[APPSEC-1645] [Non-Prod] Add Socket Security Tier 1 reachability scan #105
+81
−0
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| # Socket Security Scan with Tier 1 Reachability Analysis | ||
| # | ||
| # This workflow scans dependencies and performs reachability analysis | ||
| # to identify which vulnerabilities are actually reachable in the code. | ||
| # | ||
| # Required: SOCKET_SECURITY_API_KEY secret with enterprise plan | ||
| # API token scopes needed: socket-basics, uploaded-artifacts, full-scans, repo | ||
|
|
||
| name: Socket Security Scan | ||
|
|
||
| on: | ||
| schedule: | ||
| - cron: "0 2 * * *" # Everyday at 2 AM UTC | ||
| workflow_dispatch: | ||
| inputs: | ||
| enable_reachability: | ||
| description: "Enable Tier 1 reachability analysis" | ||
| required: false | ||
| default: "true" | ||
| type: choice | ||
| options: | ||
| - "true" | ||
| - "false" | ||
|
|
||
| concurrency: | ||
| group: socket-security-scan | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| socket-security: | ||
| name: Socket Security Scan | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 120 | ||
| permissions: | ||
| contents: read | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Setup Python | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: "3.12" | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: "20" | ||
|
|
||
| - name: Install uv (Python package manager) | ||
| uses: astral-sh/setup-uv@v4 | ||
|
|
||
| - name: Install Socket CLI | ||
| run: uv pip install socketsecurity --upgrade --system | ||
|
|
||
| - name: Run Socket Security Scan | ||
| env: | ||
| SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }} | ||
| SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_SECURITY_API_KEY }} | ||
|
Collaborator
There was a problem hiding this comment. I don't have context on this PR, but at a glance this seems redundant to have |
||
| PYTHONUNBUFFERED: "1" | ||
| ENABLE_REACH: ${{ github.event.inputs.enable_reachability }} | ||
| run: | | ||
| REPO_NAME="${GITHUB_REPOSITORY#*/}" | ||
|
|
||
| # Build reachability flags if enabled | ||
| REACH_FLAGS="" | ||
| if [[ "${ENABLE_REACH}" != "false" ]]; then | ||
| REACH_FLAGS="--reach --reach-memory-limit 16384 --reach-timeout 3600" | ||
| echo "Reachability analysis enabled" | ||
| fi | ||
|
|
||
| echo "Scanning repository: $REPO_NAME" | ||
|
|
||
| socketcli \ | ||
| --target-path "$GITHUB_WORKSPACE" \ | ||
| --repo "$REPO_NAME" \ | ||
| --enable-debug \ | ||
| $REACH_FLAGS | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Semgrep identified an issue in your code:
The GitHub action
astral-sh/setup-uv@v4uses a mutable version tag that could be rewritten by an attacker to inject malicious code into your workflow.More details about this
The
astral-sh/setup-uv@v4action is pinned to a version tag instead of a full commit SHA. Version tags in GitHub are mutable—a maintainer can move or re-tag a release at any time. An attacker who compromises theastral-sh/setup-uvrepository could overwrite thev4tag to point to malicious code.Exploit scenario:
astral-sh/setup-uvrepository and gains push accessv4taguses: astral-sh/setup-uv@v4secrets.SOCKET_SECURITY_API_KEYand your repository codePinning to a specific commit SHA (e.g.,
@a1b2c3d4e5f6...) creates an immutable reference that cannot be altered after commit creation, even if the tag is rewritten.To resolve this comment:
✨ Commit Assistant fix suggestion
View step-by-step instructions
uses: astral-sh/setup-uv@v4with a full 40-character commit SHA from the official setup-uv repository. For example:uses: astral-sh/setup-uv@ed597411d8f924073f98dfc5c65a23a2325f34cd# Pinned to v4 for security; see https://github.com/astral-sh/setup-uv/tagsPinning to a commit SHA makes the workflow more secure and prevents unexpected changes if the upstream action is updated.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasonsAlternatively, triage in Semgrep AppSec Platform to ignore the finding created by third-party-action-not-pinned-to-commit-sha.
You can view more details about this finding in the Semgrep AppSec Platform.