Skip to content

Chore/security ci pipeline#220

Open
OkeyAmy wants to merge 5 commits into
TestSprite:mainfrom
OkeyAmy:chore/security-ci-pipeline
Open

Chore/security ci pipeline#220
OkeyAmy wants to merge 5 commits into
TestSprite:mainfrom
OkeyAmy:chore/security-ci-pipeline

Conversation

@OkeyAmy

@OkeyAmy OkeyAmy commented Jul 9, 2026

Copy link
Copy Markdown

Adds a dedicated security CI workflow that runs on every PR and push to main, dev, stg.

Changes

  • .github/workflows/security.yml — new security pipeline (5 jobs, zero external API keys)
  • eslint.security.config.mjs — security-focused ESLint config using eslint-plugin-security
  • eslint.config.mjs — add sandbox/** to ignore list

Security jobs

Job Tool Blocks merge?
Dependency audit npm audit --omit=dev Yes — HIGH/CRITICAL in prod deps
Dependency review GitHub built-in Yes — new vulnerable deps in PR
CodeQL GitHub CodeQL (security-extended) Yes — CWE-22, CWE-918, CWE-73, CWE-116
ESLint security eslint-plugin-security Yes — non-literal fs paths, child_process, ReDoS
Secret scan gitleaks Yes — API keys/tokens in git history

Notes

  • No external API keys required. All jobs use GITHUB_TOKEN (automatic) or run fully offline.
  • Dev dependency vulns (vitest, esbuild) are reported informational-only — they do not block merge since they don't ship to users.
  • eslint.security.config.mjs runs separately from the main lint so security findings surface as their own CI check.

Contact: @okey_amy

Summary by CodeRabbit

  • New Features
    • Added a dedicated CI “Security” workflow for pull requests and key branches, including dependency audits, dependency vulnerability review, CodeQL scanning, security-focused linting, and secret detection.
  • Bug Fixes
    • Updated ignore settings to consistently exclude sandbox/ from routine linting and checks.
  • Chores
    • Added a separate security lint configuration and included the security ESLint plugin to enforce stronger security rules.

OkeyAmy and others added 3 commits June 28, 2026 23:15
… gitignore

Adds a 5-job GitHub Actions security pipeline (dependency audit, dependency
review, CodeQL, ESLint security rules, secret scanning via gitleaks). No
external API keys required — all jobs use GITHUB_TOKEN or npm public registry.

Adds eslint.security.config.mjs for targeted security linting of src/ using
eslint-plugin-security. Updates main eslint config and .gitignore to exclude
the local sandbox directory.
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 1e69f1ed-28de-4215-b412-5ee3b99a6265

📥 Commits

Reviewing files that changed from the base of the PR and between a5b26d8 and dbbd7af.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json, !package-lock.json
📒 Files selected for processing (2)
  • .github/workflows/security.yml
  • package.json
💤 Files with no reviewable changes (1)
  • .github/workflows/security.yml
✅ Files skipped from review due to trivial changes (1)
  • package.json

Walkthrough

Adds a GitHub Actions security workflow for dependency auditing, dependency review, CodeQL, ESLint security checks, and secret scanning. Adds a dedicated security ESLint config, installs the security plugin, and excludes sandbox/ from ignore lists.

Changes

Security scanning setup

Layer / File(s) Summary
Security workflow definition
.github/workflows/security.yml
Defines the new security workflow, its triggers, and five jobs for dependency audit, dependency review, CodeQL analysis, ESLint security linting, and secret scanning.
Security ESLint config and ignore updates
eslint.security.config.mjs, eslint.config.mjs, .gitignore, package.json
Adds a CI-focused ESLint security flat config, installs eslint-plugin-security, and updates ignore rules so sandbox/ is skipped by ESLint and git.

Estimated code review effort: 3 (Moderate) | ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: adding a security-focused CI pipeline.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.


Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/security.yml:
- Line 22: The checkout steps in the workflow are leaving GitHub credentials
persisted by default, which is unnecessary here and can expose the token. Update
each actions/checkout usage in the workflow to explicitly disable credential
persistence by setting persist-credentials to false, including the checkout
step(s) referenced by the security.yml job definitions.
- Line 22: The workflow still uses mutable action tags, so update each
third-party action reference in security.yml to a full 40-character commit SHA
while keeping the existing version comment for readability. Apply this to all
affected action entries, including the ones in the
checkout/setup-node/dependency-review, CodeQL init/analyze, and gitleaks steps,
so the workflow pins exact revisions instead of floating tags.
- Around line 97-98: The workflow currently installs eslint-plugin-security ad
hoc in CI, which bypasses the lockfile and uses an unpinned package. Remove the
standalone install step from the security workflow and add
eslint-plugin-security as a pinned devDependency in package.json so npm ci
installs it through package-lock integrity checks; use the existing workflow job
and package manager setup to locate where the plugin is consumed.
- Around line 9-11: The workflow-level permissions are too broad because
security-events: write is granted to every job, even though only the codeql job
needs it to upload SARIF results. Move the security-events: write permission
from the top-level permissions block into a job-level permissions block on
codeql, and keep audit, lint-security, and secret-scan limited to the minimal
read access they actually need.

