output gitgalaxy-results_sarif.json + # Added --ignore tests/ to prevent mock data from tripping the secrets firewall + - galaxyscope . --ignore tests/ --max-risk-exposure ${GITGALAXY_MAX_RISK:-95} --fail-on-secrets --fail-on-malware --sarif-only --output gitgalaxy-results_sarif.json artifacts: # 3. Publish SARIF telemetry for Bitbucket Code Insights diff --git a/cd pipeline strategy.md b/cd pipeline strategy.md new file mode 100644 index 00000000..8fd1e224 --- /dev/null +++ b/cd pipeline strategy.md @@ -0,0 +1,33 @@ +# GitGalaxy: CI/CD Distribution & Architecture Context + +## 1. Architectural Overview (The Hub and Spoke Model) +GitGalaxy utilizes a centralized distribution architecture to maintain a single source of truth while achieving maximum cross-platform compatibility. + +* **The Hub (PyPI):** The compiled Python codebase (the blAST engine) is hosted exclusively on the Python Package Index. +* **The Spokes (GitHub, GitLab, Jenkins, etc.):** Enterprise CI/CD platforms do not host the engine natively. Instead, they use lightweight YAML wrappers to dynamically pull the engine via `pip install gitgalaxy` and execute it within their isolated runners. + +This allows us to instantly push updates to Azure DevOps, Bitbucket, GitLab, and GitHub Actions simultaneously just by tagging a new release. + +## 2. Core CI/CD Configurations & Files + +### GitHub Actions (The Orchestrator) +GitHub acts as the central command center for the project's source code and deployment triggers. +* **`.github/workflows/publish.yml`**: The release pipeline. Triggered strictly by Git tags (e.g., `v2.4.1`). It builds the Python wheel/sdist and authenticates with PyPI via OIDC to publish the package. +* **`.github/workflows/gitlab-sync.yml`**: The mirror pipeline. Fires alongside the PyPI publish workflow. It securely pushes the latest code and tags directly to the `squid-protocol1/gitgalaxy` repository on GitLab, keeping both platforms in perfect sync. +* **`action.yml`**: The native GitHub Action wrapper. Allows GitHub users to invoke GitGalaxy using standard `uses: squid-protocol/gitgalaxy@v2` syntax. + +### GitLab CI/CD Catalog (The Enterprise Gate) +* **`scan.yml`**: The native GitLab CI/CD Component definition. This file defines the `gitgalaxy_scan` job, pulling the `python:3.12-slim` image, installing the engine from PyPI, and executing the Zero-Trust Spectral Audit with enterprise failure ratchets (`--max-risk-exposure`, `--fail-on-secrets`). It automatically exposes the generated `gitgalaxy-results_sarif.json` to GitLab's security dashboards. + +### Project Build & Versioning +* **`pyproject.toml`**: The modern Python build configuration. It defines dependencies, CLI entry points (like `galaxyscope` and `supply-chain-firewall`), and uses `setuptools_scm` to dynamically generate the package version directly from Git tags (e.g., matching the `v2.4.1` regex). + +## 3. Recent Engine Hardening & Security Patches + +To support enterprise CI/CD environments, several critical stability and security patches were recently integrated: + +* **CLI Pipeline Gates (`galaxyscope.py`)**: Added native `argparse` flags (`--fail-on-secrets`, `--fail-on-malware`, `--max-risk-exposure`) to allow CI/CD runners to programmatically fail builds when strict security thresholds are breached. +* **Regex ReDoS Armor (`language_standards.py`)**: + * Mitigated Catastrophic Backtracking (ReDoS) vulnerabilities in the C/C++ parser when handling massive, malformed K&R payload blocks by enforcing strict lazy consumers (`[^;{]*?;`). + * Patched the `_dependency_capture` regex for Python and JavaScript to strip line anchors, allowing the Supply Chain Firewall to accurately detect inline, dynamic, and comma-separated dependency imports (e.g., `import os, requests`). +* **Dependency Auditing (`requirements.txt`)**: Bumped `mistune>=3.2.2` to resolve a high-severity CPU exhaustion vulnerability (CVE-2026-49851) flagged by the Muninn Security Scanner in our documentation build chain. diff --git a/templates/bitbucket/bitbucket-pipelines.yml b/templates/bitbucket/bitbucket-pipelines.yml index 81e4fd70..dbb5b776 100644 --- a/templates/bitbucket/bitbucket-pipelines.yml +++ b/templates/bitbucket/bitbucket-pipelines.yml @@ -11,13 +11,13 @@ pipelines: - pip script: # 1. Initialize Python Environment & Install GitGalaxy CLI Engine + # Added heavy physics engines for full precision (networkx, tiktoken, etc.) - pip install --upgrade pip - - pip install gitgalaxy>=2.4.0 + - pip install gitgalaxy>=2.4.0 networkx tiktoken xgboost pandas numpy # 2. Execute Zero-Trust Spectral Audit with Enterprise Gates - # Enforces strict quality gating via the CLI vault. - # Defaults to a Max Risk of 80 if the variable is not set in the UI. - - galaxyscope . --max-risk-exposure ${GITGALAXY_MAX_RISK:-80} --fail-on-secrets --fail-on-malware --sarif-only --output gitgalaxy-results_sarif.json + # Added --ignore tests/ to prevent mock data from tripping the secrets firewall + - galaxyscope . --ignore tests/ --max-risk-exposure ${GITGALAXY_MAX_RISK:-95} --fail-on-secrets --fail-on-malware --sarif-only --output gitgalaxy-results_sarif.json artifacts: # 3. Publish SARIF telemetry for Bitbucket Code Insights From dd12699fb304e37756fa1cdc8cc40e2b1da22538 Mon Sep 17 00:00:00 2001 From: squid-protocol Date: Sat, 11 Jul 2026 08:32:18 -0400 Subject: [PATCH 4/5] ci: fix pipeline target path to bypass mock test data --- bitbucket-pipelines.yml | 4 ++-- templates/bitbucket/bitbucket-pipelines.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/bitbucket-pipelines.yml b/bitbucket-pipelines.yml index dbb5b776..4fd99c21 100644 --- a/bitbucket-pipelines.yml +++ b/bitbucket-pipelines.yml @@ -17,8 +17,8 @@ pipelines: # 2. Execute Zero-Trust Spectral Audit with Enterprise Gates # Added --ignore tests/ to prevent mock data from tripping the secrets firewall - - galaxyscope . --ignore tests/ --max-risk-exposure ${GITGALAXY_MAX_RISK:-95} --fail-on-secrets --fail-on-malware --sarif-only --output gitgalaxy-results_sarif.json - + - galaxyscope gitgalaxy/ --max-risk-exposure ${GITGALAXY_MAX_RISK:-95} --fail-on-secrets --fail-on-malware --sarif-only --output gitgalaxy-results_sarif.json + artifacts: # 3. Publish SARIF telemetry for Bitbucket Code Insights - gitgalaxy-results_sarif.json diff --git a/templates/bitbucket/bitbucket-pipelines.yml b/templates/bitbucket/bitbucket-pipelines.yml index dbb5b776..4fd99c21 100644 --- a/templates/bitbucket/bitbucket-pipelines.yml +++ b/templates/bitbucket/bitbucket-pipelines.yml @@ -17,8 +17,8 @@ pipelines: # 2. Execute Zero-Trust Spectral Audit with Enterprise Gates # Added --ignore tests/ to prevent mock data from tripping the secrets firewall - - galaxyscope . --ignore tests/ --max-risk-exposure ${GITGALAXY_MAX_RISK:-95} --fail-on-secrets --fail-on-malware --sarif-only --output gitgalaxy-results_sarif.json - + - galaxyscope gitgalaxy/ --max-risk-exposure ${GITGALAXY_MAX_RISK:-95} --fail-on-secrets --fail-on-malware --sarif-only --output gitgalaxy-results_sarif.json + artifacts: # 3. Publish SARIF telemetry for Bitbucket Code Insights - gitgalaxy-results_sarif.json From cf46867399b4ea4f209c5c027d725e20fbc9cf3e Mon Sep 17 00:00:00 2001 From: squid-protocol Date: Sat, 11 Jul 2026 13:32:56 -0400 Subject: [PATCH 5/5] ci: split zero-trust pipeline into pre-gate and post-gate workflows --- .github/workflows/gitgalaxy-artifacts.yml | 53 ++++++++++++++++ .github/workflows/gitgalaxy-audit.yml | 5 ++ .github/workflows/gitgalaxy.yml | 73 +---------------------- 3 files changed, 60 insertions(+), 71 deletions(-) create mode 100644 .github/workflows/gitgalaxy-artifacts.yml create mode 100644 .github/workflows/gitgalaxy-audit.yml