Add n8n CVE-2026-21858 vulnerable examples for SCA and container scan…#5
Open
levine-cycode wants to merge 20 commits into
…ning
- Add vulnerable_packages/ directory for SCA testing
- Add n8n-workflow example with vulnerable n8n v1.100.0
- Add Dockerfile.n8n-vulnerable with CVE-2026-21858
- Update README with new vulnerable_packages section

- gha-excessive-permissions: detects permissions: write-all and broad write scope grants at workflow and job level
- gha-dangerous-pr-target-checkout: detects pull_request_target trigger combined with checkout of incoming PR code (pwn request pattern)
Scans vulnerable_apps/ for SAST findings on push, PR, and manual trigger. Blocks build on any finding (default CLI exit code 1).
Scans only the diff between PR base and head commits, not the full codebase. Falls back to HEAD~1 on manual trigger.
Full scan runs on push to main only. PRs use the delta scan workflow.
…centralized template

Three new patterns complementing the existing CLI gate in azure-pipelines.yml:
- scripts/cycode-gate.sh — queries the Cycode RIG Graph API for Open violations in a named repo; fails the build if any match. Filters by severity, category, and risk score via env vars. Emits ##vso[task.logissue] for Azure Pipelines.
- scripts/cycode-json-to-junit.py + scripts/cycode-summary.py — converters that take `cycode -o json scan ...` output and produce JUnit XML (for PublishTestResults@2 → Tests tab) and a Markdown report (for ##vso[task.uploadsummary] → custom tab on build summary).
- templates/cycode-scan.yml — centralized template consumed via `extends`. App pipelines pass parameters (scanPath, scanTypeFlags, severityThreshold, repoName, gateMode) and inherit the scan + publish + gate logic. Cross-repo usage documented in the header.

Example pipelines:
- azure-pipelines-api-gate.yml — API gate standalone
- azure-pipelines-publish-results.yml — Tests tab + summary + artifact
- azure-pipelines-template-consumer.yml — minimal consumer of the template
- RIG .result[] items wrap detections in a .resource object; updated the
jq filter to drill through it so severity/risk_score/policy/file_path
render correctly instead of all dashes.
- Use bare repo name ("vectorvictor") in defaults and docs — the
owner/repo form returns 0 results in RIG.
- Check .fast_query_has_more and surface "at least N (page cap hit)"
when results are paginated, so the gate message is truthful when the
tenant has more than page_size findings.
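The gate logic the commit above describes, as an added example in Python rather than the project's own jq-based cycode-gate.sh: drill through the `.resource` wrapper, filter Open violations by severity, category and risk score, and report a lower bound when `.fast_query_has_more` is set. The sample response is constructed here; the `status` and `category` field names and every value are assumptions, as is the exact wording of the gate message.

```python
"""Added example (not the project's cycode-gate.sh): RIG-style gate evaluation in Python."""

# Constructed sample response. The shape follows the commit above: each .result[]
# item wraps the detection in a .resource object and .fast_query_has_more marks a
# truncated page. Field names other than severity/risk_score/policy/file_path
# (status, category) and all values are assumptions for illustration.
SAMPLE_RESPONSE = {
    "fast_query_has_more": True,
    "result": [
        {"resource": {"severity": "Critical", "risk_score": 92, "policy": "Hardcoded secret",
                      "file_path": "src/config.py", "status": "Open", "category": "Secrets"}},
        {"resource": {"severity": "Medium", "risk_score": 40, "policy": "Insecure hash",
                      "file_path": "src/auth.py", "status": "Open", "category": "SAST"}},
        {"resource": {"severity": "High", "risk_score": 75, "policy": "SQL injection",
                      "file_path": "src/db.py", "status": "Resolved", "category": "SAST"}},
    ],
}

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


def flatten(response):
    """Drill through .resource; reading fields off the outer item is what rendered dashes."""
    return [item.get("resource", {}) for item in response.get("result", [])]


def render_rows(response):
    """One aligned row per detection, '-' where a field is absent."""
    return ["%-8s %3s %-18s %s" % (d.get("severity", "-"), d.get("risk_score", "-"),
                                   d.get("policy", "-"), d.get("file_path", "-"))
            for d in flatten(response)]


def gate(response, min_severity="High", min_risk_score=0, categories=None):
    """Return (should_fail, count, message) for Open violations at or above the thresholds."""
    threshold = SEVERITY_RANK.get(min_severity, 0)
    matches = [
        d for d in flatten(response)
        if d.get("status") == "Open"
        and SEVERITY_RANK.get(d.get("severity", "Info"), 0) >= threshold
        and d.get("risk_score", 0) >= min_risk_score
        and (categories is None or d.get("category") in categories)
    ]
    count = len(matches)
    # With a truncated page only a lower bound is known, so say so instead of
    # reporting the page size as if it were the tenant-wide total.
    if response.get("fast_query_has_more"):
        message = "at least %d open violation(s) at severity >= %s (page cap hit)" % (count, min_severity)
    else:
        message = "%d open violation(s) at severity >= %s" % (count, min_severity)
    return count > 0, count, message


def azure_log_line(message, should_fail):
    """Azure Pipelines logging command that surfaces the result in the build log."""
    return "##vso[task.logissue type=%s]%s" % ("error" if should_fail else "warning", message)


if __name__ == "__main__":
    print("\n".join(render_rows(SAMPLE_RESPONSE)))
    fail, _, msg = gate(SAMPLE_RESPONSE, min_severity="High")
    print(azure_log_line(msg, fail))
    raise SystemExit(1 if fail else 0)
```

In the real script the thresholds come from env vars; here they are plain parameters so the filtering is visible. Note that the Resolved High finding is excluded regardless of severity, and that the lower-bound message appears whenever the page cap flag is set, even when the count on the page is zero.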
…terns Azure Pipelines advanced patterns: API gate, UI publishing, central template
Findings whose message text contained a double quote produced malformed XML attributes that Azure Pipelines' PublishTestResults@2 rejected with "'Secure' is an unexpected token. Expecting whitespace" and the Tests tab failed to populate. xml.sax.saxutils.escape() only handles &, <, >. quoteattr() additionally escapes " and returns the value wrapped in quotes — the canonical way to build XML attribute values. Verified end-to-end in the AppSecHQ/vectorvictor publish-results pipeline against a run with 69 findings; Tests tab now populates cleanly.
Two small improvements based on end-to-end testing in Azure DevOps:

Variable group for credentials
- All three top-level pipelines now reference an ADO Library variable group named 'cycode-credentials' via 'variables: - group: ...' instead of expecting CYCODE_CLIENT_ID / CYCODE_CLIENT_SECRET as bare secret pipeline variables.
- Single source of truth for credential rotation (ideally backed by Key Vault) and fewer pipelines to update when the service account changes.

jq install hardening
- The 'apt-get || true' form silently masked failures on agents without apt-get (macOS, RHEL, Windows, distroless).
- Now: detect apt-get, fall back to brew, and fail loudly with a clear 'Preinstall jq on the agent' message if neither is available.
Fix JUnit XML attribute escaping (use quoteattr)
Variable group for credentials; harden jq install
cycode-summary.py now produces three formats from one JSON input:
- Markdown for the Azure Pipelines Build Summary tab (uploadsummary)
- Self-contained HTML with severity badges, filterable table, and expandable description + remediation guidance
- Excel-friendly CSV with all the same data for offline analysis

Columns per customer ask: Issue Name, Description, Where (line), File, Metadata (severity/type/CWE/OWASP/language/category), Mitigation (full remediation_guidelines from the Cycode platform), and a Console URL per finding (links to the policy rule page; base URL overridable via CYCODE_CONSOLE_URL env var).

Pipeline bundles raw JSON + HTML + CSV + Markdown into one 'cycode-report' artifact. Verified end-to-end in the azure-pipeline-demo-adv ADO environment.
Rich reporting: HTML + CSV artifacts with 7 customer columns