
Conversation

@jychp
Collaborator

@jychp jychp commented Feb 6, 2026

Type of change

  • Other (please describe): Cleanup & security hardening

Summary

Collection of small maintenance tasks:

  • cubic.yaml: Remove 6th custom rule ("CIS rule IDs include provider prefix") to stay within the 5-rule limit.
  • GCP TODO removal: Remove stale "# TODO scope the cleanup to the current project" comment in sync_gcp_subnets — already tracked by "GCP cleanup jobs should be scoped to the current project" (#381).
  • GCP test rename: Rename test_cleanup_not_scoped_to_project → test_vpc_cleanup_scoped_to_project to match actual test behavior (cleanup IS scoped, test verifies other projects' VPCs are preserved).
  • CIS 5.1/5.2 attack path: Add EC2Instance to the MATCH path in cis_aws_5_1_unrestricted_ssh and cis_aws_5_2_unrestricted_rdp so findings traverse EC2Instance→EC2SecurityGroup→IpPermissionInbound→IpRange.
  • GitHub Actions hardening (zizmor): Fix 3 high-severity template-injection findings and 7 medium artipacked findings across publish, sphinx, and test_suite workflows.

Related issues or links

Breaking changes

None.

How was this tested?

No functional changes

Checklist

General

  • I have read the contributing guidelines.
  • The linter passes locally (make lint).
  • I have added/updated tests that prove my fix is effective or my feature works.

Proof of functionality

  • New or updated unit/integration tests.

Notes for reviewers

  • The only remaining zizmor finding is an informational use-trusted-publishing suggestion for PyPI — switching to trusted publishing requires PyPI project configuration and is out of scope for this PR.
  • The CIS rule changes only add EC2Instance to the MATCH path; output models, field names, and asset_id_field are unchanged.

- Remove 6th cubic.yaml custom rule to stay within 5-rule limit
- Remove stale TODO comment for GCP subnet cleanup (tracked in #381)
- Rename misleading test_cleanup_not_scoped_to_project to
  test_vpc_cleanup_scoped_to_project
- Add EC2Instance to CIS 5.1/5.2 SSH/RDP rule attack paths so
  findings traverse the instance→security-group→rule chain
- Harden GitHub Actions workflows (zizmor): fix template injection
  in publish and sphinx workflows, add persist-credentials: false
  to all checkout steps

Signed-off-by: jchapeau
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Jeremy Chapeau <jeremy@subimage.io>
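The two zizmor finding classes named in the PR (template-injection and artipacked), shown as an added, constructed workflow that is not the project's own: a step that interpolates an event field straight into a shell script, and a checkout that leaves the token in the workspace, each beside the hardened form the description refers to. Job and step names are hypothetical.

```yaml
# Constructed example (not the cartography workflows). Each job holds one
# vulnerable step and its fix, so the two zizmor findings can be compared side by side.
name: example-hardening
on:
  pull_request:

jobs:
  before:
    runs-on: ubuntu-latest
    steps:
      # artipacked: by default actions/checkout stores GITHUB_TOKEN in .git/config,
      # so any later step that packages the workspace (artifact, docs build) may leak it.
      - uses: actions/checkout@v4

      # template-injection: the ${{ }} expression is expanded into the script text
      # before the shell runs, so a PR title is treated as code, not as data.
      - name: Announce (vulnerable)
        run: echo "Building ${{ github.event.pull_request.title }}"

  after:
    runs-on: ubuntu-latest
    steps:
      # Fix for artipacked: do not persist the token into the checked-out repo.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      # Fix for template-injection: bind the untrusted value to an environment
      # variable; the shell then expands it as a plain string at run time.
      - name: Announce (hardened)
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Building $PR_TITLE"
```

Running zizmor against the file reports findings only on the `before` job; the `after` job is the shape the PR applies to the publish, sphinx, and test_suite workflows.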
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment


No issues found across 7 files

@jychp jychp merged commit d8fad9e into master Feb 6, 2026
9 checks passed
@jychp jychp deleted the jeremy/cartography-chores branch February 6, 2026 23:44

Development

Successfully merging this pull request may close these issues.

chore: improve build configuration and package isolation