chore: add Dependabot configuration and critical-vuln gate#38
Conversation
📝 WalkthroughSummary
Risk: risk:medium Security-sensitive areas
Test coverage impact
Operational concerns
WalkthroughChangesSecurity Automation
Estimated code review effort: 3 (Moderate) | ~20 minutes Suggested labels: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/critical-vuln-check.yml:
- Line 36: Pin the reusable workflow reference to an immutable commit SHA
instead of the mutable `@main` ref. Update
.github/workflows/critical-vuln-check.yml:36 and
.github/workflows/dependabot-auto-merge.yml:35 to use the same verified SHA for
simplify9/.github/.github/workflows/critical-vuln-gate.yml.
- Around line 31-32: Remove the contents: write permission from the workflow
permissions block, retaining only security-events: read for the Dependabot alert
check and reusable action.
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 23-25: Add a concurrency configuration to the workflow containing
the pull_request trigger, using a group keyed to the workflow and pull request
identity and enabling cancellation of in-progress runs so newer Dependabot
updates supersede older runs.
- Line 47: Pin the dependabot/fetch-metadata action in the workflow to a full
commit SHA instead of the mutable v2 tag, while preserving the existing action
version and permissions configuration.
- Around line 58-61: Replace the inline GitHub Actions expression for
steps.metadata.outputs.package-ecosystem in the run block with a job-step
environment variable, then reference that variable in the notice command
alongside PR_URL. Keep the existing auto-merge command and behavior unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: simplify9/coderabbit/.coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 4fe8abdb-3800-42fa-ae13-4b7a8c8311e8
📒 Files selected for processing (3)
.github/dependabot.yml.github/workflows/critical-vuln-check.yml.github/workflows/dependabot-auto-merge.yml
📜 Review details
🧰 Additional context used
📓 Path-based instructions (1)
.github/workflows/**
⚙️ CodeRabbit configuration file
.github/workflows/**: Treat GitHub Actions changes as supply-chain sensitive.Check for:
- Overbroad permissions
- Missing explicit permissions blocks
- Unpinned third-party actions
- Unsafe pull_request_target usage
- Secret exposure
- Shell injection risks
- Untrusted input used in scripts
- Dangerous artifact upload/download behavior
- Missing least-privilege permissions
Files:
.github/workflows/dependabot-auto-merge.yml.github/workflows/critical-vuln-check.yml
🪛 zizmor (1.26.1)
.github/workflows/dependabot-auto-merge.yml
[error] 28-28: overly broad permissions (excessive-permissions): pull-requests: write is overly broad at the workflow level
(excessive-permissions)
[error] 29-29: overly broad permissions (excessive-permissions): contents: write is overly broad at the workflow level
(excessive-permissions)
[info] 60-60: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
[error] 35-35: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 47-47: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[warning] 28-28: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment
(undocumented-permissions)
[error] 41-41: spoofable bot actor check (bot-conditions): actor context may be spoofable
(bot-conditions)
[info] 39-39: workflow or action definition without a name (anonymous-definition): this job
(anonymous-definition)
[warning] 23-25: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting
(concurrency-limits)
.github/workflows/critical-vuln-check.yml
[error] 31-31: overly broad permissions (excessive-permissions): contents: write is overly broad at the workflow level
(excessive-permissions)
[error] 36-36: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[warning] 31-31: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment
(undocumented-permissions)
🔇 Additional comments (1)
.github/dependabot.yml (1)
1-36: LGTM!
| contents: write | ||
| security-events: read |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Inspect the reusable workflow to verify its actual permission requirements.
# Fetch the critical-vuln-gate.yml workflow file from simplify9/.github
gh api repos/simplify9/.github/contents/.github/workflows/critical-vuln-gate.yml \
--jq '.content' | base64 -d | grep -A5 'permissions:'Repository: simplify9/SW-CloudFiles
Length of output: 443
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the reusable action invoked by the workflow to see which permissions it actually needs.
gh api repos/simplify9/.github/contents/.github/actions/check-critical-vulns/action.yml --jq '.content' | base64 -d
printf '\n---\n'
# If the action is implemented via script, inspect the script entrypoint too.
gh api repos/simplify9/.github/contents/.github/actions/check-critical-vulns --jq '.[] | .path' | sed -n '1,20p'Repository: simplify9/SW-CloudFiles
Length of output: 10844
Drop contents: write here — this gate only queries Dependabot alerts and the reusable action takes a PAT/App token, so repository write access is unused. Narrow the job to the minimum scope needed.
🧰 Tools
🪛 zizmor (1.26.1)
[error] 31-31: overly broad permissions (excessive-permissions): contents: write is overly broad at the workflow level
(excessive-permissions)
[warning] 31-31: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment
(undocumented-permissions)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/critical-vuln-check.yml around lines 31 - 32, Remove the
contents: write permission from the workflow permissions block, retaining only
security-events: read for the Dependabot alert check and reusable action.
Source: Path instructions
|
|
||
| jobs: | ||
| vuln-gate: | ||
| uses: simplify9/.github/.github/workflows/critical-vuln-gate.yml@main |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Unpinned reusable workflow simplify9/.github/.github/workflows/critical-vuln-gate.yml@main — supply-chain risk.
Both workflows reference the same reusable workflow via a mutable @main branch ref. If simplify9/.github's main branch is compromised, arbitrary code executes with contents: write and security-events: read in every consuming repo. Pin to a commit SHA in both files.
.github/workflows/critical-vuln-check.yml#L36-L36: Replace@mainwith a pinned commit SHA..github/workflows/dependabot-auto-merge.yml#L35-L35: Replace@mainwith the same pinned commit SHA.
🧰 Tools
🪛 zizmor (1.26.1)
[error] 36-36: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
📍 Affects 2 files
.github/workflows/critical-vuln-check.yml#L36-L36(this comment).github/workflows/dependabot-auto-merge.yml#L35-L35
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/critical-vuln-check.yml at line 36, Pin the reusable
workflow reference to an immutable commit SHA instead of the mutable `@main` ref.
Update .github/workflows/critical-vuln-check.yml:36 and
.github/workflows/dependabot-auto-merge.yml:35 to use the same verified SHA for
simplify9/.github/.github/workflows/critical-vuln-gate.yml.
Sources: Path instructions, Linters/SAST tools
| on: | ||
| pull_request: | ||
| branches: [main, develop] |
There was a problem hiding this comment.
🚀 Performance & Scalability | 🔵 Trivial
Missing concurrency control allows redundant runs.
Multiple pushes to the same Dependabot PR trigger parallel workflow runs. Adding a concurrency group cancels superseded runs and saves CI minutes.
♻️ Proposed fix
on:
pull_request:
branches: [main, develop]
+concurrency:
+ group: dependabot-auto-merge-${{ github.event.pull_request.number }}
+ cancel-in-progress: true
+
permissions:📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| on: | |
| pull_request: | |
| branches: [main, develop] | |
| on: | |
| pull_request: | |
| branches: [main, develop] | |
| concurrency: | |
| group: dependabot-auto-merge-${{ github.event.pull_request.number }} | |
| cancel-in-progress: true |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 23-25: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting
(concurrency-limits)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/dependabot-auto-merge.yml around lines 23 - 25, Add a
concurrency configuration to the workflow containing the pull_request trigger,
using a group keyed to the workflow and pull request identity and enabling
cancellation of in-progress runs so newer Dependabot updates supersede older
runs.
Source: Linters/SAST tools
| steps: | ||
| - name: Fetch Dependabot metadata | ||
| id: metadata | ||
| uses: dependabot/fetch-metadata@v2 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🔵 Trivial
dependabot/fetch-metadata@v2 pinned to tag, not SHA.
While this is a first-party GitHub action, SHA pinning is recommended for security-sensitive workflows. A compromised tag would execute with pull-requests: write and contents: write in this repo's context.
🔒 Proposed fix
- uses: dependabot/fetch-metadata@v2
+ uses: dependabot/fetch-metadata@<full-commit-sha>📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| uses: dependabot/fetch-metadata@v2 | |
| uses: dependabot/fetch-metadata@<full-commit-sha> |
🧰 Tools
🪛 zizmor (1.26.1)
[error] 47-47: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/dependabot-auto-merge.yml at line 47, Pin the
dependabot/fetch-metadata action in the workflow to a full commit SHA instead of
the mutable v2 tag, while preserving the existing action version and permissions
configuration.
Source: Linters/SAST tools
| run: | | ||
| set -euo pipefail | ||
| echo "::notice title=🤖 [AUTO-MERGE] Enabling auto-merge::${PR_URL} — patch-level ${{ steps.metadata.outputs.package-ecosystem }} bump, vuln gate passed" | ||
| gh pr merge --auto --squash "$PR_URL" |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
Template injection in echo via inline expansion.
${{ steps.metadata.outputs.package-ecosystem }} is expanded directly into the run block. While the value is Dependabot-controlled and the job is gated on dependabot[bot] actor, use an environment variable for defense-in-depth — PR_URL is already passed this way.
As per path instructions, GitHub Actions changes should be checked for shell injection risks and untrusted input used in scripts.
🛡️ Proposed fix
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_URL: ${{ github.event.pull_request.html_url }}
+ PACKAGE_ECOSYSTEM: ${{ steps.metadata.outputs.package-ecosystem }}
run: |
set -euo pipefail
- echo "::notice title=🤖 [AUTO-MERGE] Enabling auto-merge::${PR_URL} — patch-level ${{ steps.metadata.outputs.package-ecosystem }} bump, vuln gate passed"
+ echo "::notice title=🤖 [AUTO-MERGE] Enabling auto-merge::${PR_URL} — patch-level ${PACKAGE_ECOSYSTEM} bump, vuln gate passed"
gh pr merge --auto --squash "$PR_URL"📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| run: | | |
| set -euo pipefail | |
| echo "::notice title=🤖 [AUTO-MERGE] Enabling auto-merge::${PR_URL} — patch-level ${{ steps.metadata.outputs.package-ecosystem }} bump, vuln gate passed" | |
| gh pr merge --auto --squash "$PR_URL" | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| PACKAGE_ECOSYSTEM: ${{ steps.metadata.outputs.package-ecosystem }} | |
| run: | | |
| set -euo pipefail | |
| echo "::notice title=🤖 [AUTO-MERGE] Enabling auto-merge::${PR_URL} — patch-level ${PACKAGE_ECOSYSTEM} bump, vuln gate passed" | |
| gh pr merge --auto --squash "$PR_URL" |
🧰 Tools
🪛 zizmor (1.26.1)
[info] 60-60: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/dependabot-auto-merge.yml around lines 58 - 61, Replace
the inline GitHub Actions expression for
steps.metadata.outputs.package-ecosystem in the run block with a job-step
environment variable, then reference that variable in the notice command
alongside PR_URL. Keep the existing auto-merge command and behavior unchanged.
Sources: Path instructions, Linters/SAST tools
Adds
.github/dependabot.yml(category:nuget-api, target-branch:main),.github/workflows/critical-vuln-check.yml, and.github/workflows/dependabot-auto-merge.ymlas part of the org-wide Dependabot rollout.