10 changes: 6 additions & 4 deletions .github/workflows/s1-cns-scan.yml
Expand Up @@ -58,40 +58,42 @@
ref: ${{ github.ref }}
filter: tree:0
fetch-depth: 0

- name: Configure SentinelOne Shift Left CLI
run: s1-cns-cli config --service-user-api-token "$S1_TOKEN" --management-console-url "$CONSOLE_URL" --scope-type "$SCOPE_TYPE" --scope-id "$SCOPE_ID" --tag "$TAG"
run: s1-cns-cli config --debug --service-user-api-token "$S1_TOKEN" --management-console-url "$CONSOLE_URL" --scope-type "$SCOPE_TYPE" --scope-id "$SCOPE_ID" --tag "$TAG"
env:
S1_TOKEN: ${{ secrets.S1_API_TOKEN }}
CONSOLE_URL: ${{ secrets.CONSOLE_URL }}
SCOPE_TYPE: ${{ inputs.scope_type }}
SCOPE_ID: ${{ secrets.SCOPE_ID }}
TAG: ${{ inputs.tag }}


- name: Configure git config
run: git config --global --add safe.directory "$PWD"

- name: Run Secret Detector
# Run only on pull requests as we've scans configured to run on pull requests and publish is
# only available on pull requests.
if: github.event_name == 'pull_request' && inputs.secrets_enabled
id: secret-detector
run: s1-cns-cli scan secret -d "$PWD" --pull-request "$SRC" "$DEST" --repo-full-name "$REPO_FULL_NAME" --repo-url "$REPO_URL/$REPO_FULL_NAME" --provider GITHUB --publish-result
run: s1-cns-cli scan secret --debug -d "$PWD" --pull-request "$SRC" "$DEST" --repo-full-name "$REPO_FULL_NAME" --repo-url "$REPO_URL/$REPO_FULL_NAME" --provider GITHUB --publish-result
env:
GODEBUG: http2debug=1
DEST: ${{ github.event.pull_request.base.sha }}
SRC: ${{ github.event.pull_request.head.sha }}

- name: Run IaC Scanner
if: inputs.iac_enabled
run: s1-cns-cli scan iac -d "$PWD" --repo-full-name "$REPO_FULL_NAME" --repo-url "$REPO_URL/$REPO_FULL_NAME" --branch "$BRANCH" --provider GITHUB --publish-result
run: s1-cns-cli scan iac --debug -d "$PWD" --repo-full-name "$REPO_FULL_NAME" --repo-url "$REPO_URL/$REPO_FULL_NAME" --branch "$BRANCH" --provider GITHUB --publish-result
id: iac-scanner
env:
GODEBUG: http2debug=1
BRANCH: ${{ github.head_ref || github.ref_name }}

- name: Run Vulnerability Scanner
if: inputs.vuln_enabled

Check failure on line 95 in .github/workflows/s1-cns-scan.yml

probelabs / Visor: security

security Issue

Enabling verbose debug logging (`--debug` and `GODEBUG=http2debug=1`) for the SentinelOne scanner CLI introduces a critical risk of exposing sensitive data in the GitHub Actions logs. These flags can cause the tool to print secrets, such as the `S1_API_TOKEN`, and other sensitive operational data, which could lead to unauthorized access to the security platform.
Raw output
Remove the `--debug` flags and `GODEBUG` environment variables from the workflow. While the PR is marked as 'DO-NOT-MERGE' and is intended for temporary debugging, committing changes that can expose secrets to any branch is a significant security risk. This PR should be closed without merging, and the branch should be deleted after the debugging session is complete.
id: vuln-scanner

Check warning on line 96 in .github/workflows/s1-cns-scan.yml

probelabs / Visor: architecture

architecture Issue

Hard-coding debug flags directly into workflow steps is a fragile pattern for troubleshooting. This approach requires creating temporary branches and pull requests, and carries a risk of accidentally merging debug configurations into the main branch, potentially exposing sensitive information in logs. A more robust architectural pattern is to use workflow inputs to control debug verbosity dynamically.
Raw output
To make debugging a deliberate, reusable, and safer feature of the CI pipeline, consider refactoring the workflow to use a `workflow_dispatch` input to toggle debug flags. This eliminates the need for temporary code changes.

**Example Implementation:**

1. Add a `workflow_dispatch` trigger with a boolean input:
```yaml
on:
  # ... other triggers
  workflow_dispatch:
    inputs:
      debug_enabled:
        description: 'Enable S1 CLI debug logging'
        type: boolean
        default: false
```

2. Conditionally add the `--debug` flag and `GODEBUG` environment variable in the relevant steps:
```yaml
- name: Configure SentinelOne Shift Left CLI
  # Compare with `== true`: the `inputs` context keeps the boolean type, whereas
  # `github.event.inputs.debug_enabled` is the string 'false' when unchecked, and a
  # non-empty string is truthy, so the bare form would always add `--debug`.
  run: s1-cns-cli config ${{ inputs.debug_enabled == true && '--debug' || '' }} --service-user-api-token "$S1_TOKEN" ...

- name: Run Secret Scanner
  run: s1-cns-cli scan secret ${{ inputs.debug_enabled == true && '--debug' || '' }} -d "$PWD" ...
  env:
    # Empty GODEBUG leaves the Go runtime at its defaults when debugging is off.
    GODEBUG: ${{ inputs.debug_enabled == true && 'http2debug=1' || '' }}
    # ... other env vars
```

Check warning on line 96 in .github/workflows/s1-cns-scan.yml

probelabs / Visor: performance

performance Issue

The added `--debug` flags and `GODEBUG=http2debug=1` environment variable will significantly increase CI job execution time and log volume. While acceptable for temporary debugging, these changes introduce a performance regression and should not be merged into a long-lived branch.
Raw output
Ensure these debugging flags are removed before this branch is merged. The `[DO-NOT-MERGE]` prefix in the pull request title is a good safeguard, but the flags should ultimately be reverted to prevent accidental performance degradation in the main branch.

Check warning on line 96 in .github/workflows/s1-cns-scan.yml

probelabs / Visor: quality

security Issue

Hardcoded debug flags (`--debug` and `GODEBUG=http2debug=1`) have been added. While acceptable for a temporary branch explicitly marked as 'DO-NOT-MERGE', these flags cause verbose logging that can expose sensitive information (like tokens, environment details, or internal application data) in CI output. Merging these changes would create a security risk.
Raw output
Ensure these debugging flags are removed before this branch is ever considered for merging. For future debugging, consider using a GitHub secret to conditionally enable debug mode (e.g., `if: secrets.DEBUG_MODE == 'true'`) to avoid committing them directly to the workflow file.
run: s1-cns-cli scan vuln --repo-full-name "$REPO_FULL_NAME" ${{ inputs.skip_paths != '' && '--skip-paths "$SKIP_PATHS"' || '' }} -d "$PWD"
run: s1-cns-cli scan vuln --debug --repo-full-name "$REPO_FULL_NAME" ${{ inputs.skip_paths != '' && '--skip-paths "$SKIP_PATHS"' || '' }} -d "$PWD"
env:
SKIP_PATHS: ${{ inputs.skip_paths }}
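Review bot: every `--debug` flag and `GODEBUG: http2debug=1` added in this hunk turns on verbose CLI and HTTP/2 transport tracing for steps whose command line (`--service-user-api-token "$S1_TOKEN"`) and authenticated requests carry the service-user token, and GitHub's log masking only redacts the exact string of `secrets.S1_API_TOKEN`, so any encoded, split or partially printed form of it in the trace is readable by anyone with access to the run. Since the branch is already marked DO-NOT-MERGE, gate the flags behind a boolean workflow input instead of committing them, e.g. `run: s1-cns-cli config ${{ inputs.debug_enabled == true && '--debug' || '' }} --service-user-api-token "$S1_TOKEN" ...` with `GODEBUG: ${{ inputs.debug_enabled == true && 'http2debug=1' || '' }}` on the scan steps; compare with `== true`, because a `github.event.inputs` boolean arrives as the string `'false'`, which is truthy.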