sec: repo hygiene (pin actions, dependabot cooldown, postcss CVE) #18
Merged
Conversation
Repo-hygiene findings from the Svalinn scan (semgrep + trivy). No control-plane runtime change; these are CI/deps/config only. Handled in the human lane because Brokk's forge cannot push .github/workflows/* — its GitHub App lacks the `workflows` permission (its earlier run on the action-tag card was remote-rejected on push).

- Pin GitHub Actions to full SHAs (semgrep github-actions-mutable-action-tag, 6 occurrences): actions/checkout, pnpm/action-setup, actions/setup-node in ci.yml; actions/checkout + github/codeql-action init/analyze in codeql.yml. Mutable tags can be silently repointed by the action owner (supply chain). Dependabot's github-actions ecosystem (already configured) keeps them current.
- Dependabot cooldown (semgrep dependabot-missing-cooldown): a 7-day default-days on both update entries so a freshly published — possibly compromised — version isn't proposed until it has aged.
- postcss CVE-2026-41305 (trivy): the vulnerable postcss@8.4.31 was pinned transitively by next@15.5.19 (the panel's direct postcss is already 8.5.15). Add a pnpm override postcss@8.4.31 -> 8.5.15, deduping to the version already exercised by the tailwind/autoprefixer chain in this same build.

Note: CI workflows are currently dormant (GitHub Actions quota exhausted) — pinning is still valid supply-chain hygiene and future-proofs re-enablement.

Findings: semgrep #16-21, #23-24, trivy postcss. See remediation log.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Repo hygiene (semgrep + trivy). No control-plane runtime change; CI/deps/config only. Human lane because Brokk's forge cannot push `.github/workflows/*` (its GitHub App lacks the `workflows` permission; the earlier run on the action-tag card was remote-rejected on push).

- cooldown: `default-days: 7` on both entries
- `postcss@8.4.31 -> 8.5.15` (was pinned transitively by `next@15.5.19`; the panel's direct dependency is already 8.5.15)

Verification

- `pnpm install --frozen-lockfile` in the panel passes; the lockfile has no resolution block for 8.4.31 (deduped to 8.5.15, the version already used by tailwind/autoprefixer in the same build).
- `# v4` / `# v3`; dependabot (github-actions ecosystem already configured) keeps them up to date.

Notes

- `unsafe-formatstring` (worker + example) and `npm-missing-minimum-release-age` are not included here: triaged as false-positive / wontfix (see log).

🤖 Generated with Claude Code
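As an added example, not code from this PR or from the Svalinn scan, the following Python checker reproduces the two semgrep findings the PR fixes (mutable action tags and a missing dependabot cooldown) and shows the text rewrite that produces the `uses: owner/repo@<sha> # v4` form. The `SAMPLE_CI` and `SAMPLE_DEPENDABOT` strings are constructed here, not the repository's real files; `PLACEHOLDER_SHA` is a zero-filled stand-in, not a real commit of any action; and `pin_uses_line` takes the SHA as an argument because resolving a tag to a commit needs network access (for instance `git ls-remote` against the action's repository), which this offline example does not do. The pnpm override is not modelled.

```python
import re

# A ref counts as pinned only when the part after '@' is a full 40-hex commit SHA.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# group1: indentation + "- uses: "; group2: the action spec; group3: optional trailing comment.
USES_RE = re.compile(r"^(\s*(?:-\s*)?uses:\s*)(\S+)(\s*#.*)?$")

# Placeholder SHA for the constructed sample below; not a real commit of any action.
PLACEHOLDER_SHA = "0" * 40

# Constructed sample workflow (not the repository's ci.yml): two mutable tags,
# one step already pinned with the trailing "# v4" comment convention, one local action.
SAMPLE_CI = f"""name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@{PLACEHOLDER_SHA} # v4
      - uses: ./.github/actions/local-step
      - run: pnpm install --frozen-lockfile
"""

# Constructed sample dependabot.yml: only the first update entry has a cooldown.
SAMPLE_DEPENDABOT = """version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
  - package-ecosystem: "npm"
    directory: "/panel"
    schedule:
      interval: "weekly"
"""


def find_unpinned_uses(workflow_text):
    """Return [(line_no, spec)] for every `uses:` whose ref is not a full commit SHA.

    Local actions (./path) have no upstream ref to pin and are skipped; a docker://
    reference would need an image digest instead, which this check does not cover.
    """
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(2)
        if spec.startswith(("./", "docker://")):
            continue
        ref = spec.rsplit("@", 1)[1] if "@" in spec else ""
        if not SHA_RE.match(ref):
            findings.append((n, spec))
    return findings


def pin_uses_line(line, sha, tag):
    """Rewrite `uses: owner/repo@<tag>` to `uses: owner/repo@<sha> # <tag>`.

    The caller supplies the SHA it resolved for <tag>; this only applies the text change.
    """
    m = USES_RE.match(line)
    if not m or not SHA_RE.match(sha):
        raise ValueError("not a uses: line, or sha is not a 40-hex commit id")
    action = m.group(2).rsplit("@", 1)[0]
    return f"{m.group(1)}{action}@{sha} # {tag}"


def ecosystems_missing_cooldown(dependabot_text, min_days=7):
    """Return package-ecosystem names whose entry lacks cooldown.default-days >= min_days.

    Line-based on purpose so the example needs no YAML library; each `- package-ecosystem:`
    line starts a new entry and a `default-days:` line inside it records its cooldown.
    """
    missing = []
    current, days = None, None
    for line in dependabot_text.splitlines():
        s = line.strip()
        if s.startswith("- package-ecosystem:"):
            if current is not None and (days is None or days < min_days):
                missing.append(current)
            current = s.split(":", 1)[1].strip().strip("\"'")
            days = None
        elif current is not None and s.startswith("default-days:"):
            days = int(s.split(":", 1)[1].strip())
    if current is not None and (days is None or days < min_days):
        missing.append(current)
    return missing


if __name__ == "__main__":
    for n, spec in find_unpinned_uses(SAMPLE_CI):
        print(f"ci.yml:{n}: mutable action ref {spec}")
    for eco in ecosystems_missing_cooldown(SAMPLE_DEPENDABOT):
        print(f"dependabot.yml: {eco} entry has no 7-day cooldown")
```

Run on the two samples it reports `actions/checkout@v4` and `pnpm/action-setup@v4` as mutable refs and the `npm` entry as lacking a cooldown; the already-pinned setup-node step and the local action are silent. Keeping the original tag in the trailing comment is what lets Dependabot's github-actions updater recognise which release a SHA corresponds to when it proposes a newer commit.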