fix: harden supply-chain security — obfuscation scanner + advisory policy #458
SongotenU wants to merge 1 commit into
Conversation
…policy
- Add CI workflow (supply-chain-scan.yml) scanning PR diffs for obfuscation/supply-chain attack patterns
- Add .github/scripts/scan-obfuscation.sh: detection of packed code, hidden eval, global hijack, base64/hex payloads, build-config targeting
- Update SECURITY.md: actionable advisory link, email fallback, supply-chain as in-scope
- Non-blocking: scan runs on all PRs, auto-comments when suspicious patterns found but does not block merge
- Mitigates real-world supply-chain attacks seen in this repo (PR Egonex-AI#198, Egonex-AI#206, Egonex-AI#261)

@codex review this
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: eaa63fe3c6
| echo "Diff lines: $(wc -l < /tmp/pr-diff.txt)" | ||
|
|
||
| - name: Run obfuscation scanner | ||
| run: bash .github/scripts/scan-obfuscation.sh |
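Review bot: the `run: bash .github/scripts/scan-obfuscation.sh` step is coupled to the previous step only through the implicit /tmp/pr-diff.txt path that the `echo "Diff lines: ..."` line reads, so an empty or missing diff file prints "Diff lines: 0" and the scanner then reports a clean PR. Pass the path explicitly (`run: bash .github/scripts/scan-obfuscation.sh /tmp/pr-diff.txt`) and have the script fail early when its input is absent or empty, so a broken diff step surfaces as an error instead of a silent clean scan.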
Run the scanner from trusted code
Because the job checks out the PR head before this line, a malicious fork PR can change .github/scripts/scan-obfuscation.sh in the same PR to simply exit 0 or omit the dangerous patterns, so the supply-chain scan is bypassed exactly in the untrusted PRs it is meant to catch. Run the scanner from the base repository/workflow checkout or otherwise pin the script before checking out untrusted code.
| echo "Diff lines: $(wc -l < /tmp/pr-diff.txt)" | ||
|
|
||
| - name: Run obfuscation scanner | ||
| run: bash .github/scripts/scan-obfuscation.sh |
Make the manual-review path actually non-blocking
When scan-obfuscation.sh finds any warning it exits 1, and GitHub Actions keeps the job failed even though the following if: failure() comment step runs; without continue-on-error or capturing the exit code manually, PRs that only modify package.json or a build config will get a red check rather than the documented non-blocking warning, which can block merges if this workflow is required.
| await github.rest.issues.createComment({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| issue_number: context.issue.number, |
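Review bot: `github.rest.issues.createComment` keyed on `issue_number: context.issue.number` posts a new comment on every run, so each push to a flagged PR adds another warning and the thread fills with stale copies. Look up earlier comments with `github.rest.issues.listComments`, tag the scanner comment with a fixed marker string, and either `github.rest.issues.updateComment` the existing one or skip posting when the marker is already present, so maintainers see one current notice rather than a growing list.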
Avoid posting fork warnings with a read-only token
In fork PRs, which this workflow explicitly targets, the pull_request GITHUB_TOKEN is read-only, while creating an issue/PR comment requires issues: write or pull-requests: write; this github.rest.issues.createComment call will fail with a permission error instead of surfacing the scanner warning to maintainers unless the notification is moved to a privileged follow-up workflow or another safe reporting mechanism.
Summary

Hardens supply-chain security following real malicious PRs observed in this repo:

- astro.config.mjs via global['!'] hijack + packed self-decoding blob

Changes

1. SECURITY.md updates
   - Email fallback (security@egonex.ai) if advisories unavailable
2. Obfuscation scanner script (.github/scripts/scan-obfuscation.sh)
   Detects patterns commonly found in malicious PRs:
   - global['!'] / global = global hijacks
   - require rebinding via global
3. Supply-chain CI workflow (.github/workflows/supply-chain-scan.yml)

Test plan
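The following is an added example, not the PR's own scan-obfuscation.sh or workflow. It shows the two points discussed above in working shell: a scanner that checks only the lines a PR adds for the marker families the description lists (global hijack, require rebinding, hidden eval, packed code, base64/hex blobs, build-config targeting), and a wrapper that captures the scanner's exit code so a CI step stays non-blocking instead of relying on `if: failure()`. The pattern names and regexes, the function names `scan_diff` and `scan_verdict`, and the sample diffs are assumptions constructed for this example; the malicious sample is modelled on the astro.config.mjs incident the summary names and is not the real payload.

```shell
#!/bin/sh
# Added example (not the PR's .github/scripts/scan-obfuscation.sh): scan the
# lines a PR *adds* for obfuscation markers and report a verdict without
# failing the CI step. Pattern names and regexes are assumptions.

# "label regex" pairs; regexes are POSIX ERE and contain no literal spaces.
OBFUSCATION_PATTERNS=$(cat <<'EOF'
global-hijack global\[['"]!['"]\]|global[[:space:]]*=[[:space:]]*global
require-rebind global\.require[[:space:]]*=|require[[:space:]]*=[[:space:]]*global
hidden-eval (^|[^A-Za-z0-9_])eval[[:space:]]*\(|new[[:space:]]+Function[[:space:]]*\(
packed-code function[[:space:]]*\(p,a,c,k,e,[rd]\)
base64-blob ['"][A-Za-z0-9+/=]{80,}['"]
hex-blob (\\x[0-9a-fA-F]{2}){16,}
EOF
)

# Build/package files a malicious PR targets to get code run at install or build time.
BUILD_CONFIG_RE='^\+\+\+ .*(package\.json|astro\.config\.[cm]?js|vite\.config\.[cm]?js)$'

# scan_diff FILE: print one WARNING per matched label; return 1 if anything matched.
scan_diff() {
  diff_file=$1
  hits=0
  # Only added lines matter; '+++ b/path' file headers are checked separately below.
  added=$(grep '^+' "$diff_file" | grep -v '^+++ ' || true)
  while read -r label regex; do
    [ -n "$label" ] || continue
    if printf '%s\n' "$added" | grep -Eq -- "$regex"; then
      first=$(printf '%s\n' "$added" | grep -E -- "$regex" | head -n 1)
      printf 'WARNING %s: %s\n' "$label" "$first"
      hits=$((hits + 1))
    fi
  done <<EOF
$OBFUSCATION_PATTERNS
EOF
  if grep -Eq -- "$BUILD_CONFIG_RE" "$diff_file"; then
    printf 'WARNING build-config: build or package configuration modified\n'
    hits=$((hits + 1))
  fi
  if [ "$hits" -eq 0 ]; then return 0; else return 1; fi
}

# scan_verdict FILE: what a non-blocking CI step should do. The scanner's
# non-zero exit is captured with "|| rc=$?" instead of failing the job, the
# warnings go to stderr, and a one-word verdict is printed for later steps.
scan_verdict() {
  rc=0
  scan_diff "$1" >&2 || rc=$?
  if [ "$rc" -ne 0 ]; then echo "suspicious"; else echo "clean"; fi
}

# Constructed sample: a diff in the style of the malicious astro.config.mjs PR.
make_sample_diff() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
diff --git a/astro.config.mjs b/astro.config.mjs
--- a/astro.config.mjs
+++ b/astro.config.mjs
@@ -1,2 +1,7 @@
 import { defineConfig } from 'astro/config';
+global['!'] = global.require;
+const require = global['!'];
+eval(function(p,a,c,k,e,d){return p}('0',0,0,[],0,{}));
+const b = Buffer.from("QUJDREVGR0hJSktMTU5PUFFSU1RVVldYQUJDREVGR0hJSktMTU5PUFFSU1RVVldYQUJDREVGR0hJSktMTU5PUFFSU1RVVldY", "base64");
+const h = "\x68\x65\x6c\x6c\x6f\x20\x77\x6f\x72\x6c\x64\x20\x21\x21\x21\x21";
 export default defineConfig({});
EOF
  echo "$f"
}

# Constructed sample: an ordinary content change that must scan clean.
make_clean_diff() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
diff --git a/src/pages/index.astro b/src/pages/index.astro
--- a/src/pages/index.astro
+++ b/src/pages/index.astro
@@ -1,2 +1,3 @@
 ---
+const title = "Hello";
 ---
EOF
  echo "$f"
}

# Stand-alone demo on the constructed malicious diff.
sample=$(make_sample_diff)
echo "sample diff verdict: $(scan_verdict "$sample")"
rm -f "$sample"
```

Each label is reported at most once per diff, so the malicious sample yields seven warnings (six pattern labels plus build-config) and the verdict "suspicious", while the clean sample yields none. The exit-code capture in `scan_verdict` is the part that makes the step non-blocking; whether the script itself can be trusted still depends on the workflow checking it out from the base branch rather than from the PR head, which is a workflow-level concern this script cannot fix.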