fix: address OpenSSF Scorecard findings#91
Conversation
- Add SECURITY.md (#85) - Scope workflow token permissions to least privilege (#86) - Pin all GitHub Action dependencies to commit SHAs (#87) - Update vulnerable dependencies via npm audit fix (#88) - Add schedule trigger to CodeQL for full SAST coverage (#89) - Ensure CI and SAST run on all pushes and PRs (#90) Closes #85, #86, #87, #88, #89, #90 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughTop-level GitHub Actions workflows now declare empty workflow-level permissions ( Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 inconclusive)
✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Pull request overview
This PR hardens the repository to address OpenSSF Scorecard findings by adding a security policy, tightening GitHub Actions token permissions, pinning GitHub Actions to commit SHAs, updating vulnerable transitive npm deps, and expanding CodeQL coverage.
Changes:
- Add
SECURITY.mdsecurity policy and reporting process. - Update GitHub Actions workflows to use top-level
permissions: read-all, scope job permissions, and pinuses:actions to commit SHAs. - Run
npm audit fixto update vulnerable transitive dependencies (brace-expansion,yaml) inpackage-lock.json, and add a scheduled CodeQL run.
Reviewed changes
Copilot reviewed 9 out of 10 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| package-lock.json | Updates transitive dependencies to remediate reported vulnerabilities. |
| SECURITY.md | Adds a security policy and private vulnerability reporting instructions. |
| .github/workflows/sonarcloud.yml | Adds top-level read-only permissions and pins actions to SHAs. |
| .github/workflows/playwright-tests.yml | Adds top-level read-only permissions and pins actions to SHAs (but job permissions are too restrictive for cache/artifacts). |
| .github/workflows/nodejs-tests.yml | Adds top-level read-only permissions and pins actions to SHAs (but job permissions are too restrictive for cache). |
| .github/workflows/dependabot-automerge.yml | Moves to top-level read-only permissions and scopes write permissions to the dependabot job; pins actions. |
| .github/workflows/coverage.yml | Adds top-level read-only permissions and pins actions to SHAs. |
| .github/workflows/codeql-analysis.yml | Adds schedule trigger, top-level permissions, job-scoped write for security-events, and pins CodeQL actions. |
| .github/workflows/claude.yml | Adds top-level permissions and retains job-scoped permissions needed for PR/issue interactions; pins action. |
| .github/workflows/ci.yml | Adds top-level read-only permissions, scopes write to the autofix job, and pins actions to SHAs. |
There was a problem hiding this comment.
🧹 Nitpick comments (2)
SECURITY.md (1)
5-8: Consider replacinglatestwith concrete support targets.Using explicit branches/semver ranges (for example,
mainor>=x.y.z) makes the policy easier for reporters to interpret.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@SECURITY.md` around lines 5 - 8, The policy table currently lists "latest" as the supported Version; replace that ambiguous token with explicit support targets (e.g., a branch name like "main" or a semver range such as ">=1.2.0") so reporters know exactly what is supported; update the table row that contains "latest" under the Version column to a concrete branch or semver expression and adjust the Supported column if needed to reflect the exact coverage..github/workflows/coverage.yml (1)
3-3: Usepermissions: {}for deny-by-default workflow token baseline.
permissions: read-allat workflow scope is redundant—every job already defines explicit job-level permissions that override it. Tightening the default topermissions: {}is safer for future jobs and prevents accidental permission leakage if a new job without explicit permissions is added.Suggested change
-permissions: read-all +permissions: {}🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/coverage.yml at line 3, The workflow-level permission setting "permissions: read-all" is too permissive; change the workflow's top-level permissions to an explicit deny-by-default by replacing "permissions: read-all" with "permissions: {}" so job-level permissions remain authoritative and prevent accidental token privilege leakage.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In @.github/workflows/coverage.yml:
- Line 3: The workflow-level permission setting "permissions: read-all" is too
permissive; change the workflow's top-level permissions to an explicit
deny-by-default by replacing "permissions: read-all" with "permissions: {}" so
job-level permissions remain authoritative and prevent accidental token
privilege leakage.
In `@SECURITY.md`:
- Around line 5-8: The policy table currently lists "latest" as the supported
Version; replace that ambiguous token with explicit support targets (e.g., a
branch name like "main" or a semver range such as ">=1.2.0") so reporters know
exactly what is supported; update the table row that contains "latest" under the
Version column to a concrete branch or semver expression and adjust the
Supported column if needed to reflect the exact coverage.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 42c031e1-cefe-4ee5-806c-3dd5a982a534
⛔ Files ignored due to path filters (1)
package-lock.jsonis excluded by!**/package-lock.json
📒 Files selected for processing (9)
.github/workflows/ci.yml.github/workflows/claude.yml.github/workflows/codeql-analysis.yml.github/workflows/coverage.yml.github/workflows/dependabot-automerge.yml.github/workflows/nodejs-tests.yml.github/workflows/playwright-tests.yml.github/workflows/sonarcloud.ymlSECURITY.md
- Replace permissions: read-all with permissions: {} (deny-by-default)
- Use concrete version target (main branch) in SECURITY.md
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Jobs using actions/cache and actions/upload-artifact need actions: write permission at the job level to function correctly with deny-by-default workflow permissions. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The action has separate inputs for API keys vs OAuth tokens. CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.
|



Summary
SECURITY.mdfor security policy (Scorecard: Security-Policy (0/10) #85)permissions: read-allto all workflow files, with job-level scoping for write access (Scorecard: Token-Permissions (0/10) #86)brace-expansion,yaml) vianpm audit fix(Scorecard: Vulnerabilities (8/10) #88)scheduletrigger and ensurepush/pull_requesttriggers on CodeQL workflow for full SAST coverage (Scorecard: SAST (9/10) #89)pushandpull_requesttomain(Scorecard: CI-Tests (9/10) #90)Closes #85, #86, #87, #88, #89, #90
Test plan
npm auditreports 0 vulnerabilities🤖 Generated with Claude Code
Summary by CodeRabbit
Chores
Security