feat(security): add CodeQL analysis and pre-release version gate #208

Open
bedatty wants to merge 7 commits into develop from feat/pr-security-scan-codeql-prerelease

Conversation

@bedatty
Contributor

@bedatty bedatty commented Apr 9, 2026

Lerian

GitHub Actions Shared Workflows


Description

Adds two new security capabilities to the pr-security-scan reusable workflow:

  • CodeQL static analysis — opt-in via enable_codeql + codeql_languages inputs. Runs as a separate codeql_scan job in parallel with the existing security_scan job. Scopes analysis to changed paths using codeql-config, then runs init → autobuild → analyze → reporter. Results are posted as a PR comment and uploaded to the GitHub Security tab.
  • Pre-release version gate — enabled by default (enable_prerelease_check: true). New prerelease-check composite scans go.mod, package.json, and Dockerfile for version pins containing -beta or -rc suffixes. Findings are reported via GitHub annotations and step summary, and the workflow fails if any are found.

Additional changes:

  • Bumped all LerianStudio composite refs from @v1.18.0 to @v1.23.1
  • Removed commented-out SARIF upload code (replaced by proper CodeQL integration)
  • Updated notify job to aggregate CodeQL scan results
  • Updated docs/pr-security-scan-workflow.md with new inputs, job descriptions, and usage examples

Type of Change

  • feat: New workflow or new input/output/step in an existing workflow
  • fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)
  • perf: Performance improvement (e.g. caching, parallelism, reduced steps)
  • refactor: Internal restructuring with no behavior change
  • docs: Documentation only (README, docs/, inline comments)
  • ci: Changes to self-CI (workflows under .github/workflows/ that run on this repo)
  • chore: Dependency bumps, config updates, maintenance
  • test: Adding or updating tests
  • BREAKING CHANGE: Callers must update their configuration after this PR

Breaking Changes

None. CodeQL is opt-in (enable_codeql: false by default). Pre-release check is enabled by default but can be disabled via enable_prerelease_check: false.

Testing

  • YAML syntax validated locally
  • Triggered a real workflow run on a caller repository using @develop or the beta tag
  • Verified all existing inputs still work with default values
  • Confirmed no secrets or tokens are printed in logs
  • Checked that unrelated workflows are not affected

Caller repo / workflow run: Pending — composite refs point to @feat/pr-security-scan-codeql-prerelease for testing from caller repos.

Related Issues

Summary by CodeRabbit

  • New Features

    • Optional CodeQL analysis with configurable languages, fail-on-findings, and SARIF upload control
    • Pre-release dependency gate that detects disallowed beta/rc pins and can fail PRs
    • New reusable pre-release check action to scan dependency files and emit findings
  • Updates

    • New workflow inputs and expanded permissions to control CodeQL and pre-release behavior
    • Notifications now reflect combined results from CodeQL and other security scans
    • Upgraded referenced security scan and notifier actions
  • Documentation

    • Updated docs and examples to cover CodeQL usage and the pre-release gate
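The pre-release gate the description above introduces (scan go.mod, package.json and Dockerfile variants for version pins whose semver pre-release identifier starts with a letter, surface each finding as a GitHub annotation, fail when any exist), as an added shell example. It is not the LerianStudio prerelease-check composite, and goes slightly beyond the description in showing why Go pseudo-versions (v0.0.0-2024…-abcdef) are left alone. The function names `find_prerelease_pins`, `count_prerelease_pins`, `prerelease_gate` and `make_sample_repo`, and every sample file, are constructed for this example.

```shell
#!/usr/bin/env sh
# Added example, not the LerianStudio prerelease-check composite: a minimal
# pre-release version gate for go.mod, package.json and Dockerfile variants.
# Function names and sample files are constructed for this example.

# Semver with a pre-release identifier that starts with a letter (-beta, -rc.1,
# -alpha2). Go pseudo-versions (v0.0.0-20240101000000-0123456789ab) start the
# pre-release part with a digit and are deliberately not matched.
PRERELEASE_RE='v?[0-9]+\.[0-9]+\.[0-9]+-[A-Za-z][A-Za-z0-9.]*'

# Print one "file:line:match" per pre-release pin under directory $1.
# Only the dependency files the gate covers are scanned; other files are ignored.
find_prerelease_pins() {
  find "$1" -type f \( -name go.mod -o -name package.json -o -name Dockerfile \
      -o -name '*.dockerfile' -o -name 'Dockerfile.*' \) \
    -exec grep -HnoE "$PRERELEASE_RE" {} + 2>/dev/null || true
}

# Number of findings under directory $1 (0 when clean).
count_prerelease_pins() {
  find_prerelease_pins "$1" | grep -c . || true
}

# Emit one GitHub warning annotation per finding, then fail (return 1) when any
# pre-release pin exists, mirroring the "Gate - Fail on Pre-release Versions" step.
prerelease_gate() {
  findings="$(find_prerelease_pins "$1")"
  count="$(printf '%s\n' "$findings" | grep -c . || true)"
  printf '%s\n' "$findings" | while IFS=: read -r file line match; do
    [ -n "$file" ] || continue
    # Workflow command: GitHub renders this inline on the PR diff.
    echo "::warning file=${file},line=${line}::Pre-release version pin: ${match}"
  done
  if [ "$count" -gt 0 ]; then
    echo "::error::Pre-release version pins detected (${count} finding(s)). Production code must not depend on beta or release candidate versions."
    return 1
  fi
  echo "No pre-release version pins found."
  return 0
}

# Build a throwaway repository of constructed sample files and print its path.
# Expected findings: one in go.mod, one in package.json, one in Dockerfile.
make_sample_repo() {
  d="$(mktemp -d)"
  cat > "$d/go.mod" <<'EOF'
module example.com/app

go 1.22

require (
    github.com/example/lib v1.4.0
    github.com/example/toolkit v2.0.0-rc.1
    golang.org/x/tools v0.0.0-20240101000000-0123456789ab
)
EOF
  cat > "$d/package.json" <<'EOF'
{
  "name": "sample",
  "dependencies": {
    "left-pad": "^1.3.0",
    "react": "19.0.0-rc.1"
  }
}
EOF
  printf 'FROM golang:1.21.0-beta1 AS build\nFROM alpine:3.19.1\n' > "$d/Dockerfile"
  printf 'FROM node:20.11.1\n' > "$d/Dockerfile.dev"
  printf 'Tested against 1.0.0-beta1 (docs only, must not be flagged)\n' > "$d/README.md"
  printf '%s\n' "$d"
}

# Usage: sh prerelease_gate.sh <directory>   (no argument: only define functions)
if [ "$#" -gt 0 ]; then
  prerelease_gate "$1"
fi
```

The pseudo-version line in the sample go.mod is the edge case worth keeping in mind: a naive `-` check would flag every Go module pinned to a commit, so the letter-first pre-release rule the PR describes is what keeps the gate from blocking ordinary dependencies.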

@bedatty bedatty requested a review from a team as a code owner April 9, 2026 17:39
@coderabbitai

coderabbitai bot commented Apr 9, 2026

Walkthrough

Adds configurable CodeQL analysis (languages, fail-on-findings, optional SARIF upload), a Pre-release Version Gate composite action, workflow input and permission changes, an optional codeql_scan job, upgraded referenced reusable actions, and updated documentation. No exported/public code entities removed.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Security Workflow Configuration: `.github/workflows/pr-security-scan.yml` | Extended workflow_call inputs with CodeQL and prerelease controls; added `actions: read` permission; upgraded referenced reusable actions to v1.23.1; added Pre-release Version Check step and fail gate; introduced conditional codeql_scan job (config generation, optional init, autobuild, analyze, report); updated notify job dependencies and status/failed-job expressions. |
| Pre-release Check Action: `src/security/prerelease-check/action.yml`, `src/security/prerelease-check/README.md` | New composite action that scans go.mod, package.json, and Dockerfile variants for pre-release pins (regex targets semver pre-release starting with a letter); inputs: scan-ref, app-name; outputs: has-findings, findings-count; emits annotations, per-finding warnings, and writes a step summary; README documents usage and required permissions. |
| CodeQL Composite Action: `src/security/codeql-analyze/action.yml` | Added input upload (default: 'false') and passed `with.upload: ${{ inputs.upload }}` to github/codeql-action/analyze@v4 to control SARIF upload behavior. |
| Documentation & Examples: `docs/pr-security-scan-workflow.md` | Replaced Docker Scout example with CodeQL example; added "With Pre-release Version Gate" and opt-out example; updated inputs table (removed enable_docker_scout, added enable_health_score, enable_codeql, codeql_languages, codeql_fail_on_findings, codeql_upload_sarif, enable_prerelease_check, prerelease_block_branches); revised job/step descriptions and SARIF/upload notes. |
| Referenced reusable actions: workflow references (e.g., changed-paths, Trivy, Dockerfile compliance, PR reporter, Slack notifier) | Bumped multiple action pins to v1.23.1 across the workflow. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | Title accurately summarizes the two main features added: CodeQL analysis and pre-release version gate. It is concise, specific, and reflects the primary changes in the changeset. |
| Description check | ✅ Passed | Description covers all required sections: clear summary of changes, type of change marked, breaking changes explicitly addressed, testing validation completed, and related issues noted. Content aligns with the PR's actual scope and modifications. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@lerian-studio lerian-studio added labels size/M (PR changes 200–499 lines), documentation (Improvements or additions to documentation), workflow (Changes to one or more reusable workflow files) and security (Changes to security workflows or vulnerability reporting policy) Apr 9, 2026
- name: Gate - Fail on Pre-release Versions
if: always() && inputs.enable_prerelease_check && steps.prerelease-check.outputs.has-findings == 'true'
run: |
echo "::error::Pre-release version pins detected (${{ steps.prerelease-check.outputs.findings-count }} finding(s)). Production code must not depend on beta or release candidate versions."
@lerian-studio

lerian-studio commented Apr 9, 2026

🛡️ CodeQL Analysis Results

Languages analyzed: actions

✅ No security issues found.


🔍 View full scan logs | 🛡️ Security tab

@lerian-studio

lerian-studio commented Apr 9, 2026

🔍 Lint Analysis

| Check | Files Scanned | Status |
|---|---|---|
| YAML Lint | 3 file(s) | ✅ success |
| Action Lint | 1 file(s) | ✅ success |
| Pinned Actions | 3 file(s) | ❌ failure |
| Markdown Link Check | 2 file(s) | ✅ success |
| Spelling Check | 5 file(s) | ✅ success |
| Shell Check | 3 file(s) | ✅ success |
| README Check | 3 file(s) | ✅ success |
| Composite Schema | 2 file(s) | ✅ success |
❌ Failures (1)

Pinned Actions

.github

  • .github (line 89) — Process completed with exit code 1.
  • .github (line 88) — Found 1 external action(s) not pinned by commit SHA. Pin using the full SHA with a version comment (e.g., @abc123 # v6).

src/security/codeql-analyze/action.yml

  • src/security/codeql-analyze/action.yml (line 21) — External action not pinned by SHA: uses: github/codeql-action/analyze@v4 (use full commit SHA with a # vX.Y.Z comment)
⚠️ Warnings (6)

Pinned Actions

.github

  • .github (line 87) — Found 5 internal action(s) not pinned to a version. Consider pinning to vX.Y.Z.

.github/workflows/pr-security-scan.yml

  • .github/workflows/pr-security-scan.yml (line 319) — Internal action not pinned to a version: uses: LerianStudio/github-actions-shared-workflows/src/security/codeql-reporter@feat/pr-security-scan-codeql-prerelease
  • .github/workflows/pr-security-scan.yml (line 311) — Internal action not pinned to a version: uses: LerianStudio/github-actions-shared-workflows/src/security/codeql-analyze@feat/pr-security-scan-codeql-prerelease
  • .github/workflows/pr-security-scan.yml (line 292) — Internal action not pinned to a version: uses: LerianStudio/github-actions-shared-workflows/src/security/codeql-init@feat/pr-security-scan-codeql-prerelease
  • .github/workflows/pr-security-scan.yml (line 285) — Internal action not pinned to a version: uses: LerianStudio/github-actions-shared-workflows/src/security/codeql-config@feat/pr-security-scan-codeql-prerelease
  • .github/workflows/pr-security-scan.yml (line 222) — Internal action not pinned to a version: uses: LerianStudio/github-actions-shared-workflows/src/security/prerelease-check@feat/pr-security-scan-codeql-prerelease

🔍 View full scan logs


@coderabbitai coderabbitai bot left a comment


Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.


Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
docs/pr-security-scan-workflow.md (1)

182-199: ⚠️ Potential issue | 🟡 Minor

The Inputs table is still out of sync with the workflow contract.

.github/workflows/pr-security-scan.yml also exposes shared_paths, app_name_prefix, app_name_overrides, normalize_to_filter, docker_build_args, and build_context_from_working_dir, but they are missing here. That leaves the caller-facing contract incomplete.

As per coding guidelines, "Flag if inputs table is out of sync with the corresponding workflow changes in this PR."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/pr-security-scan-workflow.md` around lines 182 - 199, The Inputs table
in docs/pr-security-scan-workflow.md is missing inputs added in the workflow
(.github/workflows/pr-security-scan.yml); update the table to include the
missing inputs shared_paths, app_name_prefix, app_name_overrides,
normalize_to_filter, docker_build_args, and build_context_from_working_dir with
correct Type, Default, and Description entries matching the workflow contract
(use the exact input names as in pr-security-scan.yml and ensure descriptions
reflect their behavior so the caller-facing contract is complete).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/pr-security-scan.yml:
- Around line 92-95: The default for the reusable workflow input
enable_prerelease_check currently defaults to true which will break existing
callers; change its default to false (or gate it behind a new major/minor
version boundary) so the prerelease blocking is opt-in for existing consumers,
updating the input declaration for enable_prerelease_check accordingly to avoid
hard-failing PRs for callers that don’t supply the new input.
- Around line 209-216: The workflow references a feature branch tag in the
composite actions (the `uses:` entries like
LerianStudio/github-actions-shared-workflows/src/security/prerelease-check@feat/pr-security-scan-codeql-prerelease)
which will break once that branch is deleted; update each `uses:` to point to a
released semantic version tag (e.g., change
`@feat/pr-security-scan-codeql-prerelease` to the appropriate `@vX.Y.Z` release)
so the Pre-release Version Check (`id: prerelease-check`) and the other four
composite action references resolve reliably after merges.

In `@docs/pr-security-scan-workflow.md`:
- Around line 167-180: The docs are inconsistent about default pre-release
gating and the behavior of enable_docker_scan; update the "CLI / Non-Docker
Projects" section so it matches the new "With Pre-release Version Gate" wording:
state that enable_prerelease_check is enabled by default and clarify that when
enable_docker_scan: false the workflow performs only filesystem secret scanning
plus pre-release checks (i.e., scanning go.mod/package.json/Dockerfile for
-beta/-rc) and does not run Docker Scout; reference the config flags
enable_prerelease_check and enable_docker_scan and update any wording that
currently says "only filesystem scanning" or still references Docker Scout to
reflect the new combined filesystem + pre-release behavior.

In `@src/security/prerelease-check/README.md`:
- Around line 12-15: Update the Inputs table in
src/security/prerelease-check/README.md so the Default for `app-name` exactly
matches the exported default in action.yml (currently an empty string ''), i.e.,
replace the `—` with `''`; ensure the input name `app-name` and the Required and
Default cells match action.yml verbatim to satisfy the action contract
verification.
- Around line 24-30: Update the "Dockerfile" row in the "What it scans" table to
reflect all filename patterns the action actually scans — replace the single
`Dockerfile` cell with `Dockerfile`, `*.dockerfile`, `Dockerfile.*` (keep the
existing pattern `:X.Y.Z-beta.*` / `:X.Y.Z-rc.*` and example
`golang:1.21.0-beta1` unchanged) so callers see the exact coverage used by the
gate.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: c6b503cb-09cf-4402-b8ce-154c21e84bbe

📥 Commits

Reviewing files that changed from the base of the PR and between c2a818d and 49915c0.

📒 Files selected for processing (4)
  • .github/workflows/pr-security-scan.yml
  • docs/pr-security-scan-workflow.md
  • src/security/prerelease-check/README.md
  • src/security/prerelease-check/action.yml

Comment on lines +92 to +95
enable_prerelease_check:
description: 'Block dependencies pinned to pre-release versions (-beta, -rc)'
type: boolean
default: true


⚠️ Potential issue | 🟠 Major

Defaulting enable_prerelease_check to true is a caller-breaking rollout.

This reusable workflow now hard-fails PRs for existing consumers that do not know about the new input yet. "Can be disabled" does not help callers already pinned to a shared ref, because they would have to change their workflow first. If this is meant to be non-breaking, ship it default-off initially or only behind a new version boundary.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-security-scan.yml around lines 92 - 95, The default for
the reusable workflow input enable_prerelease_check currently defaults to true
which will break existing callers; change its default to false (or gate it
behind a new major/minor version boundary) so the prerelease blocking is opt-in
for existing consumers, updating the input declaration for
enable_prerelease_check accordingly to avoid hard-failing PRs for callers that
don’t supply the new input.

Comment on lines +209 to +216
# ----------------- Pre-release Version Gate -----------------
- name: Pre-release Version Check
id: prerelease-check
if: always() && inputs.enable_prerelease_check
uses: LerianStudio/github-actions-shared-workflows/src/security/prerelease-check@feat/pr-security-scan-codeql-prerelease
with:
scan-ref: ${{ matrix.working_dir }}
app-name: ${{ env.APP_NAME }}


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# Read the pr-security-scan.yml file to check the refs at the mentioned lines
cat -n .github/workflows/pr-security-scan.yml | sed -n '200,290p'

Repository: LerianStudio/github-actions-shared-workflows

Length of output: 5201


🏁 Script executed:

# Search for all feature-branch refs in the file
grep -n "feat/pr-security-scan-codeql-prerelease" .github/workflows/pr-security-scan.yml

# Check what branches exist and what the default branch is
git branch -a | head -20

Repository: LerianStudio/github-actions-shared-workflows

Length of output: 849


🏁 Script executed:

# Check for any README or docs about branch/ref strategy
find . -maxdepth 2 -name "*.md" -type f | head -10

# Look for other uses of stable refs in workflows to see the pattern
grep -r "uses:.*github-actions-shared-workflows.*@" .github/workflows/ | grep -v "feat/" | head -5

Repository: LerianStudio/github-actions-shared-workflows

Length of output: 976


🏁 Script executed:

# Check the default branch configuration and what the review comment learnings say
cat README.md | head -50

# Check for version tags to understand the tagging strategy
git tag -l | tail -10

Repository: LerianStudio/github-actions-shared-workflows

Length of output: 1600


🏁 Script executed:

# Check what version tags are used for other composites in the same workflow
grep -n "uses:.*github-actions-shared-workflows.*@" .github/workflows/pr-security-scan.yml | head -15

Repository: LerianStudio/github-actions-shared-workflows

Length of output: 1338


🏁 Script executed:

# Check if the new composites exist and what version tags they might have
for composite in prerelease-check codeql-config codeql-init codeql-analyze codeql-reporter; do
  if [ -f "src/security/$composite/action.yml" ]; then
    echo "=== $composite exists ==="
  else
    echo "=== $composite MISSING ==="
  fi
done

# Check what branches these new composites are on
git log --oneline -n 20 -- src/security/prerelease-check/ 2>/dev/null | head -5
git log --oneline -n 20 -- src/security/codeql-config/ 2>/dev/null | head -5

Repository: LerianStudio/github-actions-shared-workflows

Length of output: 422


Switch feature-branch refs to semantic version tags before merge.

The five uses: entries reference @feat/pr-security-scan-codeql-prerelease. Once this branch is deleted or diverges, external callers of pr-security-scan.yml will fail to resolve these composites. Update to match the semantic versioning pattern used throughout the workflow (e.g., @v1.23.1 or the appropriate release version for these new composites):

Suggested ref update
-        uses: LerianStudio/github-actions-shared-workflows/src/security/prerelease-check@feat/pr-security-scan-codeql-prerelease
+        uses: LerianStudio/github-actions-shared-workflows/src/security/prerelease-check@v1.24.0
...
-        uses: LerianStudio/github-actions-shared-workflows/src/security/codeql-config@feat/pr-security-scan-codeql-prerelease
+        uses: LerianStudio/github-actions-shared-workflows/src/security/codeql-config@v1.24.0
...
-        uses: LerianStudio/github-actions-shared-workflows/src/security/codeql-init@feat/pr-security-scan-codeql-prerelease
+        uses: LerianStudio/github-actions-shared-workflows/src/security/codeql-init@v1.24.0
...
-        uses: LerianStudio/github-actions-shared-workflows/src/security/codeql-analyze@feat/pr-security-scan-codeql-prerelease
+        uses: LerianStudio/github-actions-shared-workflows/src/security/codeql-analyze@v1.24.0
...
-        uses: LerianStudio/github-actions-shared-workflows/src/security/codeql-reporter@feat/pr-security-scan-codeql-prerelease
+        uses: LerianStudio/github-actions-shared-workflows/src/security/codeql-reporter@v1.24.0
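Review bot: the `@v1.24.0` target in every `+` line of this suggestion is illustrative; no such tag appears anywhere in this thread (the other composites were bumped to `@v1.23.1` in the same PR), so the swap can only land once that release is actually cut, and merging the suggestion before then would leave callers resolving a ref that does not exist. Until the release exists, the five `-` lines are exactly what the Pinned Actions lint above reports as "Internal action not pinned to a version"; the same lint already requires a full commit SHA with a `# vX.Y.Z` comment for the external `github/codeql-action/analyze@v4` ref, and the later review note accepts "a released tag or commit SHA" for these, so pinning the five entries to the release commit SHA with the version in a comment would satisfy both.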
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-security-scan.yml around lines 209 - 216, The workflow
references a feature branch tag in the composite actions (the `uses:` entries
like
LerianStudio/github-actions-shared-workflows/src/security/prerelease-check@feat/pr-security-scan-codeql-prerelease)
which will break once that branch is deleted; update each `uses:` to point to a
released semantic version tag (e.g., change
`@feat/pr-security-scan-codeql-prerelease` to the appropriate `@vX.Y.Z` release)
so the Pre-release Version Check (`id: prerelease-check`) and the other four
composite action references resolve reliably after merges.

Comment on lines +12 to +15
| Input | Description | Required | Default |
|---|---|:---:|---|
| `scan-ref` | Directory to scan for pre-release versions | No | `.` |
| `app-name` | Application name for reporting context | No | — |


⚠️ Potential issue | 🟡 Minor

Document the app-name default exactly.

src/security/prerelease-check/action.yml exports app-name with a default of '', but the table shows `—`. This README is the action contract, so the default column needs to match the metadata exactly.

As per coding guidelines, "Verify inputs table matches action.yml exactly (name, required, default)."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/security/prerelease-check/README.md` around lines 12 - 15, Update the
Inputs table in src/security/prerelease-check/README.md so the Default for
`app-name` exactly matches the exported default in action.yml (currently an
empty string ''), i.e., replace the `—` with `''`; ensure the input name
`app-name` and the Required and Default cells match action.yml verbatim to
satisfy the action contract verification.


@coderabbitai coderabbitai bot left a comment


Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.


Actionable comments posted: 2

♻️ Duplicate comments (2)
.github/workflows/pr-security-scan.yml (2)

92-95: ⚠️ Potential issue | 🟠 Major

Default the new pre-release gate off for existing callers.

This turns a new failing behavior on by default in a reusable workflow. Callers already pinned to this shared ref will start failing PRs without changing their own workflows, so this is a breaking rollout and should ship default-off or behind a version boundary.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-security-scan.yml around lines 92 - 95, The new boolean
input enable_prerelease_check currently defaults to true which will break
existing callers; change its default to false (or gate behind a major-versioned
reusable workflow) so existing workflows don't start failing; update the input
definition for enable_prerelease_check to default: false and, if desired, add a
note in the workflow description or README about the opt-in change and
versioning plan.

213-213: ⚠️ Potential issue | 🔴 Critical

Do not merge reusable-workflow refs that point at a feature branch.

These uses: entries still resolve through @feat/pr-security-scan-codeql-prerelease. Once that branch is deleted or drifts, external callers of this reusable workflow will stop resolving the composites. Move every new internal action reference to the released ref before merge. Based on learnings: reusable workflows called from external repositories must reference them via an absolute external ref, and this repository’s workflow files use absolute LerianStudio/github-actions-shared-workflows/src/...@<ref> references for externally consumed composites.

Also applies to: 258-258, 265-265, 284-284, 291-291

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-security-scan.yml at line 213, Change all
reusable-workflow `uses:` references that point to the feature branch
`@feat/pr-security-scan-codeql-prerelease` to a released immutable ref (a
released tag or commit SHA) so external callers won't break when the branch is
deleted; update each `uses:
LerianStudio/github-actions-shared-workflows/src/security/prerelease-check@feat/pr-security-scan-codeql-prerelease`
(and the other identical `uses:` entries) to `@<released-tag-or-sha>` (for
example a vX.Y.Z tag or the commit SHA of the release) so the composite resolves
reliably for external repositories.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/pr-security-scan.yml:
- Around line 270-276: The step "Configure private Go modules access" currently
hardcodes GOPRIVATE=github.com/LerianStudio/* and makes the reusable workflow
org-specific; change this to accept a parameter (e.g., an input like
private_go_pattern or private_go_host) or derive the pattern from the GitHub
context (github.repository_owner / github.server_url) and use that value when
setting the git config and GOPRIVATE; update references to the git config line
and the GOPRIVATE assignment so they interpolate the input/context value instead
of the literal "LerianStudio". Ensure the new input has a sensible default and
is documented so callers can override it for other orgs/hosts.
- Around line 79-87: The workflow allows enable_codeql to be true with an empty
codeql_languages, which causes the codeql_scan job to silently skip; add an
early validation job (e.g., validate_codeql_inputs) that runs before codeql_scan
and uses an if condition checking inputs.enable_codeql is true and
inputs.codeql_languages is empty, and in that job run a single step that prints
a clear error (mentioning enable_codeql and codeql_languages) and exits non‑zero
to fail fast; update job dependencies so codeql_scan depends_on this validation
to guarantee callers get an explicit error rather than silent skipping.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5b9c11d5-2975-4c28-a825-1df86339de92

📥 Commits

Reviewing files that changed from the base of the PR and between 49915c0 and aad6ec3.

📒 Files selected for processing (1)
  • .github/workflows/pr-security-scan.yml

Comment on lines +79 to +87
enable_codeql:
description: 'Enable CodeQL static analysis. Requires codeql_languages to be set.'
type: boolean
default: false
codeql_languages:
description: 'Languages to analyze with CodeQL (comma-separated, e.g., "go", "javascript-typescript", "actions")'
type: string
required: false
default: ''


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, locate the workflow file
git ls-files | grep -E "\.github/workflows/pr-security-scan\.yml"

Repository: LerianStudio/github-actions-shared-workflows

Length of output: 126


🏁 Script executed:

# Read the workflow file to examine the codeql input definitions and codeql_scan job conditions
# Lines 79-87 show the inputs, lines 237-240 are mentioned as related
cat -n .github/workflows/pr-security-scan.yml | sed -n '1,300p'

Repository: LerianStudio/github-actions-shared-workflows

Length of output: 15834


🏁 Script executed:

# Check the codeql_scan job to see its conditions and logic
ast-grep --pattern 'codeql_scan:'

Repository: LerianStudio/github-actions-shared-workflows

Length of output: 70


Add validation to fail fast when CodeQL is enabled without languages.

The codeql_scan job condition (line 240) silently skips when enable_codeql: true but codeql_languages is empty, masking caller misconfiguration. The description correctly states the requirement, but there is no validation enforcing it. Add a validation job that runs when inputs.enable_codeql && inputs.codeql_languages == '' and exits with a clear error about the missing language configuration.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-security-scan.yml around lines 79 - 87, The workflow
allows enable_codeql to be true with an empty codeql_languages, which causes the
codeql_scan job to silently skip; add an early validation job (e.g.,
validate_codeql_inputs) that runs before codeql_scan and uses an if condition
checking inputs.enable_codeql is true and inputs.codeql_languages is empty, and
in that job run a single step that prints a clear error (mentioning
enable_codeql and codeql_languages) and exits non‑zero to fail fast; update job
dependencies so codeql_scan depends_on this validation to guarantee callers get
an explicit error rather than silent skipping.

Comment on lines +270 to +276
- name: Configure private Go modules access
if: steps.codeql-config.outputs.skip != 'true'
env:
TOKEN: ${{ secrets.MANAGE_TOKEN || secrets.GITHUB_TOKEN }}
run: |
git config --global url."https://x-access-token:${TOKEN}@github.com/".insteadOf "https://github.com/"
echo "GOPRIVATE=github.com/LerianStudio/*" >> "$GITHUB_ENV"

⚠️ Potential issue | 🟠 Major

Parameterize private Go module access instead of hardcoding LerianStudio.

GOPRIVATE=github.com/LerianStudio/* makes this shared workflow specific to one org/host. Any caller that needs private Go modules outside that scope will still fail CodeQL autobuild. Move the host/org pattern behind inputs, or derive it from repository context, before shipping this as a reusable workflow. As per coding guidelines: "Never hardcode tokens, org names, or internal URLs — always use inputs or secrets".

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-security-scan.yml around lines 270 - 276, The step
"Configure private Go modules access" currently hardcodes
GOPRIVATE=github.com/LerianStudio/* and makes the reusable workflow
org-specific; change this to accept a parameter (e.g., an input like
private_go_pattern or private_go_host) or derive the pattern from the GitHub
context (github.repository_owner / github.server_url) and use that value when
setting the git config and GOPRIVATE; update references to the git config line
and the GOPRIVATE assignment so they interpolate the input/context value instead
of the literal "LerianStudio". Ensure the new input has a sensible default and
is documented so callers can override it for other orgs/hosts.

@coderabbitai coderabbitai bot left a comment

Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/pr-security-scan.yml:
- Around line 232-236: The workflow step "Gate - Fail on Pre-release Versions"
currently interpolates steps.prerelease-check.outputs.findings-count directly
into the shell command; map that output into an environment variable (e.g., set
env: PRERELEASE_FINDINGS: ${{ steps.prerelease-check.outputs.findings-count }})
and then reference and quote that env var in the run block (use
"$PRERELEASE_FINDINGS" in the echo and exit logic) to satisfy the code-injection
check and silence CodeQL warnings.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7e2b259b-c964-4721-95d6-0e441d249e14

📥 Commits

Reviewing files that changed from the base of the PR and between aad6ec3 and 046ef64.

📒 Files selected for processing (1)
  • .github/workflows/pr-security-scan.yml

@coderabbitai coderabbitai bot left a comment

Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/security/codeql-analyze/action.yml (1)

20-21: ⚠️ Potential issue | 🟠 Major

Pin github/codeql-action/analyze to a commit SHA, not @v4.

Line 21 uses a mutable tag for a third-party action. Per repository policy, third-party actions must be pinned by commit SHA with a version comment for readability (e.g., uses: github/codeql-action/analyze@abc123def456... # v4). Tags can be force-pushed by upstream maintainers, weakening supply-chain guarantees.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/security/codeql-analyze/action.yml` around lines 20 - 21, Replace the
mutable tag in the GitHub Actions step that currently reads "uses:
github/codeql-action/analyze@v4" with a pinned commit SHA (e.g., "uses:
github/codeql-action/analyze@<full-commit-sha>") and add a trailing comment
indicating the human-readable version (e.g., "# v4") for readability; update the
"Perform CodeQL Analysis" step to use that SHA to satisfy the repository policy
while preserving the version intent.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/security/codeql-analyze/action.yml`:
- Around line 12-15: The new action input 'upload' in action.yml defaults to
'false', which changes behavior for callers that omit it; update the default to
'true' (or ensure callers explicitly pass 'upload: \"true\"') so SARIF upload
remains enabled by default. Modify the inputs block for the 'upload' input in
action.yml to set default: 'true' (or update any workflows invoking the action
to pass upload: 'true' where necessary) and keep the value forwarded as before.

---

Outside diff comments:
In `@src/security/codeql-analyze/action.yml`:
- Around line 20-21: Replace the mutable tag in the GitHub Actions step that
currently reads "uses: github/codeql-action/analyze@v4" with a pinned commit SHA
(e.g., "uses: github/codeql-action/analyze@<full-commit-sha>") and add a
trailing comment indicating the human-readable version (e.g., "# v4") for
readability; update the "Perform CodeQL Analysis" step to use that SHA to
satisfy the repository policy while preserving the version intent.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4be93de3-e8cd-4b62-9f57-9bee3c55f109

📥 Commits

Reviewing files that changed from the base of the PR and between 046ef64 and 537771d.

📒 Files selected for processing (1)
  • src/security/codeql-analyze/action.yml
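A check for the SHA-pinning policy raised in this comment, written for this page as an added example (it is not the repository's own tooling): it lists every `uses:` ref in a workflow file whose ref is not a full 40-hex commit SHA, skips repo-local and `docker://` refs, and accepts an exempt owner for first-party actions that the guidelines allow to reference release tags. The sample workflow, the placeholder SHA and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the PR or the LerianStudio repository: report `uses:` refs in a
# workflow file that are not pinned to a full 40-hex commit SHA. Repo-local (./...) and
# docker:// refs are skipped; an optional owner prefix (e.g. LerianStudio, whose actions the
# repo's guidelines allow to use release tags) is skipped too.

# Write a constructed sample workflow to a temp dir and print its path. The SHA is a placeholder.
make_sample_workflow() {
  dir=$(mktemp -d)
  cat > "$dir/ci.yml" <<'EOF'
name: sample
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - uses: github/codeql-action/analyze@v4
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: LerianStudio/github-actions-shared-workflows/src/security/prerelease-check@feat/some-branch
EOF
  printf '%s\n' "$dir/ci.yml"
}

# Print "<file>:<line>: <ref>" for every ref that is not SHA-pinned.
# $2 (optional) is an owner whose refs are exempt from the SHA rule.
list_unpinned_refs() {
  file="$1"
  exempt_owner="${2:-}"
  grep -n -E '^[[:space:]]*-?[[:space:]]*uses:' "$file" | while IFS= read -r hit; do
    lineno="${hit%%:*}"
    # Strip the "uses:" key, any trailing comment, and surrounding quotes.
    ref=$(printf '%s' "${hit#*:}" \
      | sed -E -e 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//' \
               -e 's/[[:space:]]*#.*$//' \
               -e "s/[\"']//g")
    case "$ref" in
      ./*|docker://*) continue ;;   # local actions and container refs have no git ref to pin
    esac
    if [ -n "$exempt_owner" ]; then
      case "$ref" in
        "$exempt_owner"/*) continue ;;
      esac
    fi
    tag="${ref##*@}"
    if ! printf '%s\n' "$tag" | grep -q -E '^[0-9a-f]{40}$'; then
      printf '%s:%s: %s\n' "$file" "$lineno" "$ref"
    fi
  done
}

# Number of unpinned refs; non-zero means the file should not ship under the SHA policy.
count_unpinned_refs() {
  list_unpinned_refs "$1" "${2:-}" | wc -l | tr -d ' '
}
```

Source the file, then run `wf=$(make_sample_workflow); list_unpinned_refs "$wf" LerianStudio` to see only the third-party tag ref reported; the same functions can be pointed at real files under `.github/workflows/` and `src/*/action.yml`.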

Comment on lines +12 to +15
upload:
description: 'Upload SARIF to GitHub Security tab (requires Code Security / GHAS enabled on the repo)'
required: false
default: 'false'

⚠️ Potential issue | 🟠 Major

upload default introduces an unintended behavior change for existing callers.

Line 15 defaults upload to 'false', and Line 25 always forwards it. Callers that omit this new input now disable SARIF upload by default (including the current workflow invocations shown in .github/workflows/self-pr-validation.yml Line 206-Line 210 and .github/workflows/pr-security-scan.yml Line 283-Line 287). Set the default to 'true' or pass upload: 'true' explicitly at call sites that must publish to Security tab.

Suggested fix
   upload:
     description: 'Upload SARIF to GitHub Security tab (requires Code Security / GHAS enabled on the repo)'
     required: false
-    default: 'false'
+    default: 'true'
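Review bot: flipping the default to `'true'` trades one silent behavior change for another: the input's own description says the upload requires Code Security / GHAS on the repo, so callers without it can start failing at the upload step instead of silently not uploading. The lower-risk fix is to keep `default: 'false'` and pass `upload: 'true'` explicitly at the two call sites the comment names (self-pr-validation.yml and pr-security-scan.yml), so the intent is visible where the action is invoked and the docs can state the default plainly.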

Also applies to: 25-25

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/security/codeql-analyze/action.yml` around lines 12 - 15, The new action
input 'upload' in action.yml defaults to 'false', which changes behavior for
callers that omit it; update the default to 'true' (or ensure callers explicitly
pass 'upload: \"true\"') so SARIF upload remains enabled by default. Modify the
inputs block for the 'upload' input in action.yml to set default: 'true' (or
update any workflows invoking the action to pass upload: 'true' where necessary)
and keep the value forwarded as before.

@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
docs/pr-security-scan-workflow.md (2)

184-200: ⚠️ Potential issue | 🟡 Minor

Inputs table is out of sync with the workflow.

The following workflow inputs are missing from the documentation table:

  • shared_paths
  • app_name_prefix
  • app_name_overrides
  • normalize_to_filter
  • docker_build_args
  • build_context_from_working_dir

If these are intentionally omitted as "advanced" inputs, add a note indicating additional inputs exist. Otherwise, document them for completeness.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/pr-security-scan-workflow.md` around lines 184 - 200, The Inputs table
is missing several workflow inputs; update the docs to either document these
inputs or clearly note that additional advanced inputs exist. Specifically add
entries for `shared_paths`, `app_name_prefix`, `app_name_overrides`,
`normalize_to_filter`, `docker_build_args`, and `build_context_from_working_dir`
(each with Type, Default, and Description), or append a short note under the
table stating that advanced inputs such as those named above exist and where to
find full input reference; ensure the documented names exactly match the
workflow input keys (`shared_paths`, `app_name_prefix`, `app_name_overrides`,
`normalize_to_filter`, `docker_build_args`, `build_context_from_working_dir`).

217-225: ⚠️ Potential issue | 🟡 Minor

Permissions section missing actions: read.

The workflow now requires actions: read for CodeQL status reporting. Update the documented permissions block to match.

📝 Add missing permission
 permissions:
+  actions: read         # Required for CodeQL status reporting
   id-token: write       # Required for OIDC authentication
   contents: read        # Required to checkout the repository
   pull-requests: write  # Allows commenting on PRs
   security-events: write # Required for security scanning
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/pr-security-scan-workflow.md` around lines 217 - 225, Update the
"Required Permissions" YAML block to include the missing "actions: read"
permission so CodeQL status reporting can work; locate the permissions snippet
under the "Required Permissions" heading (the YAML block containing id-token,
contents, pull-requests, security-events) and add a line "actions: read"
alongside the other entries, keeping the same indentation and comment style.
.github/workflows/pr-security-scan.yml (1)

10-99: ⚠️ Potential issue | 🟠 Major

Missing required dry_run input.

Per coding guidelines, every reusable workflow must include a dry_run input (type: boolean, default: false). When true, it should enable verbose output and tool-native preview flags. This workflow is missing this required input.

🛠️ Add dry_run input
       build_context_from_working_dir:
         description: 'Use the component working_dir as Docker build context instead of repo root. Useful for independent modules (e.g., tools with their own go.mod).'
         type: boolean
         default: false
+      dry_run:
+        description: 'Enable dry-run mode with verbose output. Does not fail on findings.'
+        type: boolean
+        default: false
       enable_codeql:
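Review bot: the suggested description, "Does not fail on findings", gives `dry_run` a semantics the comment text does not: the guideline quoted above asks for verbose output and tool-native preview flags, not for suppressing failures. Settle which it is before adding the input; if it does suppress failures, the "Gate - Fail on Pre-release Versions" step and the CodeQL job both need to consult the flag before exiting non-zero, otherwise the input is documented but never honored.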
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-security-scan.yml around lines 10 - 99, The workflow is
missing the required dry_run input under on.workflow_call.inputs; add a new
input named dry_run with type: boolean and default: false, and update any steps
that run scanners or builds (e.g., CodeQL, Docker scans referenced by
enable_codeql, enable_docker_scan) to honor this flag by enabling verbose output
and tool-native "preview"/"dry-run" options when dry_run is true.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In @.github/workflows/pr-security-scan.yml:
- Around line 10-99: The workflow is missing the required dry_run input under
on.workflow_call.inputs; add a new input named dry_run with type: boolean and
default: false, and update any steps that run scanners or builds (e.g., CodeQL,
Docker scans referenced by enable_codeql, enable_docker_scan) to honor this flag
by enabling verbose output and tool-native "preview"/"dry-run" options when
dry_run is true.

In `@docs/pr-security-scan-workflow.md`:
- Around line 184-200: The Inputs table is missing several workflow inputs;
update the docs to either document these inputs or clearly note that additional
advanced inputs exist. Specifically add entries for `shared_paths`,
`app_name_prefix`, `app_name_overrides`, `normalize_to_filter`,
`docker_build_args`, and `build_context_from_working_dir` (each with Type,
Default, and Description), or append a short note under the table stating that
advanced inputs such as those named above exist and where to find full input
reference; ensure the documented names exactly match the workflow input keys
(`shared_paths`, `app_name_prefix`, `app_name_overrides`, `normalize_to_filter`,
`docker_build_args`, `build_context_from_working_dir`).
- Around line 217-225: Update the "Required Permissions" YAML block to include
the missing "actions: read" permission so CodeQL status reporting can work;
locate the permissions snippet under the "Required Permissions" heading (the
YAML block containing id-token, contents, pull-requests, security-events) and
add a line "actions: read" alongside the other entries, keeping the same
indentation and comment style.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 77be3519-e970-4f9c-a444-f3fc782ba607

📥 Commits

Reviewing files that changed from the base of the PR and between 537771d and f89fd13.

📒 Files selected for processing (2)
  • .github/workflows/pr-security-scan.yml
  • docs/pr-security-scan-workflow.md

@coderabbitai coderabbitai bot left a comment

Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.


Actionable comments posted: 2

♻️ Duplicate comments (5)
.github/workflows/pr-security-scan.yml (4)

96-103: ⚠️ Potential issue | 🟠 Major

Default-on prerelease gating is a breaking rollout.

Existing callers pick up this behavior without changing their workflow. Any repo with -beta/-rc pins will start warning on develop and hard-failing on main/release-candidate as soon as it consumes this ref. Ship this default-off, or only enable it behind a new version boundary.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-security-scan.yml around lines 96 - 103, The workflow
sets enable_prerelease_check to true by default, which changes behavior for
existing users; change its default to false (or remove the default so callers
must opt-in) and keep prerelease_block_branches unchanged; update the
enable_prerelease_check key in the workflow so existing repos do not get
blocking prerelease gating unless they explicitly opt in.

79-87: ⚠️ Potential issue | 🟠 Major

Fail fast when CodeQL is enabled without languages.

enable_codeql: true with an empty codeql_languages just skips codeql_scan because of the job if:. That hides caller misconfiguration. Add an explicit validation step/job that errors when CodeQL is enabled and the language list is blank.

Also applies to: 267-267

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-security-scan.yml around lines 79 - 87, Add a
validation step/job that fails fast when enable_codeql is true but
codeql_languages is empty: detect the combination of the inputs (enable_codeql
and codeql_languages) before the codeql_scan job runs (or as the first step of
codeql_scan) and exit with a clear error message if codeql_languages is blank;
reference the input names enable_codeql and codeql_languages and the affected
job codeql_scan so the check runs only when enable_codeql is true and prevents
silently skipping the scan when languages are not provided.

222-222: ⚠️ Potential issue | 🔴 Critical

Replace the feature-branch refs before merge.

A reusable workflow consumed by external repositories cannot depend on @feat/pr-security-scan-codeql-prerelease; those refs stop resolving once the branch is deleted or drifts. Pin these composites to a release tag, or use @develop only while testing.

As per coding guidelines, "LerianStudio/* actions must use release tags (@v1.2.3) or branches (@develop for testing)."

Also applies to: 285-319

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-security-scan.yml at line 222, The workflow is
referencing a feature branch ref (uses:
LerianStudio/github-actions-shared-workflows/src/security/prerelease-check@feat/pr-security-scan-codeql-prerelease),
which will break once that branch is removed; update all such "uses:
LerianStudio/github-actions-shared-workflows/..." entries (including the similar
blocks at lines 285-319) to pin to a stable release tag like `@vX.Y.Z`, or
temporarily to `@develop` for testing, ensuring the ref is not a feature branch so
the reusable workflow resolves after merge.

297-303: ⚠️ Potential issue | 🟠 Major

GOPRIVATE is hardcoded to LerianStudio.

This makes the reusable workflow fail for callers whose private Go modules live under a different owner or host. Derive the pattern from context or expose it as an input before shipping this as shared workflow logic.

As per coding guidelines, "Never hardcode tokens, org names, or internal URLs — always use inputs or secrets."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-security-scan.yml around lines 297 - 303, The workflow
hardcodes GOPRIVATE to "github.com/LerianStudio/*"; change it to derive or
accept the pattern as an input and use that instead: add an input (e.g., input
name goprivate_pattern) with a sensible default like using
github.repository_owner (or construct "${{ github.repository_owner }}/*"), then
replace the hardcoded GOPRIVATE write with that input value; ensure the TOKEN
env use remains unchanged and the conditional if:
steps.codeql-config.outputs.skip != 'true' still guards the run.
docs/pr-security-scan-workflow.md (1)

120-142: ⚠️ Potential issue | 🟡 Minor

CLI/non-Docker docs still describe the old behavior.

With enable_prerelease_check defaulting to true, this mode also runs the prerelease scan. The bullet list here omits that and still mentions Docker Scout, which now contradicts the later note in Line 250.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/pr-security-scan-workflow.md` around lines 120 - 142, Update the docs
block describing the "disable Docker scanning" example to reflect current
behavior: mention that with enable_prerelease_check defaulting to true the
prerelease scan will still run, and remove or clarify the outdated Docker Scout
statement so it matches the later note referenced (Line 250). Specifically edit
the PR Security Scan example text to state that setting enable_docker_scan:
false skips Docker build/vuln scanning but does not disable the prerelease check
(enable_prerelease_check remains true by default) and ensure the bullet list no
longer incorrectly implies Docker Scout behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/pr-security-scan-workflow.md`:
- Around line 167-180: Update the prose describing the prerelease gate to
reflect that it is branch-aware: state that when enable_prerelease_check is true
the workflow scans go.mod, package.json, and Dockerfile for prerelease suffixes
(e.g., -beta, -rc) and emits a warning on non-blocking branches, and only fails
the PR (exits non-zero) for branches listed in prerelease_block_branches; adjust
the wording around the “With Pre-release Version Gate” section and the
corresponding lines mentioned so they reference the enable_prerelease_check
input and the prerelease_block_branches behavior instead of saying it
unconditionally fails the PR.
- Around line 163-165: Update the documentation text that currently states
"Results are posted as a separate PR comment and uploaded to the GitHub Security
tab" to clarify that SARIF upload to the Security tab is opt-in and only happens
when the configuration flag codeql_upload_sarif: true is set; change the wording
around the CodeQL section (references to "CodeQL analysis" and the upload
behavior) to explicitly note the default is not to upload SARIF and callers must
enable codeql_upload_sarif to have results uploaded, and apply the same
correction at the other occurrences mentioned.

---

Duplicate comments:
In @.github/workflows/pr-security-scan.yml:
- Around line 96-103: The workflow sets enable_prerelease_check to true by
default, which changes behavior for existing users; change its default to false
(or remove the default so callers must opt-in) and keep
prerelease_block_branches unchanged; update the enable_prerelease_check key in
the workflow so existing repos do not get blocking prerelease gating unless they
explicitly opt in.
- Around line 79-87: Add a validation step/job that fails fast when
enable_codeql is true but codeql_languages is empty: detect the combination of
the inputs (enable_codeql and codeql_languages) before the codeql_scan job runs
(or as the first step of codeql_scan) and exit with a clear error message if
codeql_languages is blank; reference the input names enable_codeql and
codeql_languages and the affected job codeql_scan so the check runs only when
enable_codeql is true and prevents silently skipping the scan when languages are
not provided.
- Line 222: The workflow is referencing a feature branch ref (uses:
LerianStudio/github-actions-shared-workflows/src/security/prerelease-check@feat/pr-security-scan-codeql-prerelease),
which will break once that branch is removed; update all such "uses:
LerianStudio/github-actions-shared-workflows/..." entries (including the similar
blocks at lines 285-319) to pin to a stable release tag like `@vX.Y.Z`, or
temporarily to `@develop` for testing, ensuring the ref is not a feature branch so
the reusable workflow resolves after merge.
- Around line 297-303: The workflow hardcodes GOPRIVATE to
"github.com/LerianStudio/*"; change it to derive or accept the pattern as an
input and use that instead: add an input (e.g., input name goprivate_pattern)
with a sensible default like using github.repository_owner (or construct "${{
github.repository_owner }}/*"), then replace the hardcoded GOPRIVATE write with
that input value; ensure the TOKEN env use remains unchanged and the conditional
if: steps.codeql-config.outputs.skip != 'true' still guards the run.

In `@docs/pr-security-scan-workflow.md`:
- Around line 120-142: Update the docs block describing the "disable Docker
scanning" example to reflect current behavior: mention that with
enable_prerelease_check defaulting to true the prerelease scan will still run,
and remove or clarify the outdated Docker Scout statement so it matches the
later note referenced (Line 250). Specifically edit the PR Security Scan example
text to state that setting enable_docker_scan: false skips Docker build/vuln
scanning but does not disable the prerelease check (enable_prerelease_check
remains true by default) and ensure the bullet list no longer incorrectly
implies Docker Scout behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 28ceb1fc-df29-4c55-9cbd-58a47af7fe67

📥 Commits

Reviewing files that changed from the base of the PR and between f89fd13 and 927fb87.

📒 Files selected for processing (2)
  • .github/workflows/pr-security-scan.yml
  • docs/pr-security-scan-workflow.md

Comment on lines +163 to +165
This will run all standard scans plus CodeQL analysis scoped to changed paths. Results are posted as a separate PR comment and uploaded to the GitHub Security tab.

**Requirements:**
- Docker Hub account with Scout access (Free, Team, or Business)
- `DOCKER_USERNAME` and `DOCKER_PASSWORD` secrets configured
- `enable_docker_scan` must also be `true` (default) — Scout reuses the same image built for Trivy scanning
**Supported languages:** `go`, `javascript-typescript`, `actions`, `python`, `java-kotlin`, `csharp`, `ruby`, `swift`, `cpp`

⚠️ Potential issue | 🟡 Minor

Security-tab upload is documented as unconditional, but it is opt-in.

The workflow only uploads CodeQL SARIF when codeql_upload_sarif: true is set. The current wording says results are uploaded to the GitHub Security tab whenever CodeQL is enabled, which will mislead callers using the default configuration.

Also applies to: 199-199, 547-547

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/pr-security-scan-workflow.md` around lines 163 - 165, Update the
documentation text that currently states "Results are posted as a separate PR
comment and uploaded to the GitHub Security tab" to clarify that SARIF upload to
the Security tab is opt-in and only happens when the configuration flag
codeql_upload_sarif: true is set; change the wording around the CodeQL section
(references to "CodeQL analysis" and the upload behavior) to explicitly note the
default is not to upload SARIF and callers must enable codeql_upload_sarif to
have results uploaded, and apply the same correction at the other occurrences
mentioned.

Comment on lines +167 to +180
### With Pre-release Version Gate

Pre-release checks are enabled by default. To disable:

```yaml
jobs:
security-scan:
uses: LerianStudio/github-actions-shared-workflows/.github/workflows/pr-security-scan.yml@v1.0.0
with:
enable_prerelease_check: false
secrets: inherit
```

When enabled, the workflow scans `go.mod`, `package.json`, and `Dockerfile` for version pins containing `-beta` or `-rc` suffixes and fails the PR if any are found.

⚠️ Potential issue | 🟡 Minor

The prerelease gate is branch-aware, not unconditional.

This section currently says the PR fails if any prerelease pins are found, but the workflow only exits non-zero on branches listed in prerelease_block_branches; other branches emit a warning. Update the prose to match the actual gate semantics.

Also applies to: 307-311

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/pr-security-scan-workflow.md` around lines 167 - 180, Update the prose
describing the prerelease gate to reflect that it is branch-aware: state that
when enable_prerelease_check is true the workflow scans go.mod, package.json,
and Dockerfile for prerelease suffixes (e.g., -beta, -rc) and emits a warning on
non-blocking branches, and only fails the PR (exits non-zero) for branches
listed in prerelease_block_branches; adjust the wording around the “With
Pre-release Version Gate” section and the corresponding lines mentioned so they
reference the enable_prerelease_check input and the prerelease_block_branches
behavior instead of saying it unconditionally fails the PR.
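To make the branch-aware semantics concrete, here is an added example (not the PR's prerelease-check action) of a minimal gate that scans the same file set for `-beta`/`-rc` pins and then warns or fails depending on whether the target branch is listed in `prerelease_block_branches`. The sample repository, the version regex, the record format and the function names are assumptions of this example; only the input names come from the workflow under review.

```shell
#!/bin/sh
# Added example, not the PR's prerelease-check action: a minimal, branch-aware prerelease gate.
# It scans go.mod, package.json and Dockerfile variants (Dockerfile, *.dockerfile, Dockerfile.*)
# for -beta/-rc version pins, then warns or fails depending on the target branch. The input
# name prerelease_block_branches mirrors the workflow discussed in this PR; everything else
# (sample repo, pattern, record format) is an assumption of this example.

PRERELEASE_PATTERN='[0-9]+\.[0-9]+(\.[0-9]+)?-(beta|rc)([.-]?[0-9]+)?'

# Build a constructed sample repository with four prerelease pins and one clean Dockerfile.
make_sample_repo() {
  dir=$(mktemp -d)
  cat > "$dir/go.mod" <<'EOF'
module example.com/app

go 1.22

require (
	github.com/example/lib v1.4.0
	github.com/example/preview v2.0.0-beta.3
)
EOF
  cat > "$dir/package.json" <<'EOF'
{ "dependencies": { "left-pad": "1.3.0", "next-thing": "^3.0.0-rc.1" } }
EOF
  printf 'FROM ghcr.io/example/base:2.1.0-rc.2\n' > "$dir/Dockerfile"
  printf 'FROM example/tool:0.9.0-beta\n'          > "$dir/app.dockerfile"
  printf 'FROM example/tool:0.9.0\n'               > "$dir/Dockerfile.dev"
  printf '%s\n' "$dir"
}

# Print one record per finding as "<relative file>|<line>:<content>", sorted for stable output.
scan_prerelease_pins() {
  root="$1"
  find "$root" -maxdepth 2 -type f \( -name go.mod -o -name package.json \
      -o -name Dockerfile -o -name '*.dockerfile' -o -name 'Dockerfile.*' \) \
  | sort | while IFS= read -r path; do
      rel="${path#"$root"/}"
      grep -n -E "$PRERELEASE_PATTERN" "$path" | while IFS= read -r hit; do
        printf '%s|%s\n' "$rel" "$hit"
      done
    done
}

count_prerelease_pins() {
  scan_prerelease_pins "$1" | wc -l | tr -d ' '
}

# Gate decision: $1 = target branch, $2 = comma-separated prerelease_block_branches,
# $3 = findings count. Returns 1 (fail) only when findings exist and the branch is blocked;
# otherwise returns 0 and, when there are findings, prints a warning instead of an error.
prerelease_gate() {
  branch="$1"; block_branches="$2"; count="$3"
  if [ "$count" -eq 0 ]; then
    return 0
  fi
  case ",$block_branches," in
    *",$branch,"*)
      printf '::error::%s pre-release version pin(s) found; blocked on %s\n' "$count" "$branch"
      return 1 ;;
  esac
  printf '::warning::%s pre-release version pin(s) found; not blocking on %s\n' "$count" "$branch"
  return 0
}
```

Source the file and run `repo=$(make_sample_repo); prerelease_gate main main,release-candidate "$(count_prerelease_pins "$repo")"`; the same call with `develop` as the branch prints a warning and exits 0, which is the behavior the comment above says the docs should describe.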

@coderabbitai coderabbitai bot left a comment

Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.


Actionable comments posted: 1

♻️ Duplicate comments (2)
src/security/prerelease-check/README.md (2)

15-15: ⚠️ Potential issue | 🟡 Minor

Fix the app-name default to match action metadata.

Line 15 documents `—`, but the action exports app-name with default ''. Keep the inputs contract exact.

As per coding guidelines, "Verify inputs table matches action.yml exactly (name, required, default)."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/security/prerelease-check/README.md` at line 15, The README inputs table
documents `app-name` default as `—` but the action metadata exports `app-name`
with default `''`; update the inputs table entry for `app-name` to exactly match
action metadata (set the Default column to `''`) so the inputs contract matches
the `app-name` input defined in the action metadata.

32-32: ⚠️ Potential issue | 🟡 Minor

Document all Dockerfile filename patterns actually scanned.

Line 32 lists only Dockerfile, while the action scans Dockerfile, *.dockerfile, and Dockerfile.*. This under-documents gate coverage.

As per coding guidelines, "Dockerfile paths Dockerfile, *.dockerfile, and Dockerfile.* under scan-ref."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/security/prerelease-check/README.md` at line 32, The README entry
currently lists only "Dockerfile" but the scanner actually checks three filename
patterns; update the documentation to enumerate all patterns scanned under the
scan-ref: "Dockerfile", "*.dockerfile", and "Dockerfile.*" so the table row (the
value currently shown as `Dockerfile`) accurately reflects the gate coverage
referenced by scan-ref.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/security/prerelease-check/action.yml`:
- Around line 90-96: The loop that emits GitHub Actions annotations uses
unescaped values and the existing escape_cmd only handled message escaping;
update or add an escape function (e.g., escape_cmd or escape_property) to
implement the full mappings: for message values replace % -> %25, \n -> %0A, \r
-> %0D; for property values (used for file and line) replace % -> %25, \n ->
%0A, \r -> %0D, : -> %3A, , -> %2C. Apply the message escaping to CONTENT when
building the annotation message and apply the property escaping to FILE and LINE
before interpolating into the ::warning file=...,line=...::... command so both
properties and the message are safely encoded.

---

Duplicate comments:
In `@src/security/prerelease-check/README.md`:
- Line 15: The README inputs table documents `app-name` default as `—` but the
action metadata exports `app-name` with default `''`; update the inputs table
entry for `app-name` to exactly match action metadata (set the Default column to
`''`) so the inputs contract matches the `app-name` input defined in the action
metadata.
- Line 32: The README entry currently lists only "Dockerfile" but the scanner
actually checks three filename patterns; update the documentation to enumerate
all patterns scanned under the scan-ref: "Dockerfile", "*.dockerfile", and
"Dockerfile.*" so the table row (the value currently shown as `Dockerfile`)
accurately reflects the gate coverage referenced by scan-ref.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: f00a24ab-b386-479c-a17f-43de088b27c1

📥 Commits

Reviewing files that changed from the base of the PR and between 927fb87 and 2edd134.

📒 Files selected for processing (2)
  • src/security/prerelease-check/README.md
  • src/security/prerelease-check/action.yml

Comment on lines +90 to +96
for f in "${FINDINGS[@]}"; do
FILE="${f%%|*}"
REST="${f#*|}"
LINE="${REST%%:*}"
CONTENT="${REST#*:}"
echo "::warning file=${SCAN_DIR}/${FILE},line=${LINE}::Unstable version pin: $(echo "$CONTENT" | sed 's/^[[:space:]]*//')"
done
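Review bot: On the annotation line (line 95), `echo "$CONTENT"` is used only to trim leading whitespace, but bash's builtin echo treats content that begins with `-n`, `-e` or `-E` as options and swallows it, so such a scanned line would yield an empty annotation message; prefer `printf '%s\n' "$CONTENT" | sed ...` or, cheaper, plain parameter expansion `CONTENT="${CONTENT#"${CONTENT%%[![:space:]]*}"}"`, which also avoids spawning a subshell per finding. The splits on the first `|` and the first `:` assume FILE never contains `|` (a repository path could), so a comment documenting the `file|line:content` record layout the parse implies, and where it is produced, would make the contract visible to the next maintainer.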

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

In GitHub Actions workflow commands (::warning, ::error), what escaping is required for untrusted message/property values, and what are the exact escape sequences for %, carriage return, and newline?

💡 Result:

When you build workflow commands yourself (e.g., echo "::warning ...::${msg}") and msg or any property value is untrusted, you must percent-escape characters that would otherwise be interpreted by the runner as command syntax.

Message (::{message}) escaping (escape “data”): replace, in this order % → CR → LF:

  • % → %25
  • \r (carriage return) → %0D
  • \n (newline) → %0A [1]

Property value (key=value in ::warning key=value,...::msg) escaping (escape “property”): do the same as message, plus escape separators used in the properties list:

  • % → %25
  • \r → %0D
  • \n → %0A
  • : → %3A
  • , → %2C [1][2]

Exact sequences requested: % ⇒ %25, carriage return ⇒ %0D, newline ⇒ %0A. [1]

Sources: [1] actions/toolkit @actions/core implementation (escapeData / escapeProperty), [2] GitHub Docs workflow command format.


Escape annotation payloads before emitting workflow commands.

Line 95 writes file content directly into a ::warning command. Unescaped %, carriage return, or newline in scanned content can corrupt command parsing and allow annotation/log injection.

The proposed fix is incomplete. In ::warning file=VALUE,line=VALUE::message format:

  • Message values need escaping: % → %25, \n → %0A, \r → %0D
  • Property values need escaping: % → %25, \n → %0A, \r → %0D, : → %3A, , → %2C

The suggested escape_cmd function only handles the message escaping but omits : and , escaping for the file property, and the line property is not escaped at all. Update the fix to escape both file and line properties with the full property-value escape set.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/security/prerelease-check/action.yml` around lines 90 - 96, the loop that
emits GitHub Actions annotations uses unescaped values and the existing
escape_cmd only handled message escaping; update or add an escape function
(e.g., escape_cmd or escape_property) to implement the full mappings: for
message values replace % -> %25, \n -> %0A, \r -> %0D; for property values (used
for file and line) replace % -> %25, \n -> %0A, \r -> %0D, : -> %3A, , -> %2C.
Apply the message escaping to CONTENT when building the annotation message and
apply the property escaping to FILE and LINE before interpolating into the
::warning file=...,line=...::... command so both properties and the message are
safely encoded.
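The escaping the review comment above asks for, as an added example that is not the PR's own code: bash functions mirroring the escapeData / escapeProperty mappings from @actions/core, applied to a constructed file, line and content triple before it is interpolated into a `::warning` command. The `warning_cmd` helper and the sample Dockerfile line are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the PR's code): percent-escaping for GitHub Actions
# workflow commands, following the escapeData / escapeProperty mappings.
set -euo pipefail

# Escape a value used as the message part of a workflow command.
# '%' is replaced first so the '%' inside %0D / %0A is not re-escaped.
escape_data() {
  local s=$1
  s=${s//%/%25}
  s=${s//$'\r'/%0D}
  s=${s//$'\n'/%0A}
  printf '%s' "$s"
}

# Escape a value used as a property (key=value) of a workflow command.
# Properties also need ':' and ',' escaped: ':' ends the property list and
# ',' separates properties, so either would let content add or cut fields.
escape_property() {
  local s
  s=$(escape_data "$1")
  s=${s//:/%3A}
  s=${s//,/%2C}
  printf '%s' "$s"
}

# Build a ::warning command from untrusted file, line and content values
# (hypothetical helper). Leading whitespace is trimmed with parameter
# expansion rather than echo|sed, so content starting with -n/-e is kept.
warning_cmd() {
  local file=$1 line=$2 content=$3
  content=${content#"${content%%[![:space:]]*}"}
  printf '::warning file=%s,line=%s::Unstable version pin: %s\n' \
    "$(escape_property "$file")" "$(escape_property "$line")" \
    "$(escape_data "$content")"
}

# Constructed sample: a scanned line carrying CR, LF and a second command,
# which unescaped would terminate the annotation and start a new one.
sample_content=$'  FROM node:20-rc\r\n::error::injected'
warning_cmd 'Dockerfile' '3' "$sample_content"
```

Once newlines are encoded the embedded `::error::` stays inside the message body, because the runner only parses a command at the start of a line.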


Labels

  • documentation: Improvements or additions to documentation
  • security: Changes to security workflows or vulnerability reporting policy
  • size/M: PR changes 200–499 lines
  • workflow: Changes to one or more reusable workflow files
