Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add buildability detection for Dockerfiles before attempting scan
- Skip if using private registries (ECR, GCR, ACR)
- Skip if requiring secret build args (TOKEN, KEY, PASSWORD, etc.)
- Show skip reason in job summary

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add summary job that runs after all scans complete
- Shows stack detection results (languages, container, IaC)
- Displays job status for each scanning category
- Posts consolidated PR comment via Argus security-summary action
- Links to Security tab for detailed findings

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Move GitHub context interpolation from run: scripts to env: blocks to prevent potential shell injection attacks via crafted branch names or other user-controlled inputs.

- Use env vars for detect outputs in summary job
- Use env var for image tag in container job
- Properly quote environment variables in shell commands

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
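As an added illustration (not a file from this PR), the two forms of a step that the commit above distinguishes: one that expands `${{ }}` expressions directly inside a `run:` script, and one that routes the same values through `env:` and quotes them. The `detect` job and its `languages` output are constructed stand-ins for the real stack detection.

```yaml
# Added illustration, not a file from this PR: the "before" and "after"
# forms of a step that prints user-controlled GitHub context.
name: Summary example
on: pull_request

jobs:
  detect:
    runs-on: ubuntu-latest
    outputs:
      languages: ${{ steps.stack.outputs.languages }}
    steps:
      - id: stack
        # Constructed stand-in for real stack detection.
        run: echo "languages=ruby,python" >> "$GITHUB_OUTPUT"

  # Before: `${{ }}` is expanded into the script text before the shell
  # parses it, so a branch name containing shell metacharacters changes
  # the script itself. Kept only to show the pattern the commit removes.
  summary-before:
    needs: detect
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Branch: ${{ github.head_ref }}"
          echo "Languages: ${{ needs.detect.outputs.languages }}"

  # After: the values enter the job only as environment variables, and the
  # double-quoted "$VAR" references hand them to commands as single
  # literal arguments, whatever characters they contain.
  summary-after:
    needs: detect
    runs-on: ubuntu-latest
    env:
      BRANCH: ${{ github.head_ref }}
      LANGUAGES: ${{ needs.detect.outputs.languages }}
      IMAGE_TAG: ${{ github.sha }}   # same pattern as the container job's image tag
    steps:
      - run: |
          echo "Branch: $BRANCH"
          echo "Languages: $LANGUAGES"
          echo "Image tag: $IMAGE_TAG"
```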
Remove duplicate summary logic (shell script + 100-line JavaScript) and let Argus security-summary action handle PR commenting directly with post_pr_comment: true. Reduces summary job from ~180 lines to 12 lines.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change scheduled scans from daily to weekly (Sundays 2 AM UTC)
- Add concurrency group to cancel outdated PR scan runs
- Keep main branch and scheduled runs completing fully

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
🔒 Security Scan Summary
Branch: | Workflow Run: 8 | Scanners Executed: 4

Scanner Results

🔍 Bandit Python Security
- Status: ✅ Completed
- 📊 Findings Summary: ✅ No security findings detected!
- 📁 Artifacts: Bandit Reports

🔬 CodeQL SAST ()
- Status: Completed
- Findings Summary
- Finding Details
- Artifacts: CodeQL Reports ()

🔍 OpenGrep SAST
- Status: Completed
- Findings Summary: ERROR: 394 error-severity findings need immediate attention; WARNING: 141 warning-severity findings should be reviewed
- Finding Details: Showing 20 of 535 findings. See artifacts for complete list.
- Artifacts: OpenGrep Reports

Generated by Argus
Replace 225-line custom workflow with 27-line reusable workflow. Argus handles language detection, scanner orchestration, and PR comments.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move permissions under job (not workflow level)
- Pass secrets explicitly instead of inherit

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reusable workflow requires actions:read, checks:write, id-token:write

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Includes packages:read needed by nested scanner jobs.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
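An added caller-workflow sketch, not the PR's own 27-line file, that puts together the settings the scheduling, permissions and secrets commits above describe: the weekly Sunday 02:00 UTC schedule with a concurrency group that cancels only superseded PR runs, permissions declared on the job rather than at workflow level with the scopes listed above, and secrets passed by name instead of `secrets: inherit`. The `security-events` and `pull-requests` scopes and the secret name `EXAMPLE_SCANNER_TOKEN` are assumptions, not values from this page.

```yaml
# Added illustration, not the workflow file in this PR.
name: Security Hardening

on:
  pull_request:
  push:
    branches: [main]
  schedule:
    - cron: "0 2 * * 0"   # weekly, Sundays 02:00 UTC

# Cancel superseded PR runs; let main-branch and scheduled runs finish.
concurrency:
  group: security-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

# No workflow-level `permissions:` block: the token is scoped per job.
jobs:
  security:
    permissions:
      contents: read          # repository checkout
      actions: read           # required by the reusable workflow
      checks: write           # required by the reusable workflow
      id-token: write         # required by the reusable workflow
      packages: read          # nested scanner jobs pull images
      security-events: write  # assumed: SARIF upload to the Security tab
      pull-requests: write    # assumed: consolidated PR comment
    uses: huntridge-labs/argus/.github/workflows/reusable-security-hardening.yml@0.6.8
    # Explicit secrets instead of `secrets: inherit`: only the named values
    # cross into the reusable workflow. EXAMPLE_SCANNER_TOKEN is a
    # placeholder; the real secret name is not on this page.
    secrets:
      EXAMPLE_SCANNER_TOKEN: ${{ secrets.EXAMPLE_SCANNER_TOKEN }}
```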
🛡️ Security Hardening Pipeline Results
Repository: huntridge-labs/vets-api

🔬 CodeQL SAST (Ruby)
- Status: Completed
- Findings Summary
- Finding Details
- Artifacts: CodeQL Reports (Ruby)

🔍 OpenGrep SAST
- Status: Completed
- Findings Summary: ERROR: 394 error-severity findings need immediate attention; WARNING: 141 warning-severity findings should be reviewed
- Finding Details: Showing 20 of 535 findings. See artifacts for complete list.
- Artifacts: OpenGrep Reports

🔍 Bandit Python Security
- Status: ✅ Completed
- 📊 Findings Summary: ✅ No security findings detected!
- 📁 Artifacts: Bandit Reports

🔍 GitLeaks
- Status: ⏭️ Skipped

🛡️ ClamAV
- Status: ✅ Completed
- Files Scanned: 13482
- 📁 Artifacts: ClamAV Reports

🐳 Container Security
- Status: ✅ Completed
- 📊 Combined Findings Summary: Scanned: 1 containers | Build Failures: 0
- 🔍 Detailed Findings by Container:
  🚨 postman: 129 vulnerabilities (125 unique); Image: Combined (Deduplicated)
  🔷 Trivy Scanner (89 findings, 58 unique)
  ...and 39 more
  ⚓ Grype Scanner (123 findings, 86 unique)
  ...and 73 more
- 📁 Artifacts: Container Scan Reports

🐳 Container Security (Parallel Scan)
- Status: ✅ Completed
- 📊 Combined Findings Summary: Scanned: 1 containers | Build Failures: 0
- 🔍 Detailed Findings by Container:
  🚨 postman: 129 vulnerabilities (125 unique); Image: Combined (Deduplicated)
  🔷 Trivy Scanner (89 findings, 58 unique)
  ...and 39 more
  ⚓ Grype Scanner (123 findings, 86 unique)
  ...and 73 more
- 📁 Artifacts: Container Scan Reports

🔍 Trivy IaC Scanner
- Status: ⏭️ Skipped (no IaC directory found)

🏗️ Checkov IaC Security
- Status: ⏭️ Skipped (no IaC directory found)

📦 OSV Dependency Scan
- Status:
- 📊 Severity Summary: 🚨 CRITICAL: 2 critical severity vulnerabilities require immediate attention
- 🔍 Vulnerability Details (21)

🚨 CRITICAL Severity (2)
| Package | Version | Fixed | ID | Summary |
|---|---|---|---|---|
| addressable | 2.8.9 | 2.9.0 | GHSA-h27x-rffw-24p4 | Addressable has a Regular Expression Denial of Service in Addressable templates |
| rack | 3.2.5 | 2.2.23 | GHSA-8vqr-qjwx-82mw | Rack's multipart parsing without Content-Length header allows unbounded chunked |
| rack | 3.2.5 | 2.2.23 | GHSA-h2jq-g4cq-5ppq | Rack::Static prefix matching can expose unintended files under the static root |
| rack | 3.2.5 | 3.1.21 | GHSA-v6x5-cg8r-vv6x | Rack's multipart header parsing allows Denial of Service via escape-heavy quoted |
| jsrsasign | 11.0.0 | 11.1.1 | GHSA-8g7p-jf3g-gxcp | jsrsasign is vulnerable to DoS through Infinite Loop when processing zero or neg |
| jsrsasign | 11.0.0 | 11.1.1 | GHSA-8qwj-4jxw-m8jw | jsrsasign: Negative Exponent Handling Leads to Signature Verification Bypass |
| jsrsasign | 11.0.0 | 11.1.1 | GHSA-w8q8-93cx-6h7r | jsrsasign: Missing cryptographic validation during DSA signing enables private k |
| jsrsasign | 11.0.0 | 11.1.1 | GHSA-wvqx-v3f6-w8rh | jsrsasign: DSA signatures or X.509 certificates can be forged via DSA domain-par |
🟡 MEDIUM Severity (9)
| Package | Version | Fixed | ID | Summary |
|---|---|---|---|---|
| rack | 3.2.5 | 2.2.23 | GHSA-7mqq-6cf9-v2qp | Rack has a root directory disclosure via unescaped regex interpolation in Rack:: |
| rack | 3.2.5 | 3.1.21 | GHSA-g2pf-xv49-m2h5 | Rack::Request accepts invalid Host characters, enabling host allowlist bypass |
| rack | 3.2.5 | 2.2.23 | GHSA-q2ww-5357-x388 | Rack has Content-Length mismatch in Rack::Files error responses |
| rack | 3.2.5 | 2.2.23 | GHSA-q4qf-9j86-f5mh | Rack::Static header_rules bypass via URL-encoded paths |
| rack | 3.2.5 | 3.1.21 | GHSA-qfgr-crr9-7r49 | Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing |
| rack | 3.2.5 | 2.2.23 | GHSA-qv7j-4883-hwh7 | Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized |
| rack | 3.2.5 | 3.2.6 | GHSA-rx22-g9mx-qrhv | Rack's improper unfolding of folded multipart headers preserves CRLF in parsed p |
| rack | 3.2.5 | 2.2.23 | GHSA-v569-hp3g-36wr | Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard A |
| rack | 3.2.5 | 2.2.23 | GHSA-x8cg-fq8g-mxfx | Rack's multipart byte range processing allows denial of service via excessive ov |
🔵 LOW Severity (2)
| Package | Version | Fixed | ID | Summary |
|---|---|---|---|---|
| rack | 3.2.5 | 2.2.23 | GHSA-vgpv-f759-9wx3 | Rack's greedy multipart boundary parsing can cause parser differentials and WAF |
| jsrsasign | 11.0.0 | 11.1.1 | GHSA-464q-cqxq-xhgr | jsrsasign: Division by Zero Allows Invalid JWK Modulus to Cause Deterministic Ze |
📊 Overall Security Score
Total Issues Found: 783
🔴 Attention Required - Multiple security issues found.
📋 Next Steps
- Review the detailed scanner results in the collapsible sections above
- Download and review security reports from workflow artifacts
- Address any critical or high-severity findings
- Consider enabling automated dependency updates
Last updated: 4/9/2026, 8:13:54 PM | Commit: f63a1a2
Summary
huntridge-labs/argus/.github/workflows/reusable-security-hardening.yml@0.6.8

Related issue(s)
Testing done
Screenshots
N/A - CI/CD workflow addition. See Security Scan Summary comment for scan output.
What areas of the site does it impact?
This adds a new GitHub Actions workflow for security scanning. It does not impact any application code or site functionality.
Acceptance criteria
Requested Feedback