Blueshoe 459 security check #2
Open
ElCaptaine wants to merge 10 commits into
Composite GitHub Action with pip-audit and npm audit, automatic package manager detection (pip/poetry/uv), severity filtering, aggregated JSON results with severity_counts, and GitHub Step Summary
Add test fixtures and CI jobs for Python package manager auto-detection
…ration test Optional webhook support for posting raw pip-audit/npm audit JSON to any compatible API. Adds CI test against watchdog.blueshoe.de using repository secret and variable
…nner Single binary scans all lock files directly (requirements.txt, poetry.lock, uv.lock, package-lock.json) — no package manager installation needed. CVSS severity scores included automatically. Webhook reports to /api/reports/osv as single unified payload
…ve unnecessary setup-python
Standalone action (security-scan-container) that scans container images via osv-scanner. Supports Quay.io, AWS ECR, and generic Docker registries. Includes CI test against alpine:3.17.0 as a public image with known CVEs.
Standalone action (security-gitleaks) that detects leaked secrets using gitleaks. Supports git history and directory-only scan modes, custom configs, baselines, and webhook reporting. Includes CI tests with a fake-secret fixture and a clean-scan verification.
The previous EXAMPLE keys are in gitleaks' built-in allowlist and were silently skipped. Also removed the custom config input from the test since default rules detect the new fixture secrets.
Root .gitleaks.toml allowlists the fixture path, causing gitleaks to skip findings. Pass an explicit config without allowlist from the fixture directory. Also add verbose logging to scan script for debugging
…llowlists Previous fake secrets were filtered by gitleaks' built-in stopwords (alphabetical sequences) and regex allowlists. Verified locally that the new values trigger github-pat and generic-api-key rules.
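The aggregation step the commits above describe (CVSS severity banding, a severity_counts summary, a severity threshold gate and a GitHub Step Summary table), as an added example that is not the PR's own scripts. It assumes the osv-scanner JSON layout `results[].packages[].groups[].max_severity` (a CVSS base score as a string), maps scores with the CVSS v3 qualitative bands, and runs on a constructed sample; `SEVERITY_THRESHOLD` is an assumed input name.

```python
import json
import os

# Constructed sample in the shape of `osv-scanner --format json` output (assumed layout).
SAMPLE = {"results": [{"source": {"path": "requirements.txt"}, "packages": [
    {"package": {"name": "pkg-a", "version": "1.0.0", "ecosystem": "PyPI"},
     "groups": [{"ids": ["EXAMPLE-0001"], "max_severity": "9.8"}]},
    {"package": {"name": "pkg-b", "version": "2.3.1", "ecosystem": "PyPI"},
     "groups": [{"ids": ["EXAMPLE-0002", "EXAMPLE-0003"], "max_severity": "5.3"},
                {"ids": ["EXAMPLE-0004"]}]}]}]}  # last group carries no score
LEVELS = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]  # most to least severe

def band(score):
    """CVSS v3.x qualitative rating for a base score; missing/unparseable -> UNKNOWN."""
    try:
        s = float(score)
    except (TypeError, ValueError):
        return "UNKNOWN"
    for floor, name in ((9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (0.1, "LOW")):
        if s >= floor:
            return name
    return "UNKNOWN"  # 0.0 means no rating

def aggregate(report):
    """Flatten results into one finding per advisory group, plus severity_counts."""
    findings = []
    for result in report.get("results", []):
        for pkg in result.get("packages", []):
            meta = pkg.get("package", {})
            for grp in pkg.get("groups", []):  # one group per cluster of aliased advisories
                findings.append({"package": meta.get("name"), "version": meta.get("version"),
                                 "ids": grp.get("ids", []), "severity": band(grp.get("max_severity"))})
    counts = {lvl: sum(f["severity"] == lvl for f in findings) for lvl in LEVELS}
    return {"severity_counts": counts, "findings": findings}

def exceeds(summary, threshold):
    """True if any finding is at or above threshold; UNKNOWN only gates when threshold is UNKNOWN."""
    gate = set(LEVELS[:LEVELS.index(threshold) + 1])
    return any(f["severity"] in gate for f in summary["findings"])

def step_summary(summary):
    """Markdown table for $GITHUB_STEP_SUMMARY, most severe first."""
    rows = ["| Package | Version | Severity | Advisories |", "|---|---|---|---|"]
    for f in sorted(summary["findings"], key=lambda f: LEVELS.index(f["severity"])):
        rows.append(f"| {f['package']} | {f['version']} | {f['severity']} | {', '.join(f['ids'])} |")
    return "\n".join(rows)

if __name__ == "__main__":  # in a job: SEVERITY_THRESHOLD gates, the table goes to the Step Summary
    s = aggregate(SAMPLE)
    print(json.dumps(s["severity_counts"]), step_summary(s), sep="\n")
    raise SystemExit(1 if exceeds(s, os.environ.get("SEVERITY_THRESHOLD", "HIGH")) else 0)
```

In a real job the table would be appended to the file named by `GITHUB_STEP_SUMMARY` instead of printed.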
Summary
- `security-scan` composite action using osv-scanner for dependency vulnerability scanning
- `/api/reports/osv` (compatible with Watchdog)

What's included
- `actions/security-scan/` — action.yml + 5 shell scripts
- `docs/security-scan.md`

What's missing (Phase 2)