feat: add missing security workflows (dependency-review, trivy, zizmor)#56
feat: add missing security workflows (dependency-review, trivy, zizmor)#56
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Set Complaice |
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 862d41e3e7
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
.github/workflows/zizmor.yml
Outdated
| zizmor --format plain .github/workflows/ | ||
| EXIT_CODE=$? |
There was a problem hiding this comment.
This step currently runs zizmor --format plain .github/workflows/ as a standalone command, but GitHub Actions executes run scripts with bash -e, so a non-zero zizmor exit (i.e., findings detected) aborts the script before EXIT_CODE=$? and the warning path run. In practice, workflow-security findings will fail the job and block the PR, which contradicts the documented advisory intent for this workflow.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Pull request overview
Adds the missing GitHub Actions security workflows referenced in the repo’s compliance/security documentation, closing the gap between documented controls and implemented controls.
Changes:
- Adds a Dependency Review workflow to block PRs that introduce HIGH/CRITICAL vulnerable dependencies.
- Adds a Trivy filesystem scan workflow that uploads SARIF results to GitHub Code Scanning (with fork-PR upload safeguards).
- Adds a zizmor workflow to audit workflow-file changes in advisory mode.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
.github/workflows/dependency-review.yml |
Adds dependency diff vulnerability gating for PRs into master/work. |
.github/workflows/trivy.yml |
Adds Trivy FS scanning and SARIF upload to Code Scanning with fork-PR upload skip logic. |
.github/workflows/zizmor.yml |
Adds advisory zizmor auditing for changes under .github/workflows/**. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| run: | | ||
| zizmor --format plain .github/workflows/ | ||
| EXIT_CODE=$? | ||
| if [ $EXIT_CODE -ne 0 ]; then | ||
| echo "::warning::zizmor found workflow security findings (advisory). Review the output above before merging." | ||
| fi | ||
| exit 0 |
| permissions: | ||
| contents: read | ||
| security-events: write | ||
|
|
||
| jobs: | ||
| trivy: | ||
| name: Trivy filesystem scan | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| with: | ||
| persist-credentials: false | ||
|
|
||
| - name: Run Trivy filesystem scan | ||
| uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.30.0 |
|
This is a strong narrow candidate for near-term merge pending focused human review of workflow permissions and SARIF behavior. |
|
This is a strong, narrow candidate for near-term merge pending focused human review of workflow permissions and SARIF behavior. |
chrismaz11
added
the
merge-soon
Co-authored-by: chrismaz11 <24700273+chrismaz11@users.noreply.github.com>
chrismaz11
force-pushed
the
copilot/setup-trustsignal-dev-org
branch
from
e9c90fb to
774b905
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 774b905bf7
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| branches: | ||
| - master | ||
| - work |
There was a problem hiding this comment.
This trigger only matches PRs into master/work, so PRs targeting main will never execute the blocking dependency diff check. Given the repository’s branch-protection guidance and required-check setup are defined for main, this leaves the intended high/critical dependency gate inactive on the branch where merges are expected; include main (or remove the branch filter) so the control actually enforces there.
Useful? React with 👍 / 👎.
| - master | ||
| - work | ||
| pull_request: | ||
| branches: | ||
| - master |
There was a problem hiding this comment.
The Trivy workflow is scoped to master/work, so it will not run for activity on main; that means no filesystem scan and no SARIF refresh for the primary protected branch described in the repo docs. Add main to both push and pull_request branch filters (or broaden the trigger) to avoid silently losing security coverage on the branch used for compliance checks.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a6441e5c26
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if (!parsed.password) { | ||
| parsed.password = encodeURIComponent(supabasePassword); |
There was a problem hiding this comment.
In the SUPABASE_DB_PASSWORD fallback path, this check only injects the provided password when parsed.password is empty, but Supabase pooler URLs can contain placeholder credentials like [YOUR-PASSWORD] that parse as a non-empty password. In that case, DATABASE_URL is set to a URL with invalid credentials and Prisma startup/auth fails even though the real password is present in SUPABASE_DB_PASSWORD. Treat placeholder/stale passwords as missing (or overwrite unconditionally in this fallback branch).
Useful? React with 👍 / 👎.
| path.resolve(process.cwd(), '../../.env.local'), | ||
| path.resolve(process.cwd(), '../../.env') |
There was a problem hiding this comment.
These fallback candidates walk two directories up from the current working directory; when the API is started from the repository root, they resolve to /.env.local and /.env. That allows unrelated host-level env files to be loaded and silently influence runtime configuration (including DB credentials), making environment resolution nondeterministic across runners and developer machines. Limit fallback paths to known project locations instead of traversing above repo root.
Useful? React with 👍 / 👎.
Three GitHub Actions security workflows referenced throughout compliance docs (
security-workflows.md,github-settings-checklist.md,security-posture.md) did not exist in the repo, creating a gap between documented controls and implemented controls. This resolves that gap.Changes
.github/workflows/dependency-review.yml— blocks PRs onmaster/workthat introduce HIGH/CRITICAL dependency vulnerabilities viaactions/dependency-review-action@v4.7.1.github/workflows/trivy.yml— filesystem scan on every push/PR; uploads SARIF to code scanning; SARIF upload skipped on forked PRs to avoid permissions failure; advisory (non-blocking).github/workflows/zizmor.yml— audits/.github/workflows/**changes for workflow security issues viapip install zizmor; advisory, emits::warning::annotation on findings rather than failing the jobAll three workflows:
persist-credentials: falseon checkoutpermissions: contents: readat workflow level;security-events: writeadded only where SARIF upload requires itWhat still requires manual GitHub UI action
Branch protection rulesets, Dependabot alerts, secret scanning, and CodeQL default setup — see
docs/github-settings-checklist.md.AI Disclosure (optional)
Review Checklist
💬 Send tasks to Copilot coding agent from Slack and Teams to turn conversations into code. Copilot posts an update in your thread when it's finished.