ci: harden PR security — Semgrep, Gitleaks, CodeQL extended, dep review#10
Merged
Conversation
Add three security audit jobs to the CI workflow: - CodeQL SAST (JavaScript/TypeScript analysis) - Gitleaks (secret scanning on every commit) - npm-audit-action (dependency vulnerability checking) tests/test-security-triggers.ts intentionally contains flagged patterns to validate the scanners fire correctly. It will be removed after verification.
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
…cy review Explicit attacker-focused security pipeline: - Semgrep with 20 custom rules targeting pi extension threats: exfiltration (fetch/XMLHttpRequest), secret logging, API base override, auth header manipulation, shell execution, dynamic requires, postinstall scripts, auth path traversal, eval/Function injection, env leaks - Gitleaks custom config (.gitleaks.toml) with project-specific patterns: Command Code API keys, pi auth.json credential structures, bearer tokens, OAuth callback URLs - Dependency review action — flags malicious licenses, new packages, known vulnerability severity in PR diffs - CodeQL upgraded to security-extended + security-and-quality query suites - can-i-ignore-scripts check — audits install-time execution risk - Dependency review fails on high-severity, blocks merge test-security-triggers.ts: full attacker simulation — server exfil, shell exec, dynamic require, code injection Remove test-security-triggers.ts after CI verification.
patlux
changed the title
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
…from eval-like rule
Dependency ReviewThe following issues were found:
License Issues.github/workflows/ci.yml
OpenSSF Scorecard
Scanned Files
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Complete security pipeline for external contributor PRs. Guards against the specific attack vectors a malicious contributor could exploit in a pi extension.
Pipeline summary
codeql-action@v3+security-extended,security-and-quality.semgrep/pi-extension-audit.yaml)gitleaks/gitleaks-action@v2+ custom config (.gitleaks.toml)actions/dependency-review-action@v4npm audit --audit-level=moderatecan-i-ignore-scriptsAttack vectors covered by Semgrep rules
pi-extension-data-exfiltration-fetchpi-extension-logging-secretsconsole.log(apiKey)— credentials leak via pi outputpi-extension-secret-in-error-messagepi-extension-api-base-overridepi-extension-auth-header-manipulationpi-extension-shell-executionexec/spawn/forkin src/ — arbitrary code on user machinepi-extension-untrusted-dynamic-requirerequire('unknown-package')— supply chain attackpi-extension-postinstall-scriptpostinstallscript in package.json — runs onnpm installpi-extension-auth-path-traversaljoin(homedir(), '../.ssh')— reading SSH keyspi-extension-unexpected-fetchfetch()in src/ (bypassing injectable fetchImpl)pi-extension-eval-likeeval(),new Function(), code injectionpi-extension-env-leakprocess.envvars outsideCOMMANDCODE_*namespacepi-extension-oauth-callback-hardcodeGitleaks custom patterns (
.gitleaks.toml)user_*) inline or in auth filesTest trigger file
tests/test-security-triggers.tssimulates a real attacker PR with:eval()injectionexec()shell executionrequire('unknown-malicious-package')console.log(apiKey)Remove this file after CI verification.
Actions needed after merge
Dependency graphin repo Settings → Security (free, required for dep review)