Skip to content

Iand/recipe scanner updates #4584

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
iandouglas merged 2 commits into from
Sep 9, 2025
Merged

Iand/recipe scanner updates #4584

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
cf429b6
patching recipe scanning workflows for permissions changes
iandouglas Sep 9, 2025
ee08dd8
trying one more PR workflow change
iandouglas Sep 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion .github/workflows/recipe-security-scanner.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
name: Recipe Security Scan

on:
pull_request:
pull_request_target:
Copy link

Copilot AI Sep 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using pull_request_target instead of pull_request poses a security risk, especially in a security scanning workflow that has access to secrets (OPENAI_API_KEY, TRAINING_DATA_*). This trigger runs with repository write permissions and access to secrets even for external contributors, potentially allowing malicious actors to exfiltrate secrets or modify the repository.

Suggested change
pull_request_target:
pull_request:

Copilot uses AI. Check for mistakes.
types: [opened, synchronize, reopened]
paths:
- 'documentation/src/pages/recipes/data/recipes/**'
Expand All @@ -13,6 +13,7 @@ concurrency:
permissions:
contents: read
pull-requests: write
issues: write
statuses: write

jobs:
Expand Down Expand Up @@ -140,6 +141,12 @@ jobs:
# Set permissions for Docker container (scanner user is UID 1000)
sudo chmod -R 777 "$OUT" || true

# Verify secrets are available (without logging details)
if [ -z "$OPENAI_API_KEY" ] || [ -z "$TRAINING_DATA_LOW" ] || [ -z "$TRAINING_DATA_MEDIUM" ] || [ -z "$TRAINING_DATA_EXTREME" ]; then
echo "❌ One or more required secrets are missing or inaccessible"
exit 1
fi

# Initialize overall scan results
echo '{"scanned_recipes": [], "overall_status": "UNKNOWN", "failed_scans": 0}' > "$OUT/pr_scan_summary.json"

Expand Down
5 changes: 3 additions & 2 deletions .github/workflows/validate-recipe-pr.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,14 +1,15 @@
name: Validate Recipe PR

on:
pull_request:
pull_request_target:
Copy link

Copilot AI Sep 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using pull_request_target instead of pull_request can be a security risk as it runs with write permissions in the context of the target repository. This allows potentially malicious code from external contributors to access secrets and modify the repository. Consider using pull_request with explicit checkout of the PR branch if write permissions are needed, or ensure proper input validation and sandboxing.

Suggested change
pull_request_target:
pull_request:

Copilot uses AI. Check for mistakes.
types: [opened, synchronize, reopened]
paths:
- 'documentation/src/pages/recipes/data/recipes/**'

permissions:
contents: read
pull-requests: write
issues: write

jobs:
validate-recipe:
Expand Down Expand Up @@ -158,7 +159,7 @@ jobs:

# Check if this is a new file or an update to existing file
# Get list of changed files in this PR compared to base branch
CHANGED_FILES=$(git diff --name-only origin/${{ github.event.pull_request.base.ref }}...HEAD | grep "^$RECIPE_FILE$" || true)
CHANGED_FILES=$(git diff --name-only --diff-filter=AM origin/${{ github.event.pull_request.base.ref }}...HEAD | grep "^$RECIPE_FILE$" || true)
EXISTING_FILES=$(find documentation/src/pages/recipes/data/recipes/ -name "$FILENAME.yaml" -o -name "$FILENAME.yml" | grep -v "^$RECIPE_FILE$" || true)

if [ -n "$EXISTING_FILES" ] && [ -z "$CHANGED_FILES" ]; then
Expand Down
Loading