Add GitHub Actions workflow for private security scan#477
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files:
@@ Coverage Diff @@
## main #477 +/- ##
=======================================
Coverage 99.59% 99.59%
=======================================
Files 51 51
Lines 997 997
Branches 346 346
=======================================
Hits 993 993
Misses 4 4
Pull request overview
Adds a scheduled + manually-triggerable GitHub Actions workflow to run MetroStar’s Epyon private-repo security scanning against this repository.
Changes:
- Introduces a new workflow triggered nightly (cron) and via workflow_dispatch.
- Wires workflow inputs (scan mode, subdirectory, Garak settings) through to the Epyon reusable workflow.
- Configures permissions and concurrency for the scan job.
| name: Private Security Scan | ||
|
|
||
| # Epyon private-repo scanner entrypoint. | ||
| # This workflow delegates execution to the local reusable workflow. |
The header comment says this delegates to a "local reusable workflow", but the job actually calls a reusable workflow in the external MetroStar/epyon repository. Please update the comment to accurately describe where the workflow is sourced from (or switch to a local reusable workflow if that was the intent).
| # This workflow delegates execution to the local reusable workflow. | |
| # This workflow delegates execution to the reusable workflow in the MetroStar/epyon repository. |
| pull-requests: write | ||
| security-events: write | ||
| issues: write | ||
| uses: MetroStar/epyon/.github/workflows/epyon-scan.yml@main |
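Review bot: the three write scopes directly above the uses: line (pull-requests, security-events, issues) are granted to a workflow that lives in another repository, and nothing in the hunk records why each one is needed. Add a short comment per scope stating what the scan does with it, and drop any scope the scan does not use, so the called workflow's token carries no more access than the job requires.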
The reusable workflow is referenced with @main, which is mutable. For supply-chain safety, pin reusable workflow calls to an immutable ref (a tag or, preferably, a full commit SHA) so a change upstream can’t silently alter what runs in this repository.
| uses: MetroStar/epyon/.github/workflows/epyon-scan.yml@main | |
| uses: MetroStar/epyon/.github/workflows/epyon-scan.yml@v1 |
| garak_target_type: ${{ github.event.inputs.garak_target_type || 'openai' }} | ||
| garak_target_name: ${{ github.event.inputs.garak_target_name || 'gpt-4o-mini' }} | ||
| garak_probes: ${{ github.event.inputs.garak_probes || 'promptinject' }} | ||
| secrets: inherit |
secrets: inherit passes all repository/environment secrets to the called workflow in another repo. To reduce blast radius if the upstream workflow is ever compromised (or misbehaves), pass only the specific secrets the scan needs (and keep the reusable workflow ref pinned to an immutable SHA).
| secrets: inherit | |
| secrets: | |
| EPYON_SCAN_TOKEN: ${{ secrets.EPYON_SCAN_TOKEN }} |
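A small linter for the two supply-chain points raised in the review above (a mutable `@main` ref and `secrets: inherit`), added here as an example and not part of the PR or the Epyon project. It is stricter than the suggested `@v1` change in that it accepts only a full 40-character commit SHA; `audit_workflow`, the rule names and the sample text are assumptions made for the illustration.

```python
import re

# Constructed sample mirroring the job under review (not the PR's full file).
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    permissions:
      pull-requests: write
      security-events: write
      issues: write
    uses: MetroStar/epyon/.github/workflows/epyon-scan.yml@main
    secrets: inherit
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
INHERIT = re.compile(r"^\s*secrets:\s*inherit\s*(?:#.*)?$")


def audit_workflow(text):
    """Return (line_no, rule, detail) findings for one workflow file's text."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # ignore commented-out lines
        m = USES.match(line)
        if m:
            target = m.group(1)
            # Local paths and docker:// images carry no git ref to check.
            if target.startswith(("./", "docker://")):
                continue
            path, sep, ref = target.rpartition("@")
            if not sep:
                findings.append((no, "missing-ref", f"{target} has no @ref"))
            elif not FULL_SHA.match(ref):
                findings.append((no, "mutable-ref",
                                 f"{path} is pinned to '{ref}', not a full commit SHA"))
        elif INHERIT.match(line):
            findings.append((no, "secrets-inherit",
                             "every secret is passed to the called workflow"))
    return findings


if __name__ == "__main__":
    for no, rule, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {no}: {rule}: {detail}")
```

Run over `.github/workflows/*.yml` in CI, a non-empty result can fail the build before a mutable ref or inherited secrets reach the default branch.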
Description
Adding Epyon file for code scanning checks. This will run nightly and can be run through Actions manually.