CI/CD security baseline: CodeQL config, SBOM submission, markdown/changelog gates#61
Conversation
Reviewer's GuideEstablishes a CI/CD security baseline by centralizing CodeQL configuration, submitting SBOM-based dependency snapshots to GitHub, tightening markdown/changelog linting in the main lint gate, documenting the plan, and refreshing workflow action pins to current, maintained commits. Sequence diagram for SBOM generation and dependency snapshot submissionsequenceDiagram
participant GH as GitHub_Events
participant SBW as sbom_workflow
participant Repo as Repository
participant NPM as npm_CLI
participant Anchore as anchore_sbom_action
participant DepGraph as GitHub_Dependency_Graph
GH->>SBW: Trigger sbom.yml (push / manual)
SBW->>Repo: Checkout code
SBW->>NPM: npm ci
NPM-->>SBW: Dependencies installed
SBW->>NPM: npm run sbom
NPM-->>Repo: Write CycloneDX SBOM (dist/security/sbom/sbom.cyclonedx.json)
SBW->>SBW: Upload CycloneDX SBOM artifact
SBW->>SBW: Ensure SBOM output directory
SBW->>Anchore: Run sbom-action (path ., format spdx-json, dependency-snapshot true)
Anchore->>Repo: Generate SPDX SBOM (dist/security/sbom/sbom.spdx.json)
Anchore->>DepGraph: Submit dependency snapshot
DepGraph-->>Anchore: Snapshot accepted
Anchore-->>SBW: Action completed
Class diagram for validate-changelog.js module structureclassDiagram
class ValidateChangelogModule {
<<module>>
+string ROOT_DIR
+string DEFAULT_CHANGELOG_PATH
+RegExp RELEASE_HEADING_PATTERN
+RegExp SECTION_HEADING_PATTERN
+Set ALLOWED_SECTION_HEADINGS
+Set STANDARD_SECTION_HEADINGS
+boolean isValidIsoDate(value)
+ReleaseHeading[] collectReleaseHeadings(lines)
+SectionHeading[] collectSectionHeadings(lines, startLineIndex, endLineIndex)
+string[] validateChangelogContent(content)
+string[] validateChangelogFile(changelogPath)
+void run()
}
class ReleaseHeading {
+number lineIndex
+number lineNumber
+string version
+string date
}
class SectionHeading {
+number lineIndex
+number lineNumber
+string name
}
ValidateChangelogModule "*" o-- ReleaseHeading : uses
ValidateChangelogModule "*" o-- SectionHeading : uses
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
Warning Rate limit exceeded
⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. 📝 WalkthroughWalkthroughThis PR introduces CI/CD security enhancements including CodeQL configuration, GitHub Actions version updates across multiple workflows, markdown and changelog validation tooling, SBOM generation capabilities, and supporting documentation and test coverage for the new validation infrastructure. Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~28 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Review Summary by QodoCI/CD security baseline: CodeQL config, SBOM submission, changelog validation
WalkthroughsDescription• Add changelog validator script with comprehensive format checks • Implement markdown style linting via markdownlint-cli configuration • Create CodeQL centralized config to exclude generated build artifacts • Update SBOM workflow to submit dependency snapshot to GitHub security • Refresh all GitHub Actions pins to current maintained release commits Diagramflowchart LR
A["Changelog Validator"] --> B["Lint Gate"]
C["Markdown Style Lint"] --> B
D["CodeQL Config"] --> E["Code Scanning"]
F["SBOM Generation"] --> G["Dependency Snapshot"]
G --> H["GitHub Security"]
I["Action Pins"] --> J["Maintained Versions"]
B --> K["CI/CD Baseline"]
E --> K
H --> K
J --> K
File Changes1. scripts/validate-changelog.js
|
Summary of ChangesHello @Mehdi-Bl, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances the project's CI/CD security and quality posture. It establishes a robust security baseline by integrating static code analysis with CodeQL, improving software supply-chain visibility through SBOM submission, and enforcing documentation quality standards with new markdown and changelog validation gates. These changes aim to proactively identify vulnerabilities and maintain high code and documentation quality. Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Changelog
Ignored Files
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. |
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hey - I've left some high level feedback:
- The
lintscript now always runschangelog:validate, which will fail ifCHANGELOG.mdis missing; consider either skipping validation when the file is absent or providing a separate CI-only script so local linting remains usable in freshly cloned or experimental branches. - The
markdownlintinvocation targets"**/*.{md,mdx}"while only ignoringnode_modulesanddist; you may want to extend the ignore set (e.g.,coverage,build, generated docs) to avoid enforcing style on generated Markdown artifacts.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The `lint` script now always runs `changelog:validate`, which will fail if `CHANGELOG.md` is missing; consider either skipping validation when the file is absent or providing a separate CI-only script so local linting remains usable in freshly cloned or experimental branches.
