Integrate typos tool into CI

[SolariSystems]

Superseded by PR #7011 — this PR is closed.

[SolariSystems]

Hi! Following up on this PR. Let me know if there are any changes needed or if anything should be adjusted. Happy to iterate on feedback. Thanks!

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[neo-by-projectdiscovery-dev]

Neo Security Audit

High: 2 · Medium: 7

Highlights

• All GitHub Actions remain properly pinned to commit SHAs (actions/checkout, projectdiscovery/actions/*)
• Workflow triggers are limited to push events on dev branch and manual workflow_dispatch

High (2)

• Unpinned GitHub Action: projectdiscovery/actions/setup/git — .github/workflows/memogen.yaml:0
  Action projectdiscovery/actions/setup/git@v1 uses mutable tag instead of commit SHA
• Unpinned GitHub Action: projectdiscovery/actions/commit — .github/workflows/memogen.yaml:0
  Action projectdiscovery/actions/commit@v1 uses mutable tag instead of commit SHA

Medium (7)

• Unpinned GitHub Actions allow supply chain attacks — .github/workflows/typos.yml:0
  GitHub Actions are pinned to mutable tags (@v2) instead of immutable commit SHAs. An attacker who compromises the actions/checkout or actions/setup-python repositories could inject malicious code that would execute in this workflow.
• Unpinned GitHub Actions in typos.toml workflow — .github/workflows/typos.toml:0
  GitHub Actions are pinned to mutable tags (@v2) instead of immutable commit SHAs. Same vulnerability as typos.yml - allows supply chain attacks if upstream actions are compromised.
• Unpinned custom GitHub Actions in memogen workflow — .github/workflows/memogen.yaml:0
  Custom projectdiscovery actions are pinned to mutable tags (@v1, @v6) instead of commit SHAs. While these are internal actions, they still present supply chain risk if the actions repository is compromised.
• Suboptimal typos installation method in CI workflow — .github/workflows/typos.yml:0
  The workflow installs typos via pip (Python package manager) instead of using the official GitHub Action or pre-built binaries. While the PyPI package is legitimate, this approach is less secure and less efficient than the recommended methods.
• Unpinned pip package version allows supply chain drift — .github/workflows/typos.yml:0
  The command 'pip install typos' installs the latest version without pinning to a specific version or hash. This allows automatic updates that could introduce breaking changes or malicious code if the package is compromised.
• Suboptimal typos installation method in CI workflow — .github/workflows/typos.yml:1
  The workflow installs typos via pip (Python package manager) instead of using the official GitHub Action or pre-built binaries. While the PyPI package is legitimate, this approach is less secure and less efficient than the recommended methods.
• Unpinned pip package version allows supply chain drift — .github/workflows/typos.yml:1
  The command 'pip install typos' installs the latest version without pinning to a specific version or hash. This allows automatic updates that could introduce breaking changes or malicious code if the package is compromised.

Attack Examples

Unpinned GitHub Actions allow supply chain attacks (.github/workflows/typos.yml:0):

Attacker compromises actions/checkout repo and publishes malicious v2 tag that exfiltrates GITHUB_TOKEN and repository secrets

Unpinned GitHub Action: projectdiscovery/actions/setup/git (.github/workflows/memogen.yaml:0):

Attacker updates @v1 tag → malicious code runs in workflow → exfiltrates secrets from environment → pushes backdoor via line 29

Unpinned GitHub Action: projectdiscovery/actions/commit (.github/workflows/memogen.yaml:0):

Attacker updates @v1 tag → malicious commit action injects backdoor into codebase → automated push (line 29) deploys malicious code

Suggested Fixes

Unpinned GitHub Actions allow supply chain attacks (.github/workflows/typos.yml:0):

Pin actions to specific commit SHAs: uses: actions/checkout@<commit-sha> and uses: actions/setup-python@<commit-sha>. Use Dependabot to keep them updated.

