AGE-56: CI Security Scans & Dependabot Configuration#556
Conversation
…en Unicode, hardcoded credentials - Remove stray EOFcat heredoc artifact from SECURITY.md (fixes msitarzewski#530) - Quote zk-steward description to fix YAML colon parsing (fixes msitarzewski#473) - Strip hidden Unicode soft hyphens from mobile-app-builder and app-store-optimizer headings (fixes msitarzewski#478) - Replace hardcoded passwords with process.env.TEST_PASSWORD (fixes msitarzewski#477) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR adds security scanning infrastructure (Dependabot, PR-time security scans, weekly full scans) and makes several housekeeping fixes to agent definition files, including replacing hardcoded test passwords with environment variables and cleaning up a stray shell artifact in SECURITY.md.
Changes:
- Adds three GitHub workflows/configs for security:
dependabot.yml,security-scan-pr.yml,security-scan-weekly.yml. - Replaces hardcoded test credentials in testing docs with
process.env.TEST_PASSWORD. - Cleans up small formatting issues in agent markdown files (broken emoji headings, YAML quoting, stray
EOFcatline).
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| .github/dependabot.yml | New Dependabot config covering npm/pip/docker/github-actions. |
| .github/workflows/security-scan-pr.yml | New PR-time scanning workflow (Trivy, Semgrep, CodeQL, Grype). |
| .github/workflows/security-scan-weekly.yml | New weekly full scan workflow (Trivy, Semgrep, Fossa, SBOM, report). |
| SECURITY.md | Removes a stray EOFcat SECURITY.md line. |
| engineering/engineering-mobile-app-builder.md | Fixes a broken heading character. |
| marketing/marketing-app-store-optimizer.md | Fixes a broken heading character. |
| specialized/zk-steward.md | Quotes the YAML description value containing a colon. |
| testing/testing-api-tester.md | Replaces hardcoded password with env var. |
| testing/testing-performance-benchmarker.md | Replaces hardcoded password with env var. |
Comments suppressed due to low confidence (3)
.github/workflows/security-scan-pr.yml:1
- With
exit-code: 1, the Trivy step fails the job on any CRITICAL/HIGH finding, but the subsequentUpload Trivy results to GitHubstep usesif: always(), which is correct. However, because Trivy fails the job, theresults-summaryjob (which depends on this job) will reportfailureeven when the SARIF was uploaded successfully. Consider settingexit-code: 0and instead enforcing the security gate via the GitHub code-scanning policy on the uploaded SARIF, which gives a clearer signal and avoids false-positive failures of the summary job.
name: Security Scan — Pull Request
.github/dependabot.yml:1
- The repository contains only Markdown agent definitions and shell scripts and has no
package.json,requirements.txt/pyproject.toml, orDockerfileat the root. Dependabot will log errors for each of these ecosystems on every run because it cannot find a manifest. Remove thenpm,pip, anddockerentries (keeping onlygithub-actions), or add them only when corresponding manifests are introduced.
version: 2
.github/dependabot.yml:1
reviewersandassigneesmust be valid GitHub usernames ororg/team-slugreferences. Bare strings likeengineering-teamandsecurity-engineerwill be rejected (or silently ignored) by Dependabot. Use the fully qualified team slug, e.g.your-org/engineering-team, or remove these fields if the teams don't exist.
version: 2
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| codeql-scan: | ||
| name: CodeQL Analysis | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| language: [javascript, python, go, typescript] |
| container: | ||
| image: returntocorp/semgrep:latest |
| env: | ||
| TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db:2 |
| - name: Fossa init | ||
| run: | | ||
| curl -sL https://raw.githubusercontent.com/fossas/fossa-cli/master/install.sh | bash | ||
| fossa init 2>/dev/null || true | ||
|
|
||
| - name: Run Fossa analysis | ||
| run: | | ||
| fossa analyze 2>/dev/null || echo "Fossa analysis skipped (no config or no credentials)" |
| echo "| Scan | Status |" >> weekly-report.md | ||
| echo "|------|--------|" >> weekly-report.md | ||
| echo "| Trivy Full Scan | ${{ needs.trivy-full-scan.result }}" >> weekly-report.md | ||
| echo "| Semgrep Full Scan | ${{ needs.semgrep-full-scan.result }}" >> weekly-report.md | ||
| echo "| License Scan | ${{ needs.license-scan.result }}" >> weekly-report.md | ||
| echo "| SBOM Generated | ${{ needs.sbom-generate.result }}" >> weekly-report.md |
| const loginResponse = http.post(`${baseUrl}/api/auth/login`, { | ||
| email: 'test@example.com', | ||
| password: 'password123' | ||
| password: process.env.TEST_PASSWORD | ||
| }); |
|
Addressed the Copilot review feedback in commits e37fd35 and 9467e7f:
Remaining for full AGE-56 (requires admin access):
|
CEO Review — PR #556I've reviewed this PR as the final gate before human sign-off. Two observations: What's been addressed since Copilot reviewThe original Copilot review flagged three issues. The latest commit resolves all of them:
Remaining considerations before merge
RecommendationI recommend approving and merging this PR. The security workflow code is sound, all Copilot-flagged concerns have been resolved, and the only post-merge setup needed is the FOSSA_API_KEY secret for the weekly scan. |
Summary
Deploys security scanning workflows and Dependabot configuration across the monorepo as specified in AGE-37 CI Vulnerability Scanning.
Changes
Scanners
Remediation SLAs
Part of AGE-56