Security new standarization#18
Conversation
… security code scanner
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
There was a problem hiding this comment.
Pull request overview
This PR introduces repo-level security automation by adding Dependabot version updates for GitHub Actions and a reusable security code scanning workflow, and updates the existing CI workflow to newer action versions.
Changes:
- Add a GitHub Actions security code scanning workflow (reusable via
workflow_call). - Add a
dependabot.ymlconfiguration to keep GitHub Actions dependencies updated on a weekly cadence. - Update the
nft-resolver-testsworkflow to use neweractions/checkout/actions/cacheversions.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
.github/workflows/security-code-scanner.yml |
Adds a reusable “Security Code Scanner” workflow based on MetaMask’s security scanning workflow. |
.github/workflows/nft-resolver-tests.yml |
Updates action dependencies used by the test workflow (but currently references non-existent major versions). |
.github/dependabot.yml |
Adds Dependabot configuration to automate GitHub Actions dependency updates and grouping. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Adding Dependabot Version Updates and Security Code Scanner.
Note
Medium Risk
Introduces new CI automation (Dependabot + security scanning) that can create PR noise and fail builds/workflows if misconfigured, but it does not change application runtime behavior.
Overview
Adds
dependabot.ymlto enable weekly GitHub Actions dependency update PRs with grouping, labeling, assignee, and a 7-day cooldown.Updates the
nft-resolver-testsworkflow to use neweractions/checkout@v6andactions/cache@v5, and adds a newSecurity Code Scannerworkflow that runs the sharedMetaMask/action-security-code-scannerworkflow onpush/pull_request(and viaworkflow_call/manual dispatch) with SARIF write permissions and optional metrics/Slack secrets.Written by Cursor Bugbot for commit ac2f77c. This will update automatically on new commits. Configure here.