api / SECURITY.md
gary-boon
Add GitHub Actions workflow for security scanning and automated deployment
0e48dc7

Security Configuration for Visualisable AI Backend

This document explains the security scanning setup for the Python backend that powers the HuggingFace Spaces API.

Overview

The backend repository now includes automated security scanning via GitHub Actions that runs before deployment to HuggingFace Spaces. This ensures that security vulnerabilities are identified and can be addressed before code reaches production.

Security Tools Used

  1. Snyk - Comprehensive vulnerability scanning for Python dependencies
  2. Bandit - Python-specific security linter for common security issues
  3. Safety - Checks Python dependencies against known security vulnerabilities database

Setup Instructions

1. GitHub Repository Setup

Since this repository currently only has HuggingFace as a remote, you'll need to:

  1. Create a GitHub repository for the backend:

    # Add GitHub as a remote
    git remote add github https://github.com/YOUR_USERNAME/visualisable-ai-backend.git
    
    # Push to GitHub
    git push github main
    
  2. Enable GitHub Actions in the repository settings

2. Required Secrets

Add the following secrets to your GitHub repository (Settings → Secrets and variables → Actions):

SNYK_TOKEN

  1. Sign up for free at https://snyk.io
  2. Go to Account Settings → Auth Token
  3. Copy your personal auth token
  4. Add as SNYK_TOKEN in GitHub secrets

HF_TOKEN (for automated deployment)

  1. Go to https://huggingface.co/settings/tokens
  2. Create a new token with write access
  3. Add as HF_TOKEN in GitHub secrets

Workflow Features

The security-and-deploy.yml workflow:

  1. Runs on every push and PR to the main branch

  2. Security scanning includes:

    • Dependency vulnerability scanning with Snyk
    • Code security analysis with Bandit
    • Known vulnerability checking with Safety
    • Results uploaded to GitHub Security tab
    • Project monitoring in Snyk dashboard
  3. Automated deployment (only on main branch):

    • After the security job completes (note that the scan steps are non-blocking by default, so a reported vulnerability does not by itself stop deployment; see Troubleshooting)
    • Pushes directly to HuggingFace Spaces
    • Maintains deployment history in GitHub
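A workflow with this shape, written here as an added example rather than a copy of the repository's own security-and-deploy.yml; HF_USER, SPACE_NAME, the Python version and the exact Snyk, Bandit and Safety invocations are assumptions:

```yaml
name: security-and-deploy
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
permissions:
  contents: read
  security-events: write   # required to upload SARIF to the Security tab
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"   # assumption; match the Space's runtime
      - run: pip install -r requirements.txt bandit safety
      - uses: snyk/actions/setup@master   # installs the Snyk CLI on the runner
      - name: Snyk test
        continue-on-error: true   # delete this line to make the scan blocking
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: snyk test --file=requirements.txt --sarif-file-output=snyk.sarif
      - name: Upload Snyk SARIF to the GitHub Security tab
        if: always()   # upload findings even when the scan step failed
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif
      - name: Snyk monitor (project shows up in the Snyk dashboard)
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: snyk monitor --file=requirements.txt
      - name: Bandit
        continue-on-error: true
        run: bandit -r . -ll   # medium severity and above
      - name: Safety
        continue-on-error: true
        run: safety check -r requirements.txt
  deploy:
    needs: security   # runs only if the security job succeeded
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so the Space receives a non-shallow push
      - env:
          HF_TOKEN: ${{ secrets.HF_TOKEN }}
        run: git push https://HF_USER:$HF_TOKEN@huggingface.co/spaces/HF_USER/SPACE_NAME HEAD:main
```

With continue-on-error on every scan step the security job always succeeds, so the deploy job runs regardless of findings; removing those lines is what turns the scans into a gate.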

Current Security Status

Known Issues

transformers==4.35.0 has known vulnerabilities:

  • Multiple security issues have been fixed in newer versions
  • Recommended upgrade: transformers>=4.36.0

To Fix Vulnerabilities

  1. Update requirements.txt:

    transformers==4.36.2  # or latest stable version
    
  2. Test locally:

    pip install -r requirements.txt
    python -m pytest  # if you have tests
    python app.py  # test the application
    
  3. Commit and push:

    git add requirements.txt
    git commit -m "Security: Update transformers to fix vulnerabilities"
    git push github main  # triggers security scan and deployment
    

Local Security Testing

Run security checks locally before pushing:

    # Install tools (the Snyk CLI is distributed via npm, not PyPI)
    npm install -g snyk
    pip install bandit safety
    
    # Run Snyk (requires authentication)
    snyk auth
    snyk test
    
    # Run Bandit
    bandit -r backend/
    
    # Run Safety
    safety check

Monitoring

  • GitHub Security Tab: View SARIF reports and security alerts
  • Snyk Dashboard: https://app.snyk.io - Monitor all vulnerabilities
  • GitHub Actions: Check workflow runs for security scan results

Security Best Practices

  1. Regular Updates: Keep dependencies updated to latest secure versions
  2. Monitor Alerts: Check Snyk dashboard weekly for new vulnerabilities
  3. Test Before Deploy: Always test locally after updating dependencies
  4. Review PR Scans: Security scans run on PRs - review before merging

Troubleshooting

Workflow not running

  • Ensure GitHub Actions is enabled in repository settings
  • Check that secrets are properly configured
  • Verify the workflow file is in .github/workflows/

Deployment failing

  • Check HF_TOKEN has write permissions
  • Ensure HuggingFace Space name matches in workflow
  • Manual deployment fallback: git push origin main (origin is the HuggingFace remote)

Security scan failures

  • Non-blocking by default: the scan steps set continue-on-error: true, so a failed scan still lets the deploy job run
  • Review the workflow logs for the specific vulnerabilities reported
  • Update dependencies to fix the reported issues
  • Can be made blocking by removing continue-on-error from the scan steps, after which a failed scan stops deployment

Next Steps

  1. Push this repository to GitHub
  2. Configure the required secrets
  3. Run the workflow to establish baseline security status
  4. Address the transformers vulnerability
  5. Consider making security checks blocking after initial setup