mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-05-06 10:47:12 +08:00
Adds two supply-chain controls that complement our existing pinning strategy (full-SHA action pins, exact-version source dep pins via uv.lock / package-lock.json) without undermining it.

.github/workflows/osv-scanner.yml

Detection-only scan of uv.lock and the ui-tui/website package-locks against the OSV vulnerability database. Runs on PRs that touch lockfiles, on push to main, and weekly against main so CVEs published after merge still surface. Uses Google's officially-recommended reusable workflow pinned by full SHA (v2.3.5). Findings upload to the Security tab; fail-on-vuln is disabled so pre-existing vulns in pinned deps do not block merges — we move pins deliberately, not under CI pressure.

.github/dependabot.yml

Scoped to github-actions only. Action pins must be moved when upstream publishes patches (often themselves security fixes); Dependabot opens a PR with the new SHA + release notes for normal review. Source-dependency ecosystems (pip, npm) are deliberately NOT enabled — automatic version-bump PRs against uv.lock / package-lock.json would fight our pinning strategy. CVE-driven security updates for source deps are enabled separately via the repo's Dependabot security updates setting (GitHub UI), which fires only when a pinned version becomes known-vulnerable.
68 lines
2.3 KiB
YAML
name: OSV-Scanner

# Scans lockfiles (uv.lock, package-lock.json) against the OSV vulnerability
# database. Runs on every PR that touches a lockfile and on a weekly schedule
# against main.
#
# This is detection-only — OSV-Scanner does NOT open PRs or modify pins.
# It reports known CVEs in currently-pinned dependency versions so we can
# decide when and how to patch on our own schedule. Our pinning strategy
# (full SHA / exact version) is preserved; only the notification signal
# is added.
#
# Complements the existing supply-chain-audit.yml workflow (which scans
# for malicious code patterns in PR diffs) by covering the orthogonal
# "currently-pinned dep became known-vulnerable" case.
#
# Uses Google's officially-recommended reusable workflow, pinned by SHA.
# Findings land in the repo's Security tab (Code Scanning > OSV-Scanner).
# fail-on-vuln is disabled so the job does not block merges on pre-existing
# vulnerabilities in pinned deps that we may need to patch deliberately.

on:
  pull_request:
    branches: [main]
    paths:
      - 'uv.lock'
      - 'pyproject.toml'
      - 'package.json'
      - 'package-lock.json'
      - 'ui-tui/package.json'
      - 'ui-tui/package-lock.json'
      - 'website/package.json'
      - 'website/package-lock.json'
      - '.github/workflows/osv-scanner.yml'
  push:
    branches: [main]
    paths:
      - 'uv.lock'
      - 'pyproject.toml'
      - 'package.json'
      - 'package-lock.json'
      - 'ui-tui/package-lock.json'
      - 'website/package-lock.json'
  schedule:
    # Weekly scan against main — catches CVEs published after merge for
    # deps that haven't changed since.
    - cron: '0 9 * * 1'
  workflow_dispatch:

permissions:
  # Required by the reusable workflow to upload SARIF to the Security tab.
  actions: read
  contents: read
  security-events: write

jobs:
  scan:
    name: Scan lockfiles
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c51854704019a247608d928f370c98740469d4b5 # v2.3.5
    with:
      # Scan explicit lockfiles rather than recursing, so we only look at
      # the three sources of truth and skip vendored / test / worktree dirs.
      scan-args: |-
        --lockfile=uv.lock
        --lockfile=ui-tui/package-lock.json
        --lockfile=website/package-lock.json
      fail-on-vuln: false