deps: bump actions/setup-python from 5 to 6 (#3)
Open
dependabot[bot] wants to merge 23 commits into
Conversation
Ten cross-cutting topics plus per-language sub-handbooks for Java (JDK 17+), Python (3.11+), Go (1.21+), and JavaScript/TypeScript (Node 20+). Same shape per file: threat, insecure example, why it fails, secure example, notes, references.
Methodology comparison (STRIDE / PASTA / attack trees / LINDDUN), when-to-use-what matrix, four templates (STRIDE-per-element, PASTA seven-stage prompts, attack-tree notation, DFD conventions), and four sanitized worked examples: REST API with OAuth2, mobile E2E messaging client, SSO/OIDC broker, CI/CD pipeline.
Security requirements template with ~20 example SR-* entries across authn / authz / session / crypto / input / output / logging / secrets / deps / tls / errors; code review checklist by category; stage-by-stage Definition of Done; gate matrix mapping each pipeline stage to mandatory checks and blocking severity; a CERT/CC- and ISO 29147-aligned VDP template; security champions program; third-party software intake tiered by data sensitivity.
Eight GitHub Actions workflows (Semgrep SAST, Trivy SCA, Gitleaks, Checkov IaC, Trivy image, Syft SBOM, cosign sign + attest, ZAP baseline) and three GitLab CI fragments. Each starts with a comment header documenting purpose, required permissions, and required secrets. Action versions pinned against the marketplace.
hardcoded-jwt-secret (multilang), python-unsafe-yaml-load, python-eval-exec, go-sql-string-concat, js-disabled-tls-verification. Each rule declares CWE / OWASP mapping in metadata; matching .test.yaml documents positive and negative cases.
Pod Security Admission profiles and rollout, default-deny NetworkPolicy with a DNS-egress allow companion, three OPA Gatekeeper ConstraintTemplate / Constraint pairs, and five Falco starter rules tied to MITRE ATT&CK techniques.
SBOM generation (CycloneDX / SPDX via Syft and language-native generators; storage and continuous CVE matching; VEX). Dependency pinning per ecosystem with Renovate config example. SLSA v1.0 Build track levels 1-3 with concrete GitHub Actions / Sigstore / SLSA generator examples and a Kyverno admission policy.
ASVS 5.0 verification checklist, SAMM v2 self-assessment grid, OWASP Top 10 (2025), API Top 10 (2023), LLM Top 10 (2025), CI/CD Top 10, NIST SSDF v1.1 task-by-task mapping, CWE Top 25 (2025) with primary + secondary defence, and a cross-framework mapping matrix.
Zero trust (NIST SP 800-207), API gateway responsibilities, OAuth2 / OIDC flows with sequence diagrams (Authorization Code + PKCE, Client Credentials, Device Code), SAML SP-init and IdP-init with signature-wrapping defences, mTLS + SPIFFE/SPIRE, crypto cheatsheet with recommended parameters per scenario, secrets management tiered by blast radius, multi-tenancy isolation spectrum. Deprecated implicit and ROPC flows mentioned only as warnings.
Per-category evaluation criteria for SAST / SCA / DAST / MAST / ASPM, a catalogue of public deliberately-vulnerable benchmark projects, and a proof-of-concept report template.
Shared template plus four sanitized class-of-bug writeups: JWT key confusion (RS256 -> HS256) with CVE-2015-9235 and CVE-2016-10555; SSRF against cloud metadata (IMDSv1) with AWS / GCP / Azure mitigations; prototype pollution via merge with CVE-2018-3721 / CVE-2019-10744 / CVE-2020-8203; polymorphic deserialization in Jackson with CVE-2017-7525. CVSS scores and vectors verified against NVD at write time.
Markdownlint on all .md via the cli2 action. Yamllint on devsecops/ and .github/ with a relaxed config for educational snippets. Actionlint checks both the handbook's own workflows and the templates under devsecops/ci-templates/ (advisory). Semgrep validates and tests the custom rules. Dependabot tracks github-actions and pip. Lychee link checker runs offline on PRs (blocking) and weekly with network access (files an issue on rot).
mkdocs.yml configured for docs_dir = repo root via the same-dir plugin, plus awesome-pages for nav and section-index so README.md files act as section indexes. Theme: material, slate+default with amber accent. Standard pymdownx extensions for admonitions, tabbed blocks, and mermaid fences. Pages workflow builds with mkdocs and deploys via deploy-pages. Strict mode is off until the existing [secure-coding/](secure-coding/) style links resolve cleanly under section-index. Pages source must be switched to "GitHub Actions" in repository settings for the first deploy to take effect.
SECURITY.md states scope (the materials themselves -- docs, Semgrep rules, CI templates, K8s policies -- not a runtime), disclosure email, and a 7/30-day ack/triage SLA. CODEOWNERS routes review to @maverick-hackz, with explicit entries for security-sensitive paths. PR template asks the four CONTRIBUTING.md questions. Issue templates: defect, content request, and link-rot (auto-filed by the weekly link checker).
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5 to 6.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@v5...v6)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps actions/setup-python from 5 to 6.
Release notes
Sourced from actions/setup-python's releases.
... (truncated)
Commits
- a309ff8 Bump urllib3 from 2.6.0 to 2.6.3 in /tests/data (#1264)
- bfe8cc5 Upgrade @actions dependencies to Node 24 compatible versions (#1259)
- 4f41a90 Bump urllib3 from 2.5.0 to 2.6.0 in /tests/data (#1253)
- 83679a8 Bump @types/node from 24.1.0 to 24.9.1 and update macos-13 to macos-15-intel ...
- bfc4944 Bump prettier from 3.5.3 to 3.6.2 (#1234)
- 97aeb3e Bump requests from 2.32.2 to 2.32.4 in /tests/data (#1130)
- 443da59 Bump actions/publish-action from 0.3.0 to 0.4.0 & Documentation update for pi...
- cfd55ca graalpy: add graalpy early-access and windows builds (#880)
- bba65e5 Bump typescript from 5.4.2 to 5.9.3 and update docs/advanced-usage.md (#1094)
- 18566f8 Improve wording and "fix example" (remove 3.13) on testing against pre-releas...