In `@eslint.security.config.mjs`:
- Around line 5-8: The security ESLint config currently imports
eslint-plugin-security directly, but the dependency is not declared and is being
installed ad hoc, so make the config reproducible by adding a pinned
eslint-plugin-security entry to package.json devDependencies and removing the
workflow’s no-save install step. Update the setup that loads
eslint.security.config.mjs so it relies on the declared dependency, and keep the
import in that config file unchanged aside from ensuring the package is
available through normal dependency installation.
- Around line 30-31: The comment for security/detect-non-literal-regexp does not
match its configured severity. Update the comment near the security rule entry
in eslint.security.config.mjs so it accurately reflects that the rule is set to
warn, not error, or change the rule severity if error is the intended behavior;
keep the comment and the rule value consistent.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 04904fef-3139-4fd1-a8a0-8eb591625b90

📥 Commits

Reviewing files that changed from the base of the PR and between 3305dfa and eb2bd3e.

📒 Files selected for processing (4)
  • .github/workflows/security.yml
  • .gitignore
  • eslint.config.mjs
  • eslint.security.config.mjs

Comment thread .github/workflows/security.yml Outdated
Comment thread .github/workflows/security.yml Outdated
Comment thread .github/workflows/security.yml Outdated
Comment thread eslint.security.config.mjs
Comment thread eslint.security.config.mjs Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/security.yml (1)

108-121: 🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Set GITLEAKS_LICENSE for this organization-owned repo. gitleaks-action v2 expects a license for org accounts, so leaving it unset will break the scan here; use the license secret or switch to the standalone gitleaks CLI if you want to avoid the wrapper’s licensing.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/security.yml around lines 108 - 121, The secret scan
workflow is using gitleaks-action without the required GITLEAKS_LICENSE for an
organization-owned repo, which will cause the scan to fail. Update the
secret-scan job in the security workflow to provide the license from a GitHub
secret, or replace the gitleaks/gitleaks-action step with the standalone
gitleaks CLI if you want to avoid the wrapper licensing requirement.
♻️ Duplicate comments (2)
.github/workflows/security.yml (2)

21-21: 🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Set persist-credentials: false on all checkout steps.

Still not set anywhere in the file, as previously flagged by static analysis. None of these jobs push back to the repo, so persisted credentials are unnecessary risk exposure.

🔒️ Proposed fix (apply to each checkout step)
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          persist-credentials: false

Also applies to: 44-44, 63-63, 90-90, 112-114

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/security.yml at line 21, The workflow’s checkout steps are
still using the default persisted Git credentials, which should be disabled
across all jobs. Update each actions/checkout usage in the security workflow to
set persist-credentials to false, including the checkout steps associated with
the referenced jobs, so the repository is not left with unnecessary
write-capable credentials.

Source: Linters/SAST tools


99-100: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Ad-hoc install of eslint-plugin-security still bypasses the lockfile.

npm install --no-save eslint-plugin-security remains unpinned and outside package-lock.json, a supply-chain risk previously flagged. Add it as a pinned devDependency instead so npm ci installs it with lockfile integrity checks.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/security.yml around lines 99 - 100, The workflow still
installs eslint-plugin-security ad hoc, bypassing lockfile integrity. Move the
dependency into the project’s pinned devDependencies and regenerate the lockfile
so npm ci installs it via package-lock.json instead of using the Install
security plugin step in the workflow. Use the existing workflow and package
manifest entries to locate where the plugin installation is defined and replace
the unpinned npm install --no-save usage with a lockfile-backed dependency.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/security.yml:
- Around line 108-121: The secret scan workflow is using gitleaks-action without
the required GITLEAKS_LICENSE for an organization-owned repo, which will cause
the scan to fail. Update the secret-scan job in the security workflow to provide
the license from a GitHub secret, or replace the gitleaks/gitleaks-action step
with the standalone gitleaks CLI if you want to avoid the wrapper licensing
requirement.

---

Duplicate comments:
In @.github/workflows/security.yml:
- Line 21: The workflow’s checkout steps are still using the default persisted
Git credentials, which should be disabled across all jobs. Update each
actions/checkout usage in the security workflow to set persist-credentials to
false, including the checkout steps associated with the referenced jobs, so the
repository is not left with unnecessary write-capable credentials.
- Around line 99-100: The workflow still installs eslint-plugin-security ad hoc,
bypassing lockfile integrity. Move the dependency into the project’s pinned
devDependencies and regenerate the lockfile so npm ci installs it via
package-lock.json instead of using the Install security plugin step in the
workflow. Use the existing workflow and package manifest entries to locate where
the plugin installation is defined and replace the unpinned npm install
--no-save usage with a lockfile-backed dependency.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 06fc778d-1743-4cfb-bcba-bf1b5f760785

📥 Commits

Reviewing files that changed from the base of the PR and between eb2bd3e and a5b26d8.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • .github/workflows/security.yml
  • eslint.security.config.mjs
🚧 Files skipped from review as they are similar to previous changes (1)
  • eslint.security.config.mjs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant