Add security scanning workflows #2
base: devops/3415-windows-virus-false-positive
CodeRabbit: Review skipped. Auto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the … You can disable this status message by setting the …

Note: Other AI code review bot(s) detected. CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.
💡 Codex Review
Here are some automated review suggestions for this pull request.
| jobs: | ||
| osv: | ||
| runs-on: ubuntu-latest |
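Review bot: the `osv` job declares no `permissions:` block, so on pull_request events it inherits the default read-only GITHUB_TOKEN and the SARIF upload through github/codeql-action/upload-sarif is rejected; add `permissions: { contents: read, security-events: write }` at the job level rather than the workflow level, so that only this job receives the write scope and the other jobs stay read-only.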
Grant security-events permission for OSV uploads
The OSV scanner action uploads its SARIF output via github/codeql-action/upload-sarif by default. Without declaring permissions: { security-events: write }, the job runs with a read-only token on pull requests and the upload step fails with “Resource not accessible by integration,” causing the workflow to fail and the report not to publish. Add the required permission scope to the job or workflow.
Useful? React with 👍 / 👎.
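As an added illustration of the fix described in the comment above (this is example code, not the PR's own `osv-scan.yml`), here is a minimal workflow that keeps the whole workflow on a read-only token and grants `security-events: write` only to the scan job. The scanner step is a labelled placeholder that writes an empty SARIF file, because the PR excerpt does not show which action the project runs; `actions/checkout@v4`, `github/codeql-action/upload-sarif@v3` and the `actions: read` scope are assumptions based on those actions' public documentation, not values taken from this PR.

```yaml
# Added example, not the PR's osv-scan.yml. Shows the permission scope the
# SARIF upload needs while keeping every other job on a read-only token.
name: OSV scan

on:
  pull_request:
  push:
    branches: [main]

# Workflow-level default: read-only GITHUB_TOKEN for all jobs unless a job
# explicitly asks for more. This is the least-privilege baseline.
permissions:
  contents: read

jobs:
  osv:
    runs-on: ubuntu-latest
    # Without this block the job runs with the read-only default token on
    # pull_request events and upload-sarif fails with
    # "Resource not accessible by integration".
    permissions:
      contents: read
      security-events: write   # required to publish code-scanning (SARIF) results
      actions: read            # assumed: upload-sarif needs it on private repos
    steps:
      - uses: actions/checkout@v4

      # Placeholder for the project's real OSV scanner step (its action ref is
      # not visible in the PR excerpt). It writes a minimal, empty SARIF file
      # so the upload step below can be exercised end to end.
      - name: Run scanner (placeholder)
        run: |
          cat > results.sarif <<'EOF'
          {"version":"2.1.0","runs":[{"tool":{"driver":{"name":"osv-scanner-placeholder"}},"results":[]}]}
          EOF

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Declaring `permissions: contents: read` at the top and widening only the `osv` job means a compromised or misbehaving step in any other job of the same workflow still cannot write code-scanning results or anything else beyond reading the repository.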
@codex fix comment
Summary
- Granted the OSV scan workflow explicit `contents: read` and `security-events: write` permissions so its SARIF upload succeeds on pull requests. (`.github/workflows/osv-scan.yml` L9-L27)
- Updated the OWASP Dependency-Check workflow to create the temporary npm lockfile with `npm install --package-lock-only`, which works without a pre-existing lockfile. (`.github/workflows/odc.yml` L15-L33)
Testing
- Not run (not requested).
- add job-level if: to run only on release/workflow_dispatch
- add Resolve release tag step (supports manual input + last release fallback)
- harden MpCmdRun.exe resolution on windows-latest

This prevents PR runs from failing when github.event.release.tag_name is undefined and makes manual runs usable.

- Add PR/push jobs for ClamAV (Linux) and Windows Defender (Windows)
- Keep release/workflow_dispatch jobs for scanning published assets
- No secret usage in PR/push jobs; uses repo/build outputs or repo archive
- Upload PR scan payload/logs as artifacts

- Detect common stacks and attempt install+build for each
- Package best available outputs (dist/build/target/release) for scanning
- Keep release/manual job unchanged

- Enable corepack; prep yarn if yarn.lock present
- Make Node/Rust/Go builds best-effort (won't fail the job)
- Use tar.gz instead of zip to avoid zip dependency
- Keep scanning entire dist-pr directory with --scan-archive=yes

- Detect bun.lockb and use oven-sh/setup-bun@v1
- Run `bun install` + `bun run build` before packaging
- Keep Node/Rust/Go heuristics as fallback

… shell
- Replace oven-sh/setup-bun with curl installer and PATH export
- Drop pnpm/action-setup; use corepack to activate pnpm/yarn
- Replace dtolnay/rust-toolchain with rustup bootstrap
- Add defaults.run.shell: bash; small permissions tweaks
- Keep Go using first-party actions/setup-go@v5
- Include schedule in release job guard to avoid skipped runs

… zip contention)
- owasp: use dependency-check/Dependency-Check_Action@1.1.0 and cache DC data
- clamav: install freshclam db before clamscan; package build outputs for PRs; scan release assets
- defender: handle zip handle contention; scan release assets and surface detections
…args --out); avoid zip handle contention by using unique filename and glob for scan/upload
…o bun; stage outputs; extract before clamscan for real file counts
…prettier script defined)
…up-bun for back-compat with existing workflows
…vert non-security change to script/format.ts
…s artifact and defender job scans extracted dir
…/.bun if cached version != requested; keep bun install step
… verify exact version. build-package now uses this action.
b3a9a69 to b9589eb
https://chatgpt.com/codex/tasks/task_e_68fe8f682c9083248db706b52b2a5b38