Security Related update

.github/workflows/cd.yaml

@@ -2,9 +2,15 @@ name: CD Pipeline
 run-name: CD 📦🚀
 
 on:
-  workflow_dispatch:
+  workflow_run:
+    workflows: ["CI Pipeline"]
+    types: [completed]
     branches:
       - "main"
+    paths:
+      - "src/**"
+      - "requirements.txt"
+      - "LICENSE"
 
 jobs:
   CD:
@@ -21,10 +27,6 @@ jobs:
         uses: jetpack-io/[email protected]
       - name: Install all dependencies 📦
         run: devbox run install
-      - name: 🧹 Linting & Formatting
-        run: devbox run lint && devbox run format
-      - name: 🧪 Running Tests
-        run: devbox run test
       - name: 📦 Package
         run: devbox run build
       - name: 🚀 Publish to PyPI

.github/workflows/ci.yaml

@@ -19,5 +19,10 @@ jobs:
       - name: 🧹 Linting & Formatting
         run: devbox run lint && devbox run format
       - name: 🧪 Running Tests
-        run: devbox run test
+        run: devbox run test-cov
+      - name: SonarCloud Scan
+        uses: SonarSource/sonarcloud-github-action@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
       - run: echo "🍏 This job's status is ${{ job.status }}."

SECURITY.md

@@ -0,0 +1,36 @@
+# Security Policy
+
+We take the security of our software seriously. If you believe you've found a security issue in this package, we
+encourage you to notify us. We welcome working with you to resolve the issue promptly.
+
+## Supported Versions
+
+We recommend you to use the latest version of the package. We release patches for security vulnerabilities for the
+following versions:
+
+| Version | Supported          |
+|---------|--------------------|
+| 0.1.x   | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability within this package, please contact us by sending an email
+to [[email protected]](mailto:[email protected]). All security vulnerabilities will be promptly addressed.
+
+When reporting a security issue, please provide the following information:
+
+- Your name and affiliation (if any).
+- An e-mail address for further discussion.
+- Whether you would like to be credited for your discovery.
+- If you are not the original discoverer of the vulnerability, please provide contact details of the original
+  discoverer.
+- A description of the technical details of the vulnerabilities. It is very important to let us know how we can
+  reproduce the vulnerability.
+- The versions affected.
+- If possible, please provide a proof-of-concept.
+- Any configuration information that is important in reproducing the issue.
+- The CVSS score for the vulnerability.
+- Please do not disclose the vulnerability to the public until we have addressed it.
+
+**Please do not report specifics of security vulnerabilities through public GitHub issues, discussions, or pull
+requests.**

devbox.json

@@ -16,6 +16,9 @@
       "test": [
         "pytest src/"
       ],
+      "test-cov": [
+        "pytest src/ --cov=src/ --cov-report=xml"
+      ],
       "lint": [
         "flake8 src/"
       ],

docs/DEVELOPER.md

@@ -70,6 +70,10 @@ From outside devbox shell
 ```bash
 devbox run test
 ```
+With Coverage, the coverage report will be generated in the `coverage.xml` file.
+```bash
+devbox run test-cov
+```
 
 ## Linting & Formatting
 

setup.py

@@ -12,7 +12,7 @@
 
 long_description = long_description.replace(
     "](", "](https://anevis.github.io/yaml-to-markdown/"
-)
+).replace(".md)", ".html)")
 
 with open("requirements.txt", "r") as req_file:
     raw_requirements = req_file.readlines()

sonar-project.properties

@@ -0,0 +1,10 @@
+sonar.projectKey=anevis_yaml-to-markdown
+sonar.organization=anevis
+
+# This is the name and version displayed in the SonarCloud UI.
+sonar.projectName=yaml-to-markdown
+#sonar.projectVersion=1.0
+
+sonar.sources=src/
+sonar.coverage.exclusions=./.pytest_cache/**,**_test.py,**.xml,**.yaml,**.yml
+sonar.python.coverage.reportPaths=coverage.xml

src/yaml_to_markdown/convert_test.py

@@ -6,6 +6,7 @@
 from yaml_to_markdown.convert import convert
 
 _JSON_DATA = '{"key": "value"}'
+_OUTPUT_FILE_NAME = "output.md"
 
 
 def test_convert_with_no_file() -> None:
@@ -22,11 +23,11 @@ def test_convert_with_json_data(mock_open_file: Mock) -> None:
     mock_open_file.return_value.__enter__.return_value = StringIO(_JSON_DATA)
 
     # Execute
-    convert(output_file="output.md", json_file="test.json")
+    convert(output_file=_OUTPUT_FILE_NAME, json_file="test.json")
 
     # Assert
     mock_open_file.assert_any_call("test.json", "r", encoding="utf-8")
-    mock_open_file.assert_any_call("output.md", "w", encoding="utf-8")
+    mock_open_file.assert_any_call(_OUTPUT_FILE_NAME, "w", encoding="utf-8")
 
 
 @patch("io.open", new_callable=mock_open())
@@ -36,8 +37,8 @@ def test_convert_with_yaml_data(mock_open_file: Mock) -> None:
     mock_open_file.return_value.__enter__.return_value = StringIO(data)
 
     # Execute
-    convert(output_file="output.md", yaml_file="test.yaml")
+    convert(output_file=_OUTPUT_FILE_NAME, yaml_file="test.yaml")
 
     # Assert
     mock_open_file.assert_any_call("test.yaml", "r", encoding="utf-8")
-    mock_open_file.assert_any_call("output.md", "w", encoding="utf-8")
+    mock_open_file.assert_any_call(_OUTPUT_FILE_NAME, "w", encoding="utf-8")