Release JavaScript GCP KMS Storage v1.0.0#874
Conversation
* Bump version
* fix: resolve DOM Clobbering CVE-2024-43788 (#689)
* fix: resolve DOM Clobbering CVE-2024-43788
* Upgrade JavaScript tests GHA to use Node 20
* fixed moduleResolution in tsconfig, updated all dependencies
* Added GCP KMS support to KSM Javascript SDK
* Added RAW_Encrypt functionality
* Revert "Added RAW_Encrypt functionality". This reverts commit f6616be.
* Fixed issues related to writing to file even when encryption failed
* Added support for GCP Raw Encrypt Decrypt type of key
---------
Co-authored-by: Ivan Dimov <78815270+idimov-keeper@users.noreply.github.com>
Co-authored-by: satish_chandra <metron_satish@safebreach.com>
Co-authored-by: Ayush Asati <ayush.asati@metronlabs.com>
| runs-on: ubuntu-latest | ||
| defaults: | ||
| run: | ||
| working-directory: ./sdk/javascript/packages/gcp | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup Node.js 20.x | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '20.x' | ||
| cache: 'npm' | ||
| cache-dependency-path: sdk/javascript/packages/gcp/package-lock.json | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Run tests | ||
| run: npm test |
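Review bot: `actions/checkout@v4` and `actions/setup-node@v4` are referenced by mutable major-version tags; pinning each to a full commit SHA (keeping the tag in a trailing comment) means a moved tag or a compromised action release cannot change what runs in CI. The `npm ci` step paired with `cache-dependency-path: sdk/javascript/packages/gcp/package-lock.json` is the right combination, since it installs exactly the locked tree that was reviewed rather than re-resolving versions.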
Check warning from Code scanning / CodeQL: Workflow does not contain permissions (Medium), test
Copilot Autofix (AI, 4 months ago):
To address the issue, the workflow YAML should be updated to specify a permissions block at the job or workflow root, stating the minimal necessary privileges. Since this workflow simply checks out code and runs tests — and does not perform write operations to the repository or PRs — the safest default is to set contents: read. This should be added as a new block immediately after the name: directive and before the on: directive (workflow root), or alternatively inside the test job. For clarity and to avoid unexpected privilege inheritance, the recommended location is at the workflow root; this will apply minimal permissions to all jobs.
No new methods or imports are needed to implement this; simply add the following YAML block in the right place:

permissions:
  contents: read

| @@ -1,4 +1,6 @@ | ||
| name: Test JavaScript Storage - GCP KMS | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
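Review bot: placing `permissions: contents: read` at the workflow root, as this suggestion does, is the right minimal scope for a job that only checks out code and runs `npm test`. One consequence to keep in mind: a workflow-level block is inherited by every job, so any job added later that needs a broader scope (for example to comment on pull requests) must declare its own `permissions:` at job level instead of relying on the repository default.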
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
| needs: generate-sbom | ||
| if: ${{ github.event.inputs.publish == 'true' }} | ||
| environment: prod | ||
| runs-on: ubuntu-latest | ||
|
|
||
| defaults: | ||
| run: | ||
| working-directory: ./sdk/javascript/packages/gcp | ||
|
|
||
| steps: | ||
| - name: Get the source code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Retrieve secrets from KSM | ||
| id: ksmsecrets | ||
| uses: Keeper-Security/ksm-action@master | ||
| with: | ||
| keeper-secret-config: ${{ secrets.KSM_KSM_CONFIG }} | ||
| secrets: | | ||
| NScQiZwrHJFCPv1gL8TX6Q/field/password > env:NPM_TOKEN | ||
|
|
||
| - name: Install dependencies | ||
| run: npm install | ||
|
|
||
| - name: Build package | ||
| run: npm run build | ||
|
|
||
| - name: Publish package | ||
| run: npm publish |
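Review bot: `Keeper-Security/ksm-action@master` tracks a moving branch inside the job that resolves the npm publishing credential (`NScQiZwrHJFCPv1gL8TX6Q/field/password > env:NPM_TOKEN`) in the `prod` environment, so whatever is on `master` at run time gets access to that token; pin it to a release tag or, better, a commit SHA. Two further points in the same hunk: `actions/checkout@v3` is an older major than the `@v4` used in the test workflow, and `npm install` here can resolve a different dependency tree than the `npm ci` the tests ran against, so the published artifact is not guaranteed to be the tested one; `npm ci` keeps publish on the lockfile. If `npm publish --provenance` is adopted later, this job will additionally need `id-token: write`, which a root-level `contents: read` block does not grant.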
Check warning from Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 1 month ago):
In general, the fix is to explicitly set permissions for the GITHUB_TOKEN at either the workflow level or per job, restricting them to the minimum required (typically contents: read for workflows that only need to fetch code). Since this workflow only checks out code and runs local build/publish tooling, and does not interact with GitHub resources in a write-capacity, contents: read is sufficient. No existing functionality relies on broader permissions.
The best, least-invasive fix here is to add a top-level permissions block just under name: (or under on:), so it applies to both generate-sbom and publish-npm without duplicating configuration. Specifically, in .github/workflows/publish.npm.storage.gcp.kms.yml, after line 1 (name: Publish GCP Storage to NPM), insert:
permissions:
  contents: read

This documents the workflow’s requirement and ensures that even if the repo/org default changes or the workflow is copied elsewhere, the GITHUB_TOKEN used by both jobs will be limited to read-only access to repository contents. No new imports, tools, or additional methods are needed.
| @@ -1,4 +1,6 @@ | ||
| name: Publish GCP Storage to NPM | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| workflow_dispatch: | ||
| inputs: |
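Review bot: this suggestion and the later one for the same file (`@@ -8,6 +8,9 @@`, inserted after the `inputs:` block) both add a top-level `permissions:` key to `.github/workflows/publish.npm.storage.gcp.kms.yml`; apply only one of them, since two top-level `permissions` mappings would be a duplicate key in the YAML. Either position is valid because `permissions` is a top-level workflow key, so the choice is only about readability.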
- Updates @google-cloud/kms from 4.5.0 to 5.2.1
- Updates jws from 4.0.0 to 4.0.1 (via google-auth-library)
- Resolves HIGH severity vulnerability (CVSS 7.5)
- Fixes improper HMAC signature verification in auth0/node-jws
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Get the source code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v3 | ||
| with: | ||
| node-version: '20' | ||
|
|
||
| - name: Install package dependencies | ||
| run: npm install | ||
| working-directory: ./sdk/javascript/packages/gcp | ||
|
|
||
| - name: Install Syft | ||
| run: | | ||
| echo "Installing Syft v1.18.1..." | ||
| curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /tmp/bin v1.18.1 | ||
| echo "/tmp/bin" >> $GITHUB_PATH | ||
|
|
||
| - name: Install Manifest CLI | ||
| run: | | ||
| echo "Installing Manifest CLI v0.18.3..." | ||
| curl -sSfL https://raw.githubusercontent.com/manifest-cyber/cli/main/install.sh | sh -s -- -b /tmp/bin v0.18.3 | ||
|
|
||
| - name: Create Syft configuration | ||
| run: | | ||
| cat > syft-config.yaml << 'EOF' | ||
| package: | ||
| search: | ||
| scope: all-layers | ||
| cataloger: | ||
| enabled: true | ||
| java: | ||
| enabled: false | ||
| python: | ||
| enabled: false | ||
| nodejs: | ||
| enabled: true | ||
| EOF | ||
|
|
||
| - name: Generate and upload SBOM | ||
| env: | ||
| MANIFEST_API_KEY: ${{ secrets.MANIFEST_TOKEN }} | ||
| run: | | ||
| JAVASCRIPT_SDK_DIR="./sdk/javascript" | ||
|
|
||
| # Get version from package.json | ||
| echo "Detecting GCP Storage version..." | ||
| if [ -f "${JAVASCRIPT_SDK_DIR}/packages/gcp/package.json" ]; then | ||
| VERSION=$(grep -o '"version": "[^"]*"' "${JAVASCRIPT_SDK_DIR}/packages/gcp/package.json" | cut -d'"' -f4) | ||
| echo "Detected version: ${VERSION}" | ||
| else | ||
| VERSION="1.0.0" | ||
| echo "Could not detect version, using default: ${VERSION}" | ||
| fi | ||
|
|
||
| echo "Generating SBOM with Manifest CLI..." | ||
| /tmp/bin/manifest sbom "${JAVASCRIPT_SDK_DIR}/packages/gcp" \ | ||
| --generator=syft \ | ||
| --name=keeper-secrets-manager-javascript-storage-gcp-kms \ | ||
| --version=${VERSION} \ | ||
| --output=spdx-json \ | ||
| --file=gcp-storage-sbom.json \ | ||
| --api-key=${MANIFEST_API_KEY} \ | ||
| --publish=true \ | ||
| --asset-label=application,sbom-generated,nodejs,gcp-storage \ | ||
| --generator-config=syft-config.yaml | ||
|
|
||
| echo "SBOM generated and uploaded successfully: gcp-storage-sbom.json" | ||
| echo "---------- SBOM Preview (first 20 lines) ----------" | ||
| head -n 20 gcp-storage-sbom.json | ||
|
|
||
| publish-npm: |
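Review bot: both installer steps run `curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh` (and the same pattern for `manifest-cyber/cli`), so although the binary versions `v1.18.1` and `v0.18.3` are pinned, the script that performs the install is fetched from the `main` branch at run time and executed unverified; fetch a tagged copy of the installer, or the release binary plus its published checksum, and verify the checksum before running it. Smaller points in the same job: the fallback `VERSION="1.0.0"` silently publishes an SBOM under a possibly wrong version when `package.json` is not found, and failing the step would be safer than a default; `--version=${VERSION}` and `--api-key=${MANIFEST_API_KEY}` should be quoted; and passing the API key as a command-line argument exposes it to the runner's process list, so prefer the environment variable already set in `env:` if the CLI supports reading it. As in the publish job, `actions/checkout@v3` and `actions/setup-node@v3` lag the `@v4` used for tests, and `npm install` is used where `npm ci` would keep the tree on the lockfile.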
Check warning from Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 1 month ago):
In general, the fix is to define an explicit permissions: block that restricts the GITHUB_TOKEN to the minimal scopes required. Since this workflow only checks out code and runs commands, it only needs read access to repository contents. We can apply this at the root level so it covers all jobs, unless a job requires additional scopes (none are apparent here).
The best minimal fix without changing existing behavior is to add a workflow‑level permissions: block right after the name: (or after on:) that sets contents: read. This will apply to both generate-sbom and publish-npm, and does not interfere with publishing to NPM because that uses an explicit NPM_TOKEN, not GITHUB_TOKEN. Concretely, edit .github/workflows/publish.npm.storage.gcp.kms.yml to insert:
permissions:
  contents: read

near the top, leaving all jobs and steps unchanged.
| @@ -8,6 +8,9 @@ | ||
| default: true | ||
| type: boolean | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| generate-sbom: | ||
| runs-on: ubuntu-latest |
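Review bot: this is the second autofix for the same workflow file; the earlier one inserts the identical `permissions:` block directly under `name:`, so only one of the two should be applied. This placement, between the `workflow_dispatch` inputs and `jobs:`, is equally valid, and `contents: read` at workflow level is sufficient here because publishing authenticates with `NPM_TOKEN` and the SBOM upload with `MANIFEST_API_KEY`, neither of which is `GITHUB_TOKEN`.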
Fixes GHSA-7h2j-956f-4vf2 (CVE-2026-25547) DoS vulnerability
Release of @keeper-security/secrets-manager-gcp v1.0.0
Google Cloud Key Management Service integration for secure storage of Keeper Secrets Manager configuration.
Dependencies:
Closes https://keeper.atlassian.net/browse/KSM-704