nanlabs
diff --git a/‎examples/green-house-migration/.bandit‎
Lines changed: 34 additions & 0 deletions b/‎examples/green-house-migration/.bandit‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎examples/green-house-migration/.editorconfig‎
Lines changed: 41 additions & 0 deletions b/‎examples/green-house-migration/.editorconfig‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎examples/green-house-migration/.gitignore‎
Lines changed: 206 additions & 0 deletions b/‎examples/green-house-migration/.gitignore‎
Lines changed: 206 additions & 0 deletions
diff --git a/‎examples/green-house-migration/.snyk‎
Lines changed: 84 additions & 0 deletions b/‎examples/green-house-migration/.snyk‎
Lines changed: 84 additions & 0 deletions
@@ -0,0 +1,34 @@
+# Bandit configuration file
+# See: https://bandit.readthedocs.io/en/latest/config.html
+
+exclude_dirs: ["tests", "legacy", "scripts/development"]
+
+skips: ["B101", "B601", "B102", "B103"]
+
+# Test files and directories
+tests: ["test_*.py", "*_test.py"]
+
+# Target Python versions
+target_version: ["py38", "py39", "py310", "py311", "py312"]
+
+# Output format
+output_format: json
+output_file: bandit-report.json
+
+# Verbose output
+verbose: true
+
+# Debug mode
+debug: false
+
+# Profile to use
+profile: default
+
+# Aggressive mode
+aggressive: false
+
+# Recursive directory scanning
+recursive: true
+
+# Number of processes to use
+jobs: 1
@@ -0,0 +1,41 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file*]
+end_of_line = lf
+insert_final_newline = true
+charset = utf-8im_trailing_whitespace = true
+
+# Python files
+[*.py]
+indent_style = space
+indent_size =4
+
+# YAML files
+[*.[object Object]yml,yaml}]
+indent_style = space
+indent_size =2
+
+# JSON files
+[*.json]
+indent_style = space
+indent_size = 2
+
+# Markdown files
+[*.md]
+trim_trailing_whitespace = false
+
+# JavaScript files
+[*.{js,jsx,ts,tsx}]
+indent_style = space
+indent_size =2
+
+# HTML files
+[*.html]
+indent_style = space
+indent_size = 2# CSS files
+[*.css]
+indent_style = space
+indent_size = 2
@@ -0,0 +1,206 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# Project specific
+data/
+exports/
+imports/
+backups/
+logs/
+*.log
+*.sqlite
+*.db
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Security
+*.key
+*.pem
+*.p12
+*.pfx
+
+# Temporary files
+tmp/
+temp/
+*.tmp
+*.temp
+
+# Test files
+test_*.py
+*_test.py
+
+# Documentation builds
+docs/build/
+docs/_build/
+
+# Coverage reports
+.coverage
+coverage.xml
+htmlcov/
+
+# Linting
+.flake8
+.pylintrc
+
+# Pre-commit
+.pre-commit-config.yaml
+
+# Security reports
+bandit*.json
+security-reports/
+*.security.json
+
+# Docker
+.dockerignore
+docker-compose.override.yml
+
+# Kubernetes
+*.yaml
+*.yml
+!docker-compose.yml
+!docker-compose.yaml
+
+# Terraform
+*.tfstate
+*.tfstate.*
+.terraform/
+
+# Local development
+.local/
+local/
@@ -0,0 +1,84 @@
+# Snyk configuration file
+# This file configures Snyk security scanning for the Greenhouse to TeamTailor migration project
+
+version: v1.25.0
+ignore:
+  # Ignore specific vulnerabilities that are false positives or acceptable risks
+  # Format: <vulnerability_id>:
+  #   - <path_to_vulnerable_file>:
+  #       reason: <reason_for_ignoring>
+  #       expires: <expiration_date>
+
+  # Example: Ignore a specific vulnerability in test files
+  # 'SNYK-PYTHON-REQUESTS-1061915':
+  #   - 'tests/fixtures/*':
+  #       reason: 'Test data only, not used in production'
+  #       expires: 2024-12-31T00:00:00.000Z
+
+# Policy for different severity levels
+policy:
+  # High severity vulnerabilities should be fixed immediately
+  high:
+    action: fail
+    message: "High severity vulnerabilities found. Please fix before deployment."
+
+  # Medium severity vulnerabilities should be reviewed
+  medium:
+    action: warn
+    message: "Medium severity vulnerabilities found. Review and fix when possible."
+
+  # Low severity vulnerabilities are informational
+  low:
+    action: info
+    message: "Low severity vulnerabilities found. Consider fixing in future updates."
+
+# Custom rules for the project
+rules:
+  # Allow specific patterns in test files
+  - name: "Allow test data patterns"
+    pattern: "tests/**/*"
+    severity: low
+    message: "Test files may contain intentionally vulnerable patterns for testing purposes"
+
+  # Allow specific patterns in mock data
+  - name: "Allow mock data patterns"
+    pattern: "scripts/development/generate_mock_data.py"
+    severity: low
+    message: "Mock data generation may contain test patterns"
+
+# Exclude specific directories from scanning
+exclude:
+  - "data/" # Exclude data directory as it contains exported data
+  - "logs/" # Exclude logs directory
+  - "node_modules/" # Exclude node_modules if any
+  - ".venv/" # Exclude virtual environment
+  - "__pycache__/" # Exclude Python cache
+  - "*.pyc" # Exclude compiled Python files
+
+# Custom security policies for TeamTailor integration
+teamtailor:
+  # Ensure API tokens are not hardcoded
+  - rule: "no-hardcoded-tokens"
+    pattern: '.*token.*=.*[''"][^''"]*[''"]'
+    severity: high
+    message: "API tokens should not be hardcoded in source code"
+
+  # Ensure proper rate limiting
+  - rule: "rate-limiting-check"
+    pattern: "time.sleep\\([0-9]*\\.?[0-9]*\\)"
+    severity: medium
+    message: "Ensure proper rate limiting is implemented for API calls"
+
+# Docker security policies
+docker:
+  # Ensure base images are from trusted sources
+  - rule: "trusted-base-image"
+    pattern: "FROM (alpine|python|node):[0-9]+\\.[0-9]+"
+    severity: medium
+    message: "Use specific version tags for base images"
+
+  # Ensure no secrets in Dockerfile
+  - rule: "no-secrets-in-dockerfile"
+    pattern: '(ENV|ARG).*TOKEN.*=.*[''"][^''"]*[''"]'
+    severity: high
+    message: "Do not hardcode secrets in Dockerfile"