security: add repository hygiene workflow#37
Conversation
Qodo reviews are paused for this user.Troubleshooting steps vary by plan Learn more → On a Teams plan? Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center? |
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
![amazon-q-developer[bot]](https://avatars.githubusercontent.com/in/1220912?s=60&v=4){kind=small}
There was a problem hiding this comment.
Security Review Summary
This PR adds a valuable security hygiene workflow to audit outbound calls and detect secrets. However, I've identified 2 critical security vulnerabilities that must be fixed before merge:
Critical Issues:
- Supply chain risk: The checkout action uses an unpinned version tag, creating a vector for supply chain attacks
- Security bypass: Excluding the workflow file from scanning creates a blind spot where secrets could be hidden
Both issues have actionable fixes provided. Once addressed, this workflow will provide strong security guardrails for the repository.
You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.
| SECRET_PATTERN='BEGIN (RSA |OPENSSH |EC |DSA )?PRIVATE KEY|ghp_[A-Za-z0-9_]{20,}|github_pat_[A-Za-z0-9_]{20,}|AKIA[0-9A-Z]{16}|AIza[0-9A-Za-z_-]{20,}|sk-[A-Za-z0-9]{20,}' | ||
| if grep -RInE "$SECRET_PATTERN" . \ | ||
| --exclude-dir=.git \ | ||
| --exclude=.github/workflows/security-hygiene.yml; then |
There was a problem hiding this comment.
🛑 Security Vulnerability: Excluding the workflow file from secret scanning creates a blind spot where secrets could be hidden. An attacker with write access could commit secrets within this excluded file, bypassing the security check entirely.
| --exclude=.github/workflows/security-hygiene.yml; then | |
| --exclude-dir=.git; then |
| egress-policy: audit | ||
|
|
||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 |
There was a problem hiding this comment.
🛑 Security Vulnerability: Using an unpinned action reference (@v4) in a security workflow creates a supply chain attack risk. An attacker who compromises the actions/checkout repository could inject malicious code that executes in your workflow.
| uses: actions/checkout@v4 | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
There was a problem hiding this comment.
Micro-Learning Topic: Download of Code Without Integrity Check (CWE 494)
Matched on "CWE-494"
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
Try a challenge in Secure Code Warrior
Up to standards ✅🟢 Issues
|
1 participant
Adds a lightweight Security Hygiene workflow that audits outbound calls with Harden Runner and blocks obvious private keys or token patterns on push and pull requests.
This keeps existing CI intact and layers on a focused guardrail appropriate for an API repository.