feat: add missing security workflows (dependency-review, trivy, zizmor)#56
Co-authored-by: chrismaz11 <24700273+chrismaz11@users.noreply.github.com>
Set Compliance
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 862d41e3e7
| zizmor --format plain .github/workflows/ | ||
| EXIT_CODE=$? |
Preserve advisory behavior when zizmor reports findings
This step currently runs `zizmor --format plain .github/workflows/` as a standalone command, but GitHub Actions executes `run` scripts with `bash -e`, so a non-zero zizmor exit (i.e., findings detected) aborts the script before `EXIT_CODE=$?` and the warning path run. In practice, workflow-security findings will fail the job and block the PR, which contradicts the documented advisory intent for this workflow.
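The errexit behaviour Codex describes, reproduced as an added example (not code from the PR or the project): `fake_zizmor` is a constructed stand-in for `zizmor --format plain .github/workflows/` that exits 1 to simulate findings, and each step body runs in a child `bash -e`, as GitHub's default Linux `run:` shell does.

```shell
#!/usr/bin/env bash
# Added example, not from the PR. fake_zizmor is a constructed stand-in for
# `zizmor --format plain .github/workflows/`: like the real tool, it exits
# non-zero when it has findings. Each step body below runs in a child
# `bash -e`, which is how GitHub Actions runs `run:` scripts on Linux.

FAKE_ZIZMOR='fake_zizmor() { echo "warning: constructed finding in ci.yml"; return 1; }'

# The zizmor step as written in the PR. errexit aborts the script at the
# failing `fake_zizmor` line, so EXIT_CODE=$? and the warning are never
# reached and the step fails with the tool's status.
advisory_step_as_written() {
  bash -e -c "$FAKE_ZIZMOR"'
    fake_zizmor
    EXIT_CODE=$?
    if [ "$EXIT_CODE" -ne 0 ]; then
      echo "::warning::zizmor found workflow security findings (advisory)."
    fi
    exit 0
  '
}

# Fixed step: capturing the status in an || list exempts the command from
# errexit, and $? on the right-hand side is the failed command's status.
advisory_step_fixed() {
  bash -e -c "$FAKE_ZIZMOR"'
    EXIT_CODE=0
    fake_zizmor || EXIT_CODE=$?
    if [ "$EXIT_CODE" -ne 0 ]; then
      echo "::warning::zizmor found workflow security findings (advisory)."
    fi
    exit 0
  '
}

# Echo the exit status a job would record for a step body (0 = step passed).
# The && / || list keeps a non-zero status from tripping errexit here too.
step_status() {
  "$1" >/dev/null 2>&1 && echo 0 || echo $?
}

echo "as written: $(step_status advisory_step_as_written)"  # 1: PR blocked
echo "fixed:      $(step_status advisory_step_fixed)"       # 0: advisory only
```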
Pull request overview
Adds the missing GitHub Actions security workflows referenced in the repo’s compliance/security documentation, closing the gap between documented controls and implemented controls.
Changes:
- Adds a Dependency Review workflow to block PRs that introduce HIGH/CRITICAL vulnerable dependencies.
- Adds a Trivy filesystem scan workflow that uploads SARIF results to GitHub Code Scanning (with fork-PR upload safeguards).
- Adds a zizmor workflow to audit workflow-file changes in advisory mode.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/dependency-review.yml | Adds dependency diff vulnerability gating for PRs into master/work. |
| .github/workflows/trivy.yml | Adds Trivy FS scanning and SARIF upload to Code Scanning with fork-PR upload skip logic. |
| .github/workflows/zizmor.yml | Adds advisory zizmor auditing for changes under .github/workflows/**. |
| run: | | ||
| zizmor --format plain .github/workflows/ | ||
| EXIT_CODE=$? | ||
| if [ $EXIT_CODE -ne 0 ]; then | ||
| echo "::warning::zizmor found workflow security findings (advisory). Review the output above before merging." | ||
| fi | ||
| exit 0 |
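Review bot: the `EXIT_CODE=$?` line is unreachable whenever zizmor reports findings, because the default Linux `run:` shell is `bash -e` (errexit) and the bare `zizmor --format plain .github/workflows/` command exits non-zero on findings, so the script aborts before the `::warning::` annotation and the final `exit 0`. Capture the status on the same line instead, e.g. `EXIT_CODE=0` followed by `zizmor --format plain .github/workflows/ || EXIT_CODE=$?`, so the advisory path actually runs. Separately, the unconditional `exit 0` also turns a crash or missing zizmor binary into a warning; if the step is meant to prove the audit ran, check for that case before exiting 0.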
| permissions: | ||
| contents: read | ||
| security-events: write | ||
|
|
||
| jobs: | ||
| trivy: | ||
| name: Trivy filesystem scan | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| with: | ||
| persist-credentials: false | ||
|
|
||
| - name: Run Trivy filesystem scan | ||
| uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.30.0 |
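Review bot: `security-events: write` is granted at the workflow level here (the `permissions:` block sits above `jobs:`), so every job in this file inherits it, although only the SARIF upload step needs it. Keep `permissions: contents: read` at the top level and move `security-events: write` under the `trivy` job, so that any job added to this file later does not inherit write access to Code Scanning. Pinning `actions/checkout` and `aquasecurity/trivy-action` to full commit SHAs with version comments is good; the SARIF upload step and its fork-PR skip condition are outside this hunk, so that logic is not reviewed here.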
Three GitHub Actions security workflows referenced throughout compliance docs (`security-workflows.md`, `github-settings-checklist.md`, `security-posture.md`) did not exist in the repo, creating a gap between documented controls and implemented controls. This resolves that gap.

Changes

- `.github/workflows/dependency-review.yml` — blocks PRs on `master`/`work` that introduce HIGH/CRITICAL dependency vulnerabilities via `actions/dependency-review-action@v4.7.1`
- `.github/workflows/trivy.yml` — filesystem scan on every push/PR; uploads SARIF to code scanning; SARIF upload skipped on forked PRs to avoid permissions failure; advisory (non-blocking)
- `.github/workflows/zizmor.yml` — audits `/.github/workflows/**` changes for workflow security issues via `pip install zizmor`; advisory, emits `::warning::` annotation on findings rather than failing the job

All three workflows:

- `persist-credentials: false` on checkout
- `permissions: contents: read` at workflow level; `security-events: write` added only where SARIF upload requires it

What still requires manual GitHub UI action

Branch protection rulesets, Dependabot alerts, secret scanning, and CodeQL default setup — see `docs/github-settings-checklist.md`.