Appel420 patch 5 #980
Conversation
This workflow triggers APIsec scans on push and pull request events for the main branch, and allows manual execution. It includes steps for running the scan and uploading results in SARIF format.
This workflow integrates Appknox for mobile application security testing and includes steps for building the app and uploading SARIF reports.
Pull Request Overview
This PR bumps the package version from 1.0.667 to 1.0.668 and adds two new GitHub Actions workflow files for security scanning (Appknox and APIsec). The workflows appear to be intended for mobile app and API security testing, which don't align with this JavaScript/TypeScript library project.
- Version bump to 1.0.668
- Addition of Appknox workflow for mobile security testing
- Addition of APIsec workflow for API security testing
Reviewed Changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| package.json | Version incremented to 1.0.668 |
| package-lock.json | Lockfile version updated to match package.json |
| .github/workflows/appknox.yml | New workflow for mobile app security scanning with Appknox |
| .github/workflows/apisec-scan.yml | New workflow for API security testing with APIsec |
| - name: Grant execute permission for gradlew | ||
| run: chmod +x gradlew | ||
| - name: Build the app | ||
| run: ./gradlew build # Update this to build your Android or iOS application | ||
| - name: Appknox GitHub action | ||
| uses: appknox/appknox-github-action@b7d2bfb2321d5544e97bffcba48557234ab953a4 | ||
| with: | ||
| appknox_access_token: ${{ secrets.APPKNOX_ACCESS_TOKEN }} | ||
| file_path: app/build/outputs/apk/debug/app-debug.apk # Specify the path to your .ipa or .apk here | ||
| risk_threshold: MEDIUM # Update this to desired risk threshold [LOW, MEDIUM, HIGH, CRITICAL] | ||
| sarif: Enable | ||
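Review bot: `run: ./gradlew build` under `- name: Build the app` has no Gradle wrapper to call in this repository, so the job fails before the Appknox step is reached and no SARIF is ever uploaded; the `file_path` the action expects (`app/build/outputs/apk/debug/app-debug.apk`) is likewise never created by any earlier step. Either remove this workflow or rework it around an artifact the repository can actually build. Pinning `appknox/appknox-github-action` to a full commit SHA is the right call and should be kept if the step survives.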
Copilot (AI), Oct 29, 2025
This workflow attempts to build a mobile application using gradlew, but this is a Node.js/TypeScript library project without any Gradle build files or mobile app components. The workflow will fail at line 37 as gradlew does not exist in this repository.
| - name: Grant execute permission for gradlew | |
| run: chmod +x gradlew | |
| - name: Build the app | |
| run: ./gradlew build # Update this to build your Android or iOS application | |
| - name: Appknox GitHub action | |
| uses: appknox/appknox-github-action@b7d2bfb2321d5544e97bffcba48557234ab953a4 | |
| with: | |
| appknox_access_token: ${{ secrets.APPKNOX_ACCESS_TOKEN }} | |
| file_path: app/build/outputs/apk/debug/app-debug.apk # Specify the path to your .ipa or .apk here | |
| risk_threshold: MEDIUM # Update this to desired risk threshold [LOW, MEDIUM, HIGH, CRITICAL] | |
| sarif: Enable | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Build the project | |
| run: npm run build | |
| # Update the following Appknox step as needed for your project. | |
| # If you do not produce a mobile app artifact (apk/ipa), you may need to remove or adjust this step. | |
| # - name: Appknox GitHub action | |
| # uses: appknox/appknox-github-action@b7d2bfb2321d5544e97bffcba48557234ab953a4 | |
| # with: | |
| # appknox_access_token: ${{ secrets.APPKNOX_ACCESS_TOKEN }} | |
| # file_path: <path-to-your-artifact> # Specify the path to your .ipa or .apk here, or remove if not applicable | |
| # risk_threshold: MEDIUM # Update this to desired risk threshold [LOW, MEDIUM, HIGH, CRITICAL] | |
| # sarif: Enable |
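Review bot: the suggested replacement leaves the Appknox step entirely commented out with a `<path-to-your-artifact>` placeholder, so the file becomes a workflow that runs `npm ci` and `npm run build` and never uploads anything to Appknox; keeping it gives the appearance of a mobile security scan that does not exist. If no apk/ipa artifact is produced, deleting `.github/workflows/appknox.yml` is clearer than carrying dead configuration that someone may later assume is providing coverage.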
| uses: appknox/appknox-github-action@b7d2bfb2321d5544e97bffcba48557234ab953a4 | ||
| with: | ||
| appknox_access_token: ${{ secrets.APPKNOX_ACCESS_TOKEN }} | ||
| file_path: app/build/outputs/apk/debug/app-debug.apk # Specify the path to your .ipa or .apk here |
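Review bot: `file_path: app/build/outputs/apk/debug/app-debug.apk` names a Gradle debug build output. Beyond the path not existing in this repository, a debug build is not what ships, so if a mobile artifact scan is ever wired up here it should target the release artifact produced by the same job, not a debug APK.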
Copilot (AI), Oct 29, 2025
This workflow references a non-existent APK file path. This is a Node.js library that does not produce .apk or .ipa files. The Appknox workflow is designed for mobile app security testing and is not applicable to this project.
| # The Password of the APIsec user with which the scans will be executed | ||
| apisec-password: ${{ secrets.apisec_password}} | ||
| # The name of the project for security scan | ||
| apisec-project: "VAmPI" |
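Review bot: `apisec-project: "VAmPI"` is the sample project name carried over from the APIsec template, not this repository, so the scan either targets an unrelated project or fails at lookup. Separately, the step authenticates as a user via `apisec-password: ${{ secrets.apisec_password}}`; that secret should belong to a dedicated scan account with no rights beyond running scans, not a personal login, so that a leak of the workflow secret exposes as little as possible.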
Copilot (AI), Oct 29, 2025
The hardcoded project name 'VAmPI' appears to be from the workflow template/example and does not correspond to this project (@ghostery/trackerdb). This will cause the workflow to scan the wrong project or fail if the VAmPI project doesn't exist in the APIsec account.
| apisec-project: "VAmPI" | |
| apisec-project: "trackerdb" |
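Review bot: the replacement `apisec-project: "trackerdb"` assumes a project with exactly that name is registered in the APIsec account; if it is not, the workflow fails in the same way it would with `VAmPI`. Confirm the configured project name before applying the suggestion, or treat the whole workflow as out of scope for this repository, which is the position the closing comment takes.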
Closing, since it is unclear what problem this is intending to solve. Thus, I have to consider it spam.
No description provided.