Unpinned GitHub Actions in typos.toml workflow (.github/workflows/typos.toml:0):

Pin actions to specific commit SHAs: uses: actions/checkout@<commit-sha> and uses: actions/setup-python@<commit-sha>

Unpinned custom GitHub Actions in memogen workflow (.github/workflows/memogen.yaml:0):

Pin all actions to commit SHAs, including internal projectdiscovery/actions. Example: uses: actions/checkout@a12b3c4d5e6f... and uses: projectdiscovery/actions/setup/go@abc123...

Suboptimal typos installation method in CI workflow (.github/workflows/typos.yml:0):

Replace the Python setup and pip install steps with the official typos GitHub Action:

Unpinned pip package version allows supply chain drift (.github/workflows/typos.yml:0):

If continuing with pip installation, pin to a specific version and verify with hash:

Suboptimal typos installation method in CI workflow (.github/workflows/typos.yml:1):

Replace the Python setup and pip install steps with the official typos GitHub Action:

Unpinned pip package version allows supply chain drift (.github/workflows/typos.yml:1):

If continuing with pip installation, pin to a specific version and verify with hash:

Unpinned GitHub Action: projectdiscovery/actions/setup/git (.github/workflows/memogen.yaml:0):

Pin to commit SHA: uses: projectdiscovery/actions/setup/git@<commit-sha> # v1

Unpinned GitHub Action: projectdiscovery/actions/commit (.github/workflows/memogen.yaml:0):

Pin to commit SHA: uses: projectdiscovery/actions/commit@<commit-sha> # v1

AI Agent Fix Prompts

Suboptimal typos installation method in CI workflow (`.github/workflows/typos.yml:0`):

Replace pip install typos with official crate-ci/typos GitHub Action

Unpinned pip package version allows supply chain drift (`.github/workflows/typos.yml:0`):

Pin typos package version with hash verification or switch to official GitHub Action

Suboptimal typos installation method in CI workflow (`.github/workflows/typos.yml:1`):

Replace pip install typos with official crate-ci/typos GitHub Action

Unpinned pip package version allows supply chain drift (`.github/workflows/typos.yml:1`):

Pin typos package version with hash verification or switch to official GitHub Action

Hardening Notes

• All GitHub Actions remain properly pinned to commit SHAs (actions/checkout, projectdiscovery/actions/*)
• Workflow triggers are limited to push events on dev branch and manual workflow_dispatch
• Bot execution is prevented via actor check
• No user-controlled input flows into shell commands

_{Comment @neo help for available commands. · Open in Neo}

[neo-by-projectdiscovery-dev]

🟡 Unpinned GitHub Actions allow supply chain attacks (CWE-1357) — GitHub Actions are pinned to mutable tags (@v2) instead of immutable commit SHAs. An attacker who compromises the actions/checkout or actions/setup-python repositories could inject malicious code that would execute in this workflow.

Attack Example

Attacker compromises actions/checkout repo and publishes malicious v2 tag that exfiltrates GITHUB_TOKEN and repository secrets

Suggested Fix

Pin actions to specific commit SHAs: uses: actions/checkout@<commit-sha> and uses: actions/setup-python@<commit-sha>. Use Dependabot to keep them updated.

[neo-by-projectdiscovery-dev]

🟡 Unpinned GitHub Actions in typos.toml workflow (CWE-1357) — GitHub Actions are pinned to mutable tags (@v2) instead of immutable commit SHAs. Same vulnerability as typos.yml - allows supply chain attacks if upstream actions are compromised.

Suggested Fix

Pin actions to specific commit SHAs: uses: actions/checkout@<commit-sha> and uses: actions/setup-python@<commit-sha>

[neo-by-projectdiscovery-dev]

🟡 Unpinned custom GitHub Actions in memogen workflow (CWE-1357) — Custom projectdiscovery actions are pinned to mutable tags (@v1, @v6) instead of commit SHAs. While these are internal actions, they still present supply chain risk if the actions repository is compromised.

Suggested Fix

Pin all actions to commit SHAs, including internal projectdiscovery/actions. Example: uses: actions/checkout@a12b3c4d5e6f... and uses: projectdiscovery/actions/setup/go@abc123...

