Automatic Security Review for new Resources #147
hesreallyhim started this conversation in Ideas
Replies: 0 comments
One issue I'm facing regarding submissions is ensuring that the list is free from malware or other libraries/configs that present a high risk to the users... I try to test out submissions in a container, or just on my local machine, and I sometimes ask Claude to give me a security review, especially for shell scripts, e.g.
I'd like to make this a more normalized process. One problem I'm struggling with: if I run a review on some repo and it tells me a bunch of issues, but the submission may still be worth considering, I would like to share the security review with the author, but GitHub doesn't offer any mailbox/chat functionality AFAIK and most repos don't have a Security reporting configuration set up.
So what I'm thinking is that as part of the resource validation process, I will have Claude (or maybe CodeQL) do a security review of the repo, and then post the results in the Issue comments. This may seem like a very public way to share the report - if there is a better alternative please let me know - but I thought if I shared the prompt that I would give to Claude then users could run it themselves before submitting their resource, and then there wouldn't be any surprises when the resource is submitted. So, something like:
"I maintain a repo where I share resources from GitHub for use with Claude Code. Users understand there is some inherent risk involved in some of these tools, so this does not have to be a 100% strict security review. However, I would like to be notified if you see any possible exploits, malware, or threat vectors that may be present in the codebase. Please do a thorough review of the following repository and evaluate it with respect to any particularly salient security threats - bear in mind that some of these projects may be in a "beta" stage - if you recognize a security issue, but the author has made clear notice of the risk, then that is acceptable."
Any thoughts? Not super-detailed on the prompt itself right now, I just made that ad hoc and would probably optimize it, but - do you think people would be comfortable with this kind of public security review? Any better ideas about how to do security vetting on resources and communicate with the author in a private channel if they don't have security reporting set up for their repo?
🙏
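The discussion above suggests that submitters run the same review themselves before submitting. As an added example (not code from this discussion or from the repository being maintained), the script below is one concrete form such a self-check could take: it walks a resource repo, picks out shell scripts, flags lines matching a handful of risky patterns (piping a download into a shell, `eval` on variable input, base64 decoding, recursive deletion under the home directory, `sudo`), and renders the findings as a Markdown table that fits in an issue comment. The rule set, severities, and the sample `install.sh` contents are constructed for illustration; none of them come from the page.

```python
"""Heuristic pre-submission self-check for shell scripts in a resource repo.

Added example, not part of the GitHub discussion or the repository it concerns.
The rules below are a small, constructed set of triage heuristics; they are a
starting point for a manual review, not a verdict on the script.
"""
import re
import sys
from pathlib import Path
from typing import List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    severity: str
    rule: str
    text: str


# (rule name, severity, pattern). Heuristics chosen for this example only.
RULES = [
    ("pipe-to-shell", "high",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|)sh\b")),
    ("eval-of-variable", "medium", re.compile(r"\beval\b.*\$")),
    ("base64-decode", "medium", re.compile(r"\bbase64\s+(-d|--decode)\b")),
    ("destructive-rm", "high",
     re.compile(r"\brm\s+-[a-z]*r[a-z]*\s+(/|~|\$HOME)")),
    ("sudo", "low", re.compile(r"\bsudo\b")),
]


def is_shell_script(path: Path) -> bool:
    """Treat *.sh/*.bash/*.zsh and files with a shell shebang as scripts."""
    if path.suffix in {".sh", ".bash", ".zsh"}:
        return True
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"#!" and b"sh" in fh.readline()
    except OSError:
        return False


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per (line, rule) match; comment lines are skipped."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        for rule, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, severity, rule, stripped))
    return findings


def scan_tree(root: Path) -> List[Finding]:
    """Scan every shell script under root, ignoring the .git directory."""
    findings: List[Finding] = []
    for path in sorted(root.rglob("*")):
        if ".git" in path.parts or not path.is_file():
            continue
        if is_shell_script(path):
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(str(path.relative_to(root)), text))
    return findings


def render_markdown(findings: List[Finding]) -> str:
    """Render findings as a Markdown table suitable for an issue comment."""
    if not findings:
        return "Heuristic scan: no risky shell patterns found.\n"
    order = {"high": 0, "medium": 1, "low": 2}
    lines = [
        "Heuristic scan of shell scripts (automated, please review manually):",
        "",
        "| Severity | File:line | Rule | Snippet |",
        "|---|---|---|---|",
    ]
    for f in sorted(findings, key=lambda f: (order[f.severity], f.path, f.line)):
        snippet = f.text.replace("|", "\\|")  # keep the table well-formed
        lines.append(f"| {f.severity} | `{f.path}:{f.line}` | {f.rule} | `{snippet}` |")
    return "\n".join(lines) + "\n"


# Constructed sample input: an installer script with several flagged lines.
SAMPLE_INSTALL_SH = """#!/usr/bin/env bash
# install.sh (constructed sample for this example)
set -euo pipefail
curl -fsSL https://example.invalid/setup.sh | bash
echo "aGVsbG8=" | base64 -d > /tmp/greeting
rm -rf $HOME/.config/tool
sudo cp tool /usr/local/bin/
"""


if __name__ == "__main__":
    # Usage: python selfcheck.py <path-to-repo>; with no argument, scan the sample.
    if len(sys.argv) > 1:
        print(render_markdown(scan_tree(Path(sys.argv[1]))))
    else:
        print(render_markdown(scan_text("install.sh", SAMPLE_INSTALL_SH)))
```

Run against a checkout with `python selfcheck.py path/to/repo` and paste the output into the submission issue; run with no argument to see the constructed sample, which yields two high, one medium and one low finding. Because the rules are regexes, expect false positives (a `curl ... | sh` line inside a heredoc, for instance) and treat each hit as a pointer to a line worth reading rather than as a confirmed problem.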