Skip to content

chore: add security scans #76

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore: add security scans #76

wants to merge 1 commit into from

Conversation

@GabrielVasilescu04
Copy link

Description

Add FOSSA and CODEQL scans to the CI pipeline. Scans should only run on merges to main and if the CI is manually run

@GabrielVasilescu04 GabrielVasilescu04 self-assigned this Oct 7, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 7, 2025
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 9, 2025
View reviewed changes
.github/workflows/ci.yml

test:
uses: ./.github/workflows/test.yml
uses: ./.github/workflows/test.yml

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 16 days ago

To fix the problem:

  • Add an explicit permissions: block at the top-level of .github/workflows/ci.yml, just below the workflow's name. This will ensure all jobs, except those with their own permissions block, have the minimum necessary privileges.
  • As a general least-privilege starting point, set contents: read, which is sufficient for most workflows needing to fetch code but not to write anything back to the repository or act on issues, etc.
  • If any downstream jobs/workflows specifically require additional permission, those should have their own explicit job-level permissions block.
  • To implement: Insert the following lines after name: CI and before on:.
Suggested changeset 1
.github/workflows/ci.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,4 +1,6 @@
 name: CI
+permissions:
+  contents: read
 
 on:
   push:
EOF
@@ -1,4 +1,6 @@
name: CI
permissions:
contents: read

on:
push:
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@radu-mocanu radu-mocanu radu-mocanu approved these changes

@cristipufu cristipufu Awaiting requested review from cristipufu

Assignees

@GabrielVasilescu04 GabrielVasilescu04

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@GabrielVasilescu04 @radu-mocanu