Skip to content

Security scan: Claude AI analysis runs on zero source files #69

Description

@derrickmehaffy

Describe the bug

The community-hub security-scan n8n workflow runs its Claude AI analysis with zero package source code. The Fetch Package Code step returns no files, so the AI receives only package metadata. The stored ai_analysis result shows files_scanned: 0 / files_available: 0, and the model itself flags "Zero source files available for review despite npm package being published." As a result the AI security review is metadata-only and cannot assess the actual code (it returns a risk_level/recommendation based purely on registry metadata).

To reproduce

  1. Trigger a security scan on a package (e.g. @strapi-community/plugin-redis) via the moderation admin → Run security scan.
  2. Open the resulting security-review record (or the n8n execution for security-scan).
  3. Inspect the ai_analysis stage result.

Expected behavior

Fetch Package Code fetches the package source (npm tarball and/or the declared GitHub repo) and passes the relevant files to the model, so the AI performs a real code-level review (files_scanned > 0, scan_source set).

Actual behavior

Fetch Package Code yields no source → the AI receives 0 files → the analysis is shallow. Example stored ai_analysis payload:

{
  "files_scanned": 0,
  "files_available": 0,
  "scan_source": null,
  "parsed": {
    "risk_level": "medium",
    "recommendation": "request_changes",
    "red_flags": ["Zero source files available for review despite npm package being published"]
  }
}

Environment

  • n8n: staging community-hub workflow set, security-scan workflow (Fetch Package CodeClaude Haiku Security Analysis).
  • Surfaced during the staging bring-up of the moderation automation.

Additional context

The dependency-scan and AI-analysis stages otherwise run fine — only the source fetch feeding the AI is empty. Filed to track fixing the source fetch so the AI review is meaningful. (Separately, the dependency scan flags the @strapi/strapi peer dependency itself as vulnerable, which is likely noise for a plugin scan — worth a look while in this area.)

Metadata

Metadata

Assignees

No one assigned

    Labels

    echoes: bugChanges intended at preserving our ability to evolve the software safely and effectively

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions