Release JavaScript Azure KMS Storage v1.0.0 #872
stas-schaller wants to merge 21 commits into master from
Conversation
| runs-on: ubuntu-latest | ||
| defaults: | ||
| run: | ||
| working-directory: ./sdk/javascript/packages/azure | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup Node.js 20.x | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '20.x' | ||
| cache: 'npm' | ||
| cache-dependency-path: sdk/javascript/packages/azure/package-lock.json | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Run tests | ||
| run: npm test |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium test
Copilot Autofix
AI 4 months ago
To resolve this issue, an explicit permissions block should be added to the workflow or at the job level to restrict GITHUB_TOKEN access in accordance with principle of least privilege. Since the job is only checking out code, installing dependencies, and running tests, it needs only read access to repository contents—contents: read—and does not require any write privileges. To implement the fix, add a permissions: block to the root of the workflow YAML (above jobs:) or within the job itself (recommended at the root for coverage of all jobs). No other imports, methods, or definitions are necessary; this is a direct configuration change within the workflow file.
| @@ -14,6 +14,8 @@ | ||
| - 'sdk/javascript/packages/azure/**' | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
| jobs: | ||
| test: | ||
| runs-on: ubuntu-latest |
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
| needs: generate-sbom | ||
| if: ${{ github.event.inputs.publish == 'true' }} | ||
| environment: prod | ||
| runs-on: ubuntu-latest | ||
|
|
||
| defaults: | ||
| run: | ||
| working-directory: ./sdk/javascript/packages/azure | ||
|
|
||
| steps: | ||
| - name: Get the source code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Retrieve secrets from KSM | ||
| id: ksmsecrets | ||
| uses: Keeper-Security/ksm-action@master | ||
| with: | ||
| keeper-secret-config: ${{ secrets.KSM_KSM_CONFIG }} | ||
| secrets: | | ||
| NScQiZwrHJFCPv1gL8TX6Q/field/password > env:NPM_TOKEN | ||
|
|
||
| - name: Install dependencies | ||
| run: npm install | ||
|
|
||
| - name: Build package | ||
| run: npm run build | ||
|
|
||
| - name: Publish package | ||
| run: npm publish |
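Review bot: `uses: Keeper-Security/ksm-action@master` in the "Retrieve secrets from KSM" step references a mutable branch, so whatever lands on that branch next runs with `KSM_KSM_CONFIG` and the npm publish token in reach on the next release; pin it to a tag or commit SHA (e.g. `uses: Keeper-Security/ksm-action@<commit-sha>`, placeholder) and do the same for `actions/checkout@v3`, which the test workflow in this same PR already has at v4. The install step also uses `npm install` where the test job uses `npm ci`; publishing from `npm ci` guarantees the shipped build is resolved from `package-lock.json` rather than a freshly re-resolved dependency tree.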
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 1 month ago
In general, fix this by adding an explicit permissions: section that grants only the minimal access required. For this workflow, neither job appears to need write access to repository contents, issues, or pull requests. They read the code (via actions/checkout) and interact with external services using separate secrets. Therefore, setting contents: read at the workflow level is an appropriate minimal starting point. If future changes require additional scopes, they can be added explicitly.
The best way to fix this without changing existing functionality is to add a workflow-level permissions: block directly under the name: (line 1). This will apply to both generate-sbom and publish-npm unless overridden per job. Use:
```yaml
permissions:
  contents: read
```
No other code or configuration changes are needed. We do not need any imports or additional methods, since this is purely a YAML configuration change.
| @@ -1,4 +1,6 @@ | ||
| name: Publish Azure Storage to NPM | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| workflow_dispatch: | ||
| inputs: |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Get the source code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v3 | ||
| with: | ||
| node-version: '20' | ||
|
|
||
| - name: Install package dependencies | ||
| run: npm install | ||
| working-directory: ./sdk/javascript/packages/azure | ||
|
|
||
| - name: Install Syft | ||
| run: | | ||
| echo "Installing Syft v1.18.1..." | ||
| curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /tmp/bin v1.18.1 | ||
| echo "/tmp/bin" >> $GITHUB_PATH | ||
|
|
||
| - name: Install Manifest CLI | ||
| run: | | ||
| echo "Installing Manifest CLI v0.18.3..." | ||
| curl -sSfL https://raw.githubusercontent.com/manifest-cyber/cli/main/install.sh | sh -s -- -b /tmp/bin v0.18.3 | ||
|
|
||
| - name: Create Syft configuration | ||
| run: | | ||
| cat > syft-config.yaml << 'EOF' | ||
| package: | ||
| search: | ||
| scope: all-layers | ||
| cataloger: | ||
| enabled: true | ||
| java: | ||
| enabled: false | ||
| python: | ||
| enabled: false | ||
| nodejs: | ||
| enabled: true | ||
| EOF | ||
|
|
||
| - name: Generate and upload SBOM | ||
| env: | ||
| MANIFEST_API_KEY: ${{ secrets.MANIFEST_TOKEN }} | ||
| run: | | ||
| JAVASCRIPT_SDK_DIR="./sdk/javascript" | ||
|
|
||
| # Get version from package.json | ||
| echo "Detecting Azure Storage version..." | ||
| if [ -f "${JAVASCRIPT_SDK_DIR}/packages/azure/package.json" ]; then | ||
| VERSION=$(grep -o '"version": "[^"]*"' "${JAVASCRIPT_SDK_DIR}/packages/azure/package.json" | cut -d'"' -f4) | ||
| echo "Detected version: ${VERSION}" | ||
| else | ||
| VERSION="1.0.0" | ||
| echo "Could not detect version, using default: ${VERSION}" | ||
| fi | ||
|
|
||
| echo "Generating SBOM with Manifest CLI..." | ||
| /tmp/bin/manifest sbom "${JAVASCRIPT_SDK_DIR}/packages/azure" \ | ||
| --generator=syft \ | ||
| --name=keeper-secrets-manager-javascript-storage-azure-kms \ | ||
| --version=${VERSION} \ | ||
| --output=spdx-json \ | ||
| --file=azure-storage-sbom.json \ | ||
| --api-key=${MANIFEST_API_KEY} \ | ||
| --publish=true \ | ||
| --asset-label=application,sbom-generated,nodejs,azure-storage \ | ||
| --generator-config=syft-config.yaml | ||
|
|
||
| echo "SBOM generated and uploaded successfully: azure-storage-sbom.json" | ||
| echo "---------- SBOM Preview (first 20 lines) ----------" | ||
| head -n 20 azure-storage-sbom.json | ||
|
|
||
| publish-npm: |
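Review bot: the fallback `VERSION="1.0.0"` in the "Generate and upload SBOM" step silently publishes an SBOM under a hard-coded version when `package.json` is not found; the path is fixed, so a missing file is a bug and the branch should `exit 1` instead. The grep/cut pair also depends on the exact `"version": "` spacing; `node -p "require('./sdk/javascript/packages/azure/package.json').version"` reads the field through the JSON parser. Separately, the two `curl -sSfL .../install.sh | sh` steps pin the Syft and Manifest CLI versions but fetch `install.sh` itself from the `main` branch of each repository with no checksum, so the script executed in a job that later handles `MANIFEST_TOKEN` is unpinned; fetch it by commit SHA or verify a known digest before running it.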
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 1 month ago
In general, the fix is to define an explicit permissions: block that restricts the GITHUB_TOKEN to the minimal scope needed. For this workflow, neither job appears to need repository write access: they check out code, install dependencies, run build and publish to external services, and upload SBOMs via Manifest’s API, all without writing back to the GitHub repository. Therefore, using contents: read (and no write permissions) is sufficient.
The best minimal fix without changing functionality is to add a top-level permissions: block just under the name: or on: section in .github/workflows/publish.npm.storage.azure.kms.yml. This applies to all jobs that don’t override it. We set:
```yaml
permissions:
  contents: read
```
No additional imports or methods are required, as this is a configuration-only change in the workflow file. Concretely, insert the permissions: block between the on: section and the jobs: section (i.e., after line 9 and the blank line 10, or directly on a new line after line 10), preserving indentation.
| @@ -8,6 +8,9 @@ | ||
| default: true | ||
| type: boolean | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| generate-sbom: | ||
| runs-on: ubuntu-latest |
* Bump version
* fix: resolve DOM Clobbering CVE-2024-43788 (#689)
* fix: resolve DOM Clobbering CVE-2024-43788
* Upgrade JavaScript tests GHA to use Node 20
* fixed moduleResolution in tsconfig, updated all dependencies
* Added Azure kms support to KSM javascript sdk
* Removed tsconfig from gitignore, moved rimraf to dev dependencies
* Fixed issues in building process due to type errors in @azure/msal-node
* Fixed issues related to encryption wiping out credentials if failed.
--------
Co-authored-by: Ivan Dimov <78815270+idimov-keeper@users.noreply.github.com>
Co-authored-by: satish_chandra <metron_satish@safebreach.com>
- Updates jws from 3.2.2 to 3.2.3 (via jsonwebtoken)
- Resolves HIGH severity vulnerability (CVSS 7.5)
- Fixes improper HMAC signature verification in auth0/node-jws
Fixes GHSA-7h2j-956f-4vf2 (CVE-2026-25547) DoS vulnerability
2e7332e to 0373e29
…-835) Object.keys(config) returns an array, so `key in Object.keys(config)` checks numeric indices and always returns false for real config keys. Replace with `key in config` to check property names on the object. Adds regression tests for both methods.
Summary
Release branch for v1.0.0 — initial release of the Azure Key Vault storage integration for the Keeper Secrets Manager JavaScript SDK.
Changes
New Features
- `AzureSessionConfig` credential config, and environment-variable-based `DefaultAzureCredential`
Bug Fixes
- `key in Object.keys(config)` checked array indices instead of object property names, causing `delete()` to silently no-op and `contains()` to always return `false`; fixed to `key in config`
Maintenance
- `@keeper-security/secrets-manager-core` dependency to v17.3.0
Breaking Changes
None.
Related Issues
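The bug fix listed in the summary, as an added illustration that is not the SDK's own code: a minimal config store with the original `key in Object.keys(config)` check beside the corrected `key in config` check, the regression exercise the fix calls for, and the one caveat of the corrected form (the `in` operator also reports inherited names). The class names, `hasOwnKey`, `exercise` and the sample config keys are constructed for this example.

```javascript
// Added example (not the SDK's own code): reproduces the `key in Object.keys(config)`
// defect described in this PR and shows the corrected `key in config` check.
// Class names and the sample config keys below are constructed for illustration.

// Buggy variant. `in` applied to an array tests the array's *indices*
// ("0", "1", ...), never its values, so a real property name never matches.
class BuggyConfigStore {
  constructor(config = {}) {
    this.config = config;
  }
  contains(key) {
    return key in Object.keys(this.config); // always false for property names
  }
  delete(key) {
    if (key in Object.keys(this.config)) {  // never true, so delete() is a no-op
      delete this.config[key];
      return true;
    }
    return false;
  }
}

// Fixed variant, matching the fix described in the PR: `in` applied to the
// object itself tests property names.
class FixedConfigStore {
  constructor(config = {}) {
    this.config = config;
  }
  contains(key) {
    return key in this.config;
  }
  delete(key) {
    if (key in this.config) {
      delete this.config[key];
      return true;
    }
    return false;
  }
}

// Caveat on `key in obj`: it also reports *inherited* names such as
// "toString" or "constructor" as present. If keys can come from untrusted
// input, an own-property check is the stricter choice.
function hasOwnKey(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Regression exercise for either store class: contains() before and after a
// delete(), plus the keys that remain. Sample config values are constructed.
function exercise(StoreClass) {
  const store = new StoreClass({
    clientId: 'example-client-id',   // constructed sample value
    tenantId: 'example-tenant-id',   // constructed sample value
  });
  const containsBefore = store.contains('clientId');
  const deleted = store.delete('clientId');
  const containsAfter = store.contains('clientId');
  return {
    containsBefore,
    deleted,
    containsAfter,
    remaining: Object.keys(store.config).join(','),
  };
}

console.log('buggy:', exercise(BuggyConfigStore));
console.log('fixed:', exercise(FixedConfigStore));
```

Running it shows the buggy store reporting `containsBefore: false`, `deleted: false` and both keys still present, while the fixed store reports `true`, `true`, `false` and only `tenantId` remaining. The `hasOwnKey` helper is the variant to reach for when the key names are not under the caller's control, since `'toString' in {}` is `true`.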