From c67e0b6747df42ab6bbdfb5ffc49ce83298158da Mon Sep 17 00:00:00 2001 From: Rahul Devikar Date: Mon, 9 Feb 2026 20:27:28 -0800 Subject: [PATCH 1/2] Add security workflows: pre-commit hooks, dependency review, CodeQL for JavaScript/TypeScript --- .github/workflows/codeql.yml | 44 +++++++++++++++++++++++++ .github/workflows/dependency-review.yml | 24 ++++++++++++++ .pre-commit-config.yaml | 43 ++++++++++++++++++++++++ 3 files changed, 111 insertions(+) create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/dependency-review.yml create mode 100644 .pre-commit-config.yaml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..8cbf0a5c --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,44 @@ +# CodeQL Analysis for JavaScript/TypeScript +name: CodeQL + +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: + # Run every Monday at 9:00 AM UTC + - cron: '0 9 * * 1' + +permissions: + actions: read + contents: read + security-events: write + +jobs: + analyze: + name: Analyze JavaScript/TypeScript + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: '20' + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: javascript-typescript + queries: +security-extended,security-and-quality + + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:javascript-typescript" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 00000000..9ae691e4 --- /dev/null +++ b/.github/workflows/dependency-review.yml 
@@ -0,0 +1,24 @@ +# Dependency Review - blocks PRs that introduce known-vulnerable dependencies +name: Dependency Review + +on: + pull_request: + branches: [main] + +permissions: + contents: read + pull-requests: write + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Dependency Review + uses: actions/dependency-review-action@v4 + with: + fail-on-severity: high + comment-summary-in-pr: always + deny-licenses: GPL-3.0, AGPL-3.0 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 00000000..6cc580b9 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,43 @@ +# Pre-commit hooks for Agent365-nodejs +# Install: pip install pre-commit && pre-commit install +# Run manually: pre-commit run --all-files + +repos: + # Gitleaks - detect secrets in code + - repo: https://github.com/gitleaks/gitleaks + rev: v8.18.4 + hooks: + - id: gitleaks + + # Whitespace fixes + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.6.0 + hooks: + - id: trailing-whitespace + args: [--markdown-linebreak-ext=md] + - id: end-of-file-fixer + - id: mixed-line-ending + args: [--fix=lf] + - id: check-merge-conflict + - id: check-yaml + args: [--allow-multiple-documents] + - id: check-json + + # Node.js/TypeScript specific + - repo: https://github.com/pre-commit/mirrors-eslint + rev: v9.5.0 + hooks: + - id: eslint + files: \.[jt]sx?$ + types: [file] + additional_dependencies: + - eslint@9.5.0 + - typescript + - "@typescript-eslint/parser" + - "@typescript-eslint/eslint-plugin" + + - repo: https://github.com/pre-commit/mirrors-prettier + rev: v4.0.0-alpha.8 + hooks: + - id: prettier + types_or: [javascript, typescript, json, yaml, markdown] From 51bfb7b7b26fe0101d6a61a6fc4ba849e951a711 Mon Sep 17 00:00:00 2001 
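Review bot: Both steps in this workflow are referenced by mutable major tags (`uses: actions/checkout@v4`, `uses: actions/dependency-review-action@v4`), so the job that is meant to gate vulnerable dependencies is itself exposed to a moved tag or a compromised upstream release; pin each to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/dependency-review-action@<full-commit-sha> # v4`. `fail-on-severity: high` means moderate and low advisories never fail the check and surface only through the PR comment, which is a defensible choice but should be stated in the header, e.g. `# Blocks on high/critical advisories only; moderate/low are reported in the PR comment`. The action also depends on the repository's dependency graph being enabled, which this change cannot show — worth confirming on the repo before relying on it as a gate.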
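Review bot: In the eslint hook's `additional_dependencies`, `typescript`, `"@typescript-eslint/parser"` and `"@typescript-eslint/eslint-plugin"` carry no version, so each fresh pre-commit environment resolves them to whatever npm publishes that day — an unpinned, unreviewed install path inside a change whose purpose is supply-chain hygiene, and one that can break the hook when a new major of those packages ships. Pin them the way `eslint@9.5.0` is pinned, e.g. `- "@typescript-eslint/parser@<version>"`, and keep them on a release compatible with the pinned eslint. The prettier mirror is pinned to a prerelease (`rev: v4.0.0-alpha.8`); either move to a stable rev or add a comment saying why the alpha is wanted. Finally, the gitleaks hook runs only on the committer's machine and is skipped by `git commit --no-verify`, so it does not enforce anything by itself; the header should say so, e.g. `# Gitleaks here is a convenience check; secret scanning in CI / push protection is the enforcing control`, and such a CI job is not part of this series.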
From: Rahul Devikar Date: Mon, 9 Feb 2026 20:39:43 -0800 Subject: [PATCH 2/2] Add security workflows: pre-commit hooks, dependency review --- .github/workflows/codeql.yml | 44 ------------------------- .github/workflows/dependency-review.yml | 2 +- .pre-commit-config.yaml | 4 +-- 3 files changed, 3 insertions(+), 47 deletions(-) delete mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 8cbf0a5c..00000000 --- a/.github/workflows/codeql.yml +++ /dev/null @@ -1,44 +0,0 @@ -# CodeQL Analysis for JavaScript/TypeScript -name: CodeQL - -on: - push: - branches: [main] - pull_request: - branches: [main] - schedule: - # Run every Monday at 9:00 AM UTC - - cron: '0 9 * * 1' - -permissions: - actions: read - contents: read - security-events: write - -jobs: - analyze: - name: Analyze JavaScript/TypeScript - runs-on: ubuntu-latest - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version: '20' - - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: javascript-typescript - queries: +security-extended,security-and-quality - - - name: Autobuild - uses: github/codeql-action/autobuild@v3 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 - with: - category: "/language:javascript-typescript" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 9ae691e4..ab3c5558 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -21,4 +21,4 @@ jobs: with: fail-on-severity: high comment-summary-in-pr: always - deny-licenses: GPL-3.0, AGPL-3.0 + deny-licenses: GPL-3.0-only, AGPL-3.0-only diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 6cc580b9..96d068bc 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
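Review bot: The new `deny-licenses: GPL-3.0-only, AGPL-3.0-only` matches only the `-only` SPDX identifiers, so a dependency whose metadata declares `GPL-3.0-or-later` or `AGPL-3.0-or-later` — a form many packages use — is not blocked. If the intent is to reject any GPL-3/AGPL-3 licensing, list both variants: `deny-licenses: GPL-3.0-only, GPL-3.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later`. A short comment above the key stating which licenses are out of policy and why would also help the next person who edits the list.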
@@ -25,13 +25,13 @@ repos: # Node.js/TypeScript specific - repo: https://github.com/pre-commit/mirrors-eslint - rev: v9.5.0 + rev: v9.39.1 hooks: - id: eslint files: \.[jt]sx?$ types: [file] additional_dependencies: - - eslint@9.5.0 + - eslint@9.39.1 - typescript - "@typescript-eslint/parser" - "@typescript-eslint/eslint-plugin"