
Sanitize API error details and add bandit CI #18

Open

vdavez wants to merge 3 commits into main from security/sanitize-errors-and-bandit-ci

Conversation

@vdavez (Contributor) commented Apr 10, 2026

Summary

  • Redact sensitive values in error messages (client.py): API error responses can echo back credentials (e.g. api_key=..., token=...). Exception messages now redact patterns matching API keys, tokens, secrets, passwords, bearer tokens, and credentials via regex. Long messages are also truncated to 200 chars. Raw response_data remains available for programmatic access. Also applies to httpx.HTTPError messages which can contain URLs with sensitive query params.
  • Add bandit security linter to CI: New security.yml workflow runs bandit on every push/PR to main/develop.
  • Restrict GITHUB_TOKEN permissions: All workflows (test.yml, lint.yml, security.yml, publish.yml) now have explicit permissions: contents: read blocks. publish.yml also gets id-token: write for PyPI trusted publishing.
  • Add justfile with 1Password CLI integration: Task runner wrapping common commands, with op run injecting secrets for integration tests. No more API keys on disk.
  • Update README: Development docs rewritten around just-based workflow and op-managed secrets.

Test plan

  • All 82 tests pass (4 new tests for redaction behavior)
  • Bandit runs clean on tango/ (0 issues)
  • just --list and just test work locally
  • Verify CI checks pass with new permissions blocks

🤖 Generated with Claude Code
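The redaction scheme the description outlines (regex redaction of credential patterns, truncation to 200 chars, raw `response_data` kept for programmatic access, and sanitizing wrapped transport errors whose text carries a URL with key query params), as an added example. This is not the project's `client.py`: the class names (`SanitizedError`, `APIError`, `TransportError`), the `sanitize_message`/`redact`/`redact_url` helpers, the `[REDACTED]` marker and `...` suffix, and the sample messages are all assumptions or constructed inputs. No httpx import is needed; the transport-error message is a constructed stand-in for what an httpx exception string looks like.

```python
"""Added example: sanitized exception messages for an API client.
Not the project's client.py; class and function names are assumptions."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MAX_MESSAGE_LEN = 200      # the 200-char limit from the PR description
REDACTED = "[REDACTED]"    # marker text is an assumption

# key=value, key: value and "key": "value" forms.  The lazy [\w-]*? prefix also
# catches compound names (access_token, client_secret, x-api-key).  A plain word
# such as "token:" in prose is redacted too; over-redaction is the safe failure.
_KV_PATTERN = re.compile(
    r"(?i)([\w-]*?(?:api[_-]?key|token|secret|password|credentials?|authorization))"
    r"(\s*[\"']?\s*[=:]\s*)"
    r"(?:bearer\s+)?(\"[^\"]*\"|'[^']*'|[^\s&,;\"']+)"
)
# A bare "Bearer <token>" with no Authorization: label in front of it.
_BEARER_PATTERN = re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]+=*")
# URLs are parsed structurally so userinfo and every sensitive query key are
# caught, not only the ones that happen to look like key=value in flat text.
_URL_PATTERN = re.compile(r"https?://[^\s'\"<>]+")
_SENSITIVE_QUERY_KEY = re.compile(
    r"(?i)api[_-]?key|token|secret|password|credential|auth|signature")


def redact_url(url: str) -> str:
    """Blank userinfo (user:pass@host) and sensitive query values in a URL."""
    parts = urlsplit(url)
    netloc = parts.netloc
    if "@" in netloc:
        netloc = f"{REDACTED}@{netloc.rsplit('@', 1)[-1]}"
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, REDACTED if _SENSITIVE_QUERY_KEY.search(k) else v) for k, v in pairs]
    query = urlencode(cleaned, safe="[]") if pairs else parts.query
    return urlunsplit(parts._replace(netloc=netloc, query=query))


def redact(text: str) -> str:
    """Apply URL, key/value and bearer redaction, in that order."""
    text = _URL_PATTERN.sub(lambda m: redact_url(m.group(0)), text)
    text = _KV_PATTERN.sub(lambda m: f"{m.group(1)}{m.group(2)}{REDACTED}", text)
    return _BEARER_PATTERN.sub(f"Bearer {REDACTED}", text)


def sanitize_message(message: str, limit: int = MAX_MESSAGE_LEN) -> str:
    """Redact *before* truncating, so a cut never leaves a secret's prefix behind."""
    cleaned = redact(message)
    if len(cleaned) > limit:
        cleaned = cleaned[:limit] + "..."   # suffix is an assumption
    return cleaned


class SanitizedError(Exception):
    """Base: str(), repr() and log formatting see only the sanitized text;
    the raw payload stays reachable as .response_data for programmatic use."""

    def __init__(self, message: str, response_data=None):
        self.response_data = response_data
        super().__init__(sanitize_message(message))


class APIError(SanitizedError):
    """Non-2xx response whose body may echo the credential that was sent."""

    def __init__(self, status_code: int, message: str, response_data=None):
        self.status_code = status_code
        super().__init__(f"HTTP {status_code}: {message}", response_data)


class TransportError(SanitizedError):
    """Wraps a lower-level error (e.g. httpx.HTTPError) whose str() includes the URL."""


if __name__ == "__main__":
    # Constructed sample response body, not captured from a real API.
    body = {"error": "Invalid api_key: sk_live_1234567890"}
    err = APIError(401, str(body), response_data=body)
    print(err)                          # sanitized: the key value is gone
    print(err.response_data["error"])   # raw value still there for code that needs it
    # Constructed httpx-style message; a real httpx.HTTPError is not required here.
    low = ("Client error '401 Unauthorized' for url "
           "'https://api.example.com/v1/items?api_key=sk_live_1234567890&page=2'")
    print(TransportError(low))
```

Two design points worth keeping in mind when reviewing the real implementation: redaction must run before truncation, otherwise a 200-char cut can still leave the first part of a key in the message; and because `response_data` is deliberately raw, any caller that logs it or attaches it to a bug report re-exposes exactly what the sanitized message hides, so the docstring should say it is for programmatic access only.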

Prevents information disclosure by truncating long API error messages
in exception strings. Raw response data remains available via
response_data for programmatic access. Adds bandit security linter
as a dev dependency with a new CI workflow.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The initial sanitization only truncated long messages. This adds regex-based
redaction of credential patterns (api_key=, token=, secret=, password=,
authorization:, bearer, credential) so they never appear in exception
messages or logs. Also sanitizes httpx.HTTPError messages which can
contain URLs with key query params. Raw response_data is preserved
for programmatic access. Adds 4 tests covering redaction behavior.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@vdavez vdavez force-pushed the security/sanitize-errors-and-bandit-ci branch from 007adfd to 4741c2f on April 10, 2026 15:15

Adds a justfile wrapping common tasks, with 1Password CLI injecting
secrets for integration tests. Adds explicit permissions blocks to all
GitHub Actions workflows to restrict GITHUB_TOKEN scope. Updates README
development docs to reflect just-based workflow.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>