Release JavaScript AWS KMS Storage v1.0.0#875
Conversation
* Bump version
* fix: resolve DOM Clobbering CVE-2024-43788 (#689)
* fix: resolve DOM Clobbering CVE-2024-43788
* Upgrade JavaScript tests GHA to use Node 20
* fixed moduleResolution in tsconfig updated all dependencies
* Added Support for KSM JS SDK to be able to use a key from AWS to encrypt local config
* Added rimraf to devDependencies.
* Fixed issue with KMS overwriting configuration file even when encryption failed

---------
Co-authored-by: Ivan Dimov <78815270+idimov-keeper@users.noreply.github.com>
Co-authored-by: satish_chandra <metron_satish@safebreach.com>
| runs-on: ubuntu-latest | ||
| defaults: | ||
| run: | ||
| working-directory: ./sdk/javascript/packages/aws | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup Node.js 20.x | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '20.x' | ||
| cache: 'npm' | ||
| cache-dependency-path: sdk/javascript/packages/aws/package-lock.json | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Run tests | ||
| run: npm test |
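Review bot: both actions in this job are referenced by a mutable major tag (`actions/checkout@v4`, `actions/setup-node@v4`), so what actually runs changes whenever upstream moves the tag; pin each `uses:` to a full commit SHA with the version noted in a trailing comment. The job also declares no `permissions:` block, so the `GITHUB_TOKEN` keeps the repository default scope rather than the `contents: read` that checkout needs; the CodeQL finding below covers that.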
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium test
Copilot Autofix (AI, 4 months ago):
To resolve the issue, an explicit permissions block should be added to limit the permissions granted to the workflow's jobs. The least-privilege starting point is typically contents: read, which allows jobs to clone and read the repository content but does not permit write operations. This block can be added either at the root level of the workflow, applying to all jobs, or just to the specific job. Since the workflow contains only one job (test), either location is acceptable, but best practice is to place it at the root for future extensibility. The modification involves editing .github/workflows/test.javascript.storage.aws.kms.yml by inserting the following block after the name: and before the on: section:
permissions:
  contents: read

No new imports, methods, or definitions are required beyond adding this block.
| @@ -1,4 +1,6 @@ | ||
| name: Test JavaScript Storage - AWS KMS | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
| needs: generate-sbom | ||
| if: ${{ github.event.inputs.publish == 'true' }} | ||
| environment: prod | ||
| runs-on: ubuntu-latest | ||
|
|
||
| defaults: | ||
| run: | ||
| working-directory: ./sdk/javascript/packages/aws | ||
|
|
||
| steps: | ||
| - name: Get the source code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Retrieve secrets from KSM | ||
| id: ksmsecrets | ||
| uses: Keeper-Security/ksm-action@master | ||
| with: | ||
| keeper-secret-config: ${{ secrets.KSM_KSM_CONFIG }} | ||
| secrets: | | ||
| NScQiZwrHJFCPv1gL8TX6Q/field/password > env:NPM_TOKEN | ||
|
|
||
| - name: Install dependencies | ||
| run: npm install | ||
|
|
||
| - name: Build package | ||
| run: npm run build | ||
|
|
||
| - name: Publish package | ||
| run: npm publish |
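Review bot: `uses: Keeper-Security/ksm-action@master` tracks a branch head, and this is the step that receives `secrets.KSM_KSM_CONFIG` and exports the npm publish token as `NPM_TOKEN`, so anything pushed to that branch runs here with access to both; pin it to a release tag or, better, a commit SHA, and do the same for `actions/checkout@v3` (the test workflow above already uses v4). Separately, this job builds and publishes after `npm install` while the test job used `npm ci`, so the published package can be built against dependency versions the tests never exercised; use `npm ci` here as well so the lockfile governs both.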
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix (AI, about 1 month ago):
In general, the fix is to explicitly declare a permissions block that limits the GITHUB_TOKEN to the least privileges required by the workflow. This can be done at the workflow root (applies to all jobs) or per job. Because both generate-sbom and publish-npm only need to read repository contents (checkout), we can safely set permissions: contents: read at the workflow level. Neither job needs to write to the repo, manage issues/PRs, or interact with other GitHub resources.
The best fix with minimal functional impact is: add a top‑level permissions block just under the name: (and before on: or before jobs:) specifying contents: read. This keeps behavior the same (they already only read contents) while ensuring the token cannot be used to perform unintended write operations against the repository. No other scopes appear necessary: publishing to npm uses NPM_TOKEN from secrets; SBOM generation and upload use MANIFEST_API_KEY, not GITHUB_TOKEN. Concretely, edit .github/workflows/publish.npm.storage.aws.kms.yml to insert:
permissions:
  contents: read

immediately after line 1, or otherwise at the workflow root.
| @@ -1,4 +1,6 @@ | ||
| name: Publish AWS Storage to NPM | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| workflow_dispatch: | ||
| inputs: |
|
…m8vf
- Updates @smithy/config-resolver from 4.1.0 to 4.4.6
- Resolves LOW severity vulnerability (CVSS 3.7)
- Defense-in-depth enhancement for region parameter validation
- Adds npm install step to generate-sbom job
- Ensures Syft scans actual installed dependencies
- Resolves phantom @smithy/config-resolver@4.1.0 detection
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Get the source code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v3 | ||
| with: | ||
| node-version: '20' | ||
|
|
||
| - name: Install package dependencies | ||
| run: npm install | ||
| working-directory: ./sdk/javascript/packages/aws | ||
|
|
||
| - name: Install Syft | ||
| run: | | ||
| echo "Installing Syft v1.18.1..." | ||
| curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /tmp/bin v1.18.1 | ||
| echo "/tmp/bin" >> $GITHUB_PATH | ||
|
|
||
| - name: Install Manifest CLI | ||
| run: | | ||
| echo "Installing Manifest CLI v0.18.3..." | ||
| curl -sSfL https://raw.githubusercontent.com/manifest-cyber/cli/main/install.sh | sh -s -- -b /tmp/bin v0.18.3 | ||
|
|
||
| - name: Create Syft configuration | ||
| run: | | ||
| cat > syft-config.yaml << 'EOF' | ||
| package: | ||
| search: | ||
| scope: all-layers | ||
| cataloger: | ||
| enabled: true | ||
| java: | ||
| enabled: false | ||
| python: | ||
| enabled: false | ||
| nodejs: | ||
| enabled: true | ||
| EOF | ||
|
|
||
| - name: Generate and upload SBOM | ||
| env: | ||
| MANIFEST_API_KEY: ${{ secrets.MANIFEST_TOKEN }} | ||
| run: | | ||
| JAVASCRIPT_SDK_DIR="./sdk/javascript" | ||
|
|
||
| # Get version from package.json | ||
| echo "Detecting AWS Storage version..." | ||
| if [ -f "${JAVASCRIPT_SDK_DIR}/packages/aws/package.json" ]; then | ||
| VERSION=$(grep -o '"version": "[^"]*"' "${JAVASCRIPT_SDK_DIR}/packages/aws/package.json" | cut -d'"' -f4) | ||
| echo "Detected version: ${VERSION}" | ||
| else | ||
| VERSION="1.0.0" | ||
| echo "Could not detect version, using default: ${VERSION}" | ||
| fi | ||
|
|
||
| echo "Generating SBOM with Manifest CLI..." | ||
| /tmp/bin/manifest sbom "${JAVASCRIPT_SDK_DIR}/packages/aws" \ | ||
| --generator=syft \ | ||
| --name=keeper-secrets-manager-javascript-storage-aws-kms \ | ||
| --version=${VERSION} \ | ||
| --output=spdx-json \ | ||
| --file=aws-storage-sbom.json \ | ||
| --api-key=${MANIFEST_API_KEY} \ | ||
| --publish=true \ | ||
| --asset-label=application,sbom-generated,nodejs,aws-storage \ | ||
| --generator-config=syft-config.yaml | ||
|
|
||
| echo "SBOM generated and uploaded successfully: aws-storage-sbom.json" | ||
| echo "---------- SBOM Preview (first 20 lines) ----------" | ||
| head -n 20 aws-storage-sbom.json | ||
|
|
||
| publish-npm: |
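Review bot: the two installer steps pipe `install.sh` fetched from the `main` branch of each upstream repository straight into `sh`, so the script that runs is whatever that branch holds at the time, unpinned and unverified, even though the binaries it fetches are pinned (v1.18.1, v0.18.3); download the pinned release artifact and verify its published checksum before executing, or vendor the installer script into the repo. Two smaller points in the SBOM step: the `VERSION="1.0.0"` fallback silently publishes an SBOM under a possibly wrong version when `package.json` is missing, so failing the step is safer, and `--api-key=${MANIFEST_API_KEY}` puts the secret into the process argument list; if the CLI can read it from the `MANIFEST_API_KEY` variable already set in `env:`, prefer that.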
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix (AI, about 1 month ago):
In general, the fix is to add an explicit permissions: block that grants only the minimal required access for the GITHUB_TOKEN. Since neither job interacts with repository contents in a write fashion (no pushes, releases, PR updates, etc.), we can safely set contents: read only. This both adheres to least privilege and documents the intended permissions.
The single best way here, without changing existing behavior, is to add a workflow‑level permissions: block, right after the name: or on: section. This will apply to all jobs that don’t define their own permissions: block. For this workflow, a minimal and appropriate configuration is:
permissions:
  contents: read

This gives the jobs just enough permission for actions (like actions/checkout) that rely on reading repository contents, while disallowing writes. No imports, methods, or additional YAML keys are needed beyond inserting this permissions mapping into .github/workflows/publish.npm.storage.aws.kms.yml.
| @@ -1,4 +1,6 @@ | ||
| name: Publish AWS Storage to NPM | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| workflow_dispatch: | ||
| inputs: |
Fixes GHSA-7h2j-956f-4vf2 (CVE-2026-25547) DoS vulnerability
Release of @keeper-security/secrets-manager-aws v1.0.0
AWS Key Management Service integration for secure storage of Keeper Secrets Manager configuration.
Dependencies:
Closes https://keeper.atlassian.net/browse/KSM-703