- The `markdownlint` invocation targets `"**/*.{md,mdx}"` while only ignoring `node_modules` and `dist`; you may want to extend the ignore set (e.g., `coverage`, `build`, generated docs) to avoid enforcing style on generated Markdown artifacts.Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a solid baseline for CI/CD security and quality. The addition of a CodeQL configuration, markdown linting, and changelog validation significantly improves the project's maintainability and robustness. The new documentation in docs/plan/cicd_security.md is clear and provides a great overview of the implemented quality gates. I've added a few suggestions to further improve the new changelog validation script and to optimize the execution of the new linting tasks.
| "lint": "cross-env ESLINT_USE_FLAT_CONFIG=false eslint src tests --ext .js,.jsx,.ts,.tsx --cache && npm run lint:md && npm run changelog:validate", | ||
| "lint:md": "npm run lint:md:links && npm run lint:md:style", |
There was a problem hiding this comment.
The lint and lint:md scripts run their sub-tasks sequentially using &&. Since these linting tasks (ESLint, markdown links, markdown style, changelog validation) are independent, you could run them in parallel to potentially speed up the overall linting process. You already have concurrently in your devDependencies, which would be perfect for this.
To do this, you would need to extract the eslint command into its own script (e.g., eslint-main), and then orchestrate the parallel execution as shown in the suggestion.
| "lint": "cross-env ESLINT_USE_FLAT_CONFIG=false eslint src tests --ext .js,.jsx,.ts,.tsx --cache && npm run lint:md && npm run changelog:validate", | |
| "lint:md": "npm run lint:md:links && npm run lint:md:style", | |
| "lint": "concurrently \"npm:eslint-main\" \"npm:lint:md\" \"npm:changelog:validate\"", | |
| "lint:md": "concurrently \"npm:lint:md:links\" \"npm:lint:md:style\"", |
| const RELEASE_HEADING_PATTERN = /^##\s+\[(v?\d+\.\d+\.\d+(?:-[A-Za-z0-9.-]+)?)\]\s+-\s+(\d{4}-\d{2}-\d{2})\s*$/; | ||
| const SECTION_HEADING_PATTERN = /^###\s+(.+?)\s*$/; |
There was a problem hiding this comment.
For improved readability and maintainability, you could use named capture groups for these regular expressions. This makes the intent of the captured groups explicit and avoids relying on index-based access later in the code.
| const RELEASE_HEADING_PATTERN = /^##\s+\[(v?\d+\.\d+\.\d+(?:-[A-Za-z0-9.-]+)?)\]\s+-\s+(\d{4}-\d{2}-\d{2})\s*$/; | |
| const SECTION_HEADING_PATTERN = /^###\s+(.+?)\s*$/; | |
| const RELEASE_HEADING_PATTERN = /^##\s+\[(?<version>v?\d+\.\d+\.\d+(?:-[A-Za-z0-9.-]+)?) \]\s+-\s+(?<date>\d{4}-\d{2}-\d{2})\s*$/; | |
| const SECTION_HEADING_PATTERN = /^###\s+(?<name>.+?)\s*$/; |
| return false; | ||
| } | ||
|
|
||
| const [year, month, day] = value.split('-').map((part) => Number(part)); |
There was a problem hiding this comment.