diff --git a/.github/workflows/gitgalaxy-artifacts.yml b/.github/workflows/gitgalaxy-artifacts.yml new file mode 100644 index 00000000..da134c2f --- /dev/null +++ b/.github/workflows/gitgalaxy-artifacts.yml @@ -0,0 +1,53 @@ +name: Generate GitGalaxy Artifacts (Post-Gate) + +on: + push: + branches: + - main + +permissions: + contents: write + security-events: write + +jobs: + generate-compliance-artifacts: + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Install GitGalaxy (Full Precision) + uses: squid-protocol/gitgalaxy@v2.4.0 # Or your composite action path + with: + tool: 'galaxyscope' + target: '.' + full_precision: 'true' + + - name: Generate SARIF, SBOM, and LLM Brief + run: | + # Execute galaxyscope to generate all required outputs + galaxyscope . --sarif-only --output gitgalaxy-results_sarif.json + galaxyscope . --sbom-only --output gitgalaxy-sbom.json + galaxyscope . --llm-only --output gitgalaxy_architecture_brief.md + + - name: Upload SARIF to GitHub Security Tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: gitgalaxy-results_sarif.json + + - name: Upload SBOM as Build Artifact + uses: actions/upload-artifact@v4 + with: + name: gitgalaxy-sbom + path: gitgalaxy-sbom.json + + - name: Commit LLM Brief to Docs + run: | + mkdir -p docs + mv gitgalaxy_architecture_brief.md docs/ || true + git config --global user.name "github-actions[bot]" + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git add docs/gitgalaxy_architecture_brief.md + git diff --quiet && git diff --staged --quiet || (git commit -m "docs: auto-update LLM architectural brief" && git push) \ No newline at end of file diff --git a/.github/workflows/gitgalaxy-audit.yml b/.github/workflows/gitgalaxy-audit.yml new file mode 100644 index 00000000..63bc9aa1 --- /dev/null +++ b/.github/workflows/gitgalaxy-audit.yml @@ -0,0 +1,5 @@ +on: + push: + branches: [ "feature/*" ] + pull_request: + branches: [ "main" ] \ No newline at end of file diff --git a/.github/workflows/gitgalaxy.yml b/.github/workflows/gitgalaxy.yml index ba981939..f43279b9 100644 --- a/.github/workflows/gitgalaxy.yml +++ b/.github/workflows/gitgalaxy.yml @@ -1,40 +1,4 @@ -name: GitGalaxy Zero-Trust Pipeline - -on: - pull_request: - branches: [main] - -permissions: - contents: read - -jobs: - vault-sentinel: - name: Vault Sentinel - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - with: - persist-credentials: false - - - uses: ./ - with: - tool: vault-sentinel - target: . - - xray-inspector: - name: X-Ray Inspector - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - with: - persist-credentials: false - - - uses: ./ - with: - tool: xray-inspector - target: . - - supply-chain-firewall: +supply-chain-firewall: name: Supply Chain Firewall runs-on: ubuntu-latest steps: @@ -46,37 +10,4 @@ jobs: with: tool: supply-chain-firewall target: . - version: local - - architectural-report: - name: LLM Structural Brief - needs: [vault-sentinel, xray-inspector, supply-chain-firewall] - runs-on: ubuntu-latest - if: github.event_name == 'push' - permissions: - contents: write - steps: - - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - with: - fetch-depth: 0 - # zizmor: ignore[artipacked] - - - name: Generate GalaxyScope LLM Brief - uses: ./ - with: - tool: galaxyscope - target: . - args: --llm-only - full_precision: 'true' - - - name: Commit and Push LLM Brief to Main - run: | - mkdir -p docs - mv *_galaxy_llm.md docs/gitgalaxy_architecture_brief.md || true - - git config --global user.name "github-actions[bot]" - git config --global user.email "github-actions[bot]@users.noreply.github.com" - - git add docs/gitgalaxy_architecture_brief.md - - git diff --quiet && git diff --staged --quiet || (git commit -m "docs: auto-update LLM architectural brief" && git push) \ No newline at end of file + version: local \ No newline at end of file