Skip to content

chore: add security scans #652

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore: add security scans #652

wants to merge 1 commit into from

Conversation

GabrielVasilescu04
Copy link
Contributor

Description

Add FOSSA and CODEQL scans to the CI pipeline. Scans should only run on merges to main and if the CI is manually run

@GabrielVasilescu04 GabrielVasilescu04 self-assigned this Oct 7, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 7, 2025
View reviewed changes
.github/workflows/ci.yml Outdated
Comment on lines 31 to 32
if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.run_security_scans =='true')
uses: ./.github/workflows/security-scans.yml

Check warning

Code scanning / CodeQL

Workflow does not contain permissions

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{}}

Copilot Autofix

AI 12 days ago

To fix this problem, add a permissions: block at the root level of the workflow (directly under the name line and before the on block). This will ensure all jobs use the minimal GitHub GITHUB_TOKEN permissions unless they (or a called workflow) further restrict or elevate permissions as needed. As a starting point, set contents: read, which is usually sufficient for most workflows unless they need to create issues, manage deployments, etc. Jobs or called workflows that need more permissions can override this with their own permissions block. Edit .github/workflows/ci.yml, inserting

permissions:
  contents: read

after the name: CI line (as line 2), shifting all other lines down by one.

No new methods, imports, or definitions are required for this change.

Suggested changeset 1
.github/workflows/ci.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,4 +1,6 @@
 name: CI
+permissions:
+  contents: read
 
 on:
   push:
EOF
@@ -1,4 +1,6 @@
name: CI
permissions:
contents: read

on:
push:
Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
.github/workflows/security-scans.yml Outdated
languages: python

- name: Setup uv
uses: astral-sh/setup-uv@v5

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow

Unpinned 3rd party Action 'Security Stages' step [Uses Step](1) uses 'astral-sh/setup-uv' with ref 'v5', not a pinned commit hash
.github/workflows/security-scans.yml Outdated
Comment on lines 39 to 56
name: FOSSA Scan
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Run FOSSA scan
uses: fossas/fossa-action@main
with:
api-key: ${{ secrets.FOSSA_API_KEY }}
debug: true

- name: Upload FOSSA artifact
uses: actions/upload-artifact@v4
with:
name: fossa.debug.json.gz
path: ./fossa.debug.json.gz

No newline at end of file

Check warning

Code scanning / CodeQL

Workflow does not contain permissions

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{contents: read}}

Copilot Autofix

AI 12 days ago

To resolve this issue, set an explicit permissions block for the "fossa" job in .github/workflows/security-scans.yml. This restricts the GITHUB_TOKEN to only the minimal privileges needed for this job. The FOSSA scan job generally only requires reading the repository contents for scanning, so setting contents: read is appropriate. Insert the following block just after runs-on: ubuntu-latest and before steps: for the "fossa" job:

permissions:
  contents: read

No imports, methods, or additional variable definitions are necessary. Only a one-block addition to the job definition inside the workflow YAML file is required.

Suggested changeset 1
.github/workflows/security-scans.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/security-scans.yml b/.github/workflows/security-scans.yml
--- a/.github/workflows/security-scans.yml
+++ b/.github/workflows/security-scans.yml
@@ -38,6 +38,8 @@
   fossa:
     name: FOSSA Scan
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
EOF
@@ -38,6 +38,8 @@
fossa:
name: FOSSA Scan
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@v4
Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
.github/workflows/security-scans.yml Outdated
uses: actions/checkout@v4

- name: Run FOSSA scan
uses: fossas/fossa-action@main

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow

Unpinned 3rd party Action 'Security Stages' step [Uses Step](1) uses 'fossas/fossa-action' with ref 'main', not a pinned commit hash
@GabrielVasilescu04 GabrielVasilescu04 changed the title chore: Add FOSSA and CODEQL scans chore: add security scans Oct 7, 2025
@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@radu-mocanu radu-mocanu radu-mocanu approved these changes

@cristipufu cristipufu Awaiting requested review from cristipufu

Assignees

@GabrielVasilescu04 GabrielVasilescu04

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@GabrielVasilescu04 @radu-mocanu