You can simplify this mapping by passing the Number constructor directly to map.
| const [year, month, day] = value.split('-').map((part) => Number(part)); | |
| const [year, month, day] = value.split('-').map(Number); |
| version: match[1], | ||
| date: match[2], |
There was a problem hiding this comment.
With the change to use named capture groups in RELEASE_HEADING_PATTERN, you can now access the captured values by name, which is more readable and less error-prone than using indices.
| version: match[1], | |
| date: match[2], | |
| version: match.groups.version, | |
| date: match.groups.date, |
| headings.push({ | ||
| lineIndex: index, | ||
| lineNumber: index + 1, | ||
| name: match[1], |
There was a problem hiding this comment.
With the change to use a named capture group in SECTION_HEADING_PATTERN, you can access the captured value by name for better code clarity.
| name: match[1], | |
| name: match.groups.name, |
Code Review by Qodo
1. SBOM PR write permission
|
![qodo-free-for-open-source-projects[bot]](https://avatars.githubusercontent.com/in/1068000?s=60&v=4){kind=small}
|
|
||
| permissions: | ||
| contents: read | ||
| contents: write |
There was a problem hiding this comment.
1. Sbom pr write permission 🐞 Bug ⛨ Security
.github/workflows/sbom.yml now grants contents: write at workflow scope while also running on pull_request, which is broader than necessary and increases risk if PR code paths are abused. The dependency snapshot step is guarded, but the write-scoped token still applies to the whole job; this should be split/scoped to non-PR contexts or a separate job with elevated permissions only when needed.
Agent Prompt
### Issue description
`.github/workflows/sbom.yml` grants `contents: write` for all triggers including `pull_request`. Even though the dependency snapshot submission step is gated, the elevated token permission is still present for the whole job.
### Issue Context
Only the dependency snapshot submission needs elevated privileges; CycloneDX SBOM artifact generation and upload do not.
### Fix Focus Areas
- .github/workflows/sbom.yml[1-53]
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
| if (index === 0) { | ||
| if (sectionHeadings.length === 0) { | ||
| errors.push( | ||
| `Latest release ${release.version} must include at least one section heading (for example: Added, Changed, Improved, Fixed, Security).` | ||
| ); | ||
| continue; | ||
| } | ||
|
|
||
| const hasStandardSection = sectionHeadings.some((section) => | ||
| STANDARD_SECTION_HEADINGS.has(section.name) | ||
| ); | ||
| if (!hasStandardSection) { | ||
| errors.push( | ||
| `Latest release ${release.version} must include at least one standard section heading: Added, Changed, Improved, Fixed, or Security.` | ||
| ); | ||
| } |
There was a problem hiding this comment.
2. Release script vs changelog gate 🐞 Bug ✓ Correctness
The new changelog validator requires the *latest* release entry to contain at least one ### section heading (e.g., Added/Fixed), and npm run lint now enforces it. However, the existing release automation (scripts/lib/release.js) generates new changelog entries without any ### sections, so using the release script will produce a CHANGELOG that fails the new lint gate.
Agent Prompt
### Issue description
Changelog validation now requires section headings for the latest release, but the existing release automation writes entries without them. This makes the release script produce a CHANGELOG that fails `npm run lint`.
### Issue Context
- Validator requires at least one `###` section heading for the latest release.
- `npm run lint` now runs `changelog:validate`.
- `scripts/lib/release.js` currently writes only `## [vX.Y.Z] - YYYY-MM-DD` + bullet list.
### Fix Focus Areas
- scripts/lib/release.js[83-89]
- scripts/validate-changelog.js[126-141]
- package.json[20-24]
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
|
1 participant
Summary
Validation
Summary by Sourcery
Strengthen the CI/CD security and quality baseline by centralizing CodeQL configuration, enforcing documentation and changelog linting in the lint gate, and wiring SBOM generation into GitHub dependency graph submission while refreshing workflow action pins.
New Features:
Enhancements:
Build:
Tests:
Summary by CodeRabbit
Release Notes
Documentation
Chores
Tests