[neo-by-projectdiscovery-dev]

🟡 Suboptimal typos installation method in CI workflow — The workflow installs typos via pip (Python package manager) instead of using the official GitHub Action or pre-built binaries. While the PyPI package is legitimate, this approach is less secure and less efficient than the recommended methods.

Suggested Fix

Replace the Python setup and pip install steps with the official typos GitHub Action:

```yaml
- name: Check spelling with typos
  uses: crate-ci/typos@v1.28.3

Alternatively, install the pre-built binary directly:

- name: Install typos
  run: |
    curl -LsSf https://github.com/crate-ci/typos/releases/latest/download/typos-x86_64-unknown-linux-musl.tar.gz | tar xzf - -C /usr/local/bin

</details>

<details>
<summary><strong>AI Agent Prompt</strong></summary>

Replace pip install typos with official crate-ci/typos GitHub Action

</details>

[neo-by-projectdiscovery-dev]

🟡 Unpinned pip package version allows supply chain drift — The command 'pip install typos' installs the latest version without pinning to a specific version or hash. This allows automatic updates that could introduce breaking changes or malicious code if the package is compromised.

Suggested Fix

If continuing with pip installation, pin to a specific version and verify with hash:

```yaml
- name: Install typos
  run: |
    pip install typos==1.40.0 --require-hashes --hash=sha256:...

However, switching to the official GitHub Action (as recommended above) is the better solution as it uses pinned commit SHAs.

</details>

<details>
<summary><strong>AI Agent Prompt</strong></summary>

Pin typos package version with hash verification or switch to official GitHub Action

</details>

[neo-by-projectdiscovery-dev]

🟡 Suboptimal typos installation method in CI workflow — The workflow installs typos via pip (Python package manager) instead of using the official GitHub Action or pre-built binaries. While the PyPI package is legitimate, this approach is less secure and less efficient than the recommended methods.

Suggested Fix

Replace the Python setup and pip install steps with the official typos GitHub Action:

```yaml
- name: Check spelling with typos
  uses: crate-ci/typos@v1.28.3

Alternatively, install the pre-built binary directly:

- name: Install typos
  run: |
    curl -LsSf https://github.com/crate-ci/typos/releases/latest/download/typos-x86_64-unknown-linux-musl.tar.gz | tar xzf - -C /usr/local/bin

</details>

<details>
<summary><strong>AI Agent Prompt</strong></summary>

Replace pip install typos with official crate-ci/typos GitHub Action

</details>

[neo-by-projectdiscovery-dev]

🟡 Unpinned pip package version allows supply chain drift — The command 'pip install typos' installs the latest version without pinning to a specific version or hash. This allows automatic updates that could introduce breaking changes or malicious code if the package is compromised.

Suggested Fix

If continuing with pip installation, pin to a specific version and verify with hash:

```yaml
- name: Install typos
  run: |
    pip install typos==1.40.0 --require-hashes --hash=sha256:...

However, switching to the official GitHub Action (as recommended above) is the better solution as it uses pinned commit SHAs.

</details>

<details>
<summary><strong>AI Agent Prompt</strong></summary>

Pin typos package version with hash verification or switch to official GitHub Action

</details>

[neo-by-projectdiscovery-dev]

🟠 Unpinned GitHub Action: projectdiscovery/actions/setup/git (CWE-829) — Action projectdiscovery/actions/setup/git@v1 uses mutable tag instead of commit SHA

Attack Example

Attacker updates @v1 tag → malicious code runs in workflow → exfiltrates secrets from environment → pushes backdoor via line 29

Suggested Fix

Pin to commit SHA: uses: projectdiscovery/actions/setup/git@<commit-sha> # v1

[neo-by-projectdiscovery-dev]

🟠 Unpinned GitHub Action: projectdiscovery/actions/commit (CWE-829) — Action projectdiscovery/actions/commit@v1 uses mutable tag instead of commit SHA

Attack Example

Attacker updates @v1 tag → malicious commit action injects backdoor into codebase → automated push (line 29) deploys malicious code

Suggested Fix

Pin to commit SHA: uses: projectdiscovery/actions/commit@<commit-sha> # v1

[SolariSystems]

Closing — the linked issue #6871 has been closed. Thanks for the consideration.