diff --git a/.devcontainer/post-attach.sh b/.devcontainer/post-attach.sh index 1fda8ec..2ccb308 100644 --- a/.devcontainer/post-attach.sh +++ b/.devcontainer/post-attach.sh @@ -7,8 +7,8 @@ if [ -v CODESPACES ]; then if [ ! -v AI_API_TOKEN ]; then echo "⚠️ Running in Codespaces - please add AI_API_TOKEN to your Codespaces secrets" fi - if [ ! -v GITHUB_PERSONAL_ACCESS_TOKEN ]; then - echo "⚠️ Running in Codespaces - please add GITHUB_PERSONAL_ACCESS_TOKEN to your Codespaces secrets" + if [ ! -v GH_TOKEN ]; then + echo "⚠️ Running in Codespaces - please add GH_TOKEN to your Codespaces secrets" fi fi diff --git a/src/run_seclab_agent.sh b/src/run_seclab_agent.sh index 6cbc0de..276a930 100755 --- a/src/run_seclab_agent.sh +++ b/src/run_seclab_agent.sh @@ -10,4 +10,4 @@ mkdir -p data docker run -i \ --mount type=bind,src="$PWD",dst=/app \ - -e GITHUB_PERSONAL_ACCESS_TOKEN="$GITHUB_PERSONAL_ACCESS_TOKEN" -e AI_API_TOKEN="$AI_API_TOKEN" "ghcr.io/githubsecuritylab/seclab-taskflow-agent" "$@" + -e GH_TOKEN="$GH_TOKEN" -e AI_API_TOKEN="$AI_API_TOKEN" "ghcr.io/githubsecuritylab/seclab-taskflow-agent" "$@" diff --git a/src/seclab_taskflows/mcp_servers/codeql_python/README.md b/src/seclab_taskflows/mcp_servers/codeql_python/README.md index d8c0f4a..5b4d37c 100644 --- a/src/seclab_taskflows/mcp_servers/codeql_python/README.md +++ b/src/seclab_taskflows/mcp_servers/codeql_python/README.md @@ -23,7 +23,7 @@ CODEQL_DBS_BASE_PATH="/workspaces/seclab-taskflows/data/codeql_databases" # path # Example values for a local setup, run with `python -m seclab_taskflow_agent -t seclab_taskflows.taskflows.audit.remote_sources_local` MEMCACHE_STATE_DIR="/workspaces/seclab-taskflows/data" # path to folder for storing the memcache database DATA_DIR="/workspaces/seclab-taskflows/data" # path to folder for storing the codeql_sqlite databases and all other data -GITHUB_PERSONAL_ACCESS_TOKEN= # can be the same token as COPILOT_TOKEN. Or another one, with access e.g. to private repositories +GH_TOKEN= # can be the same token as COPILOT_TOKEN. Or another one, with access e.g. to private repositories CODEQL_CLI= # output of command `find ~ -type f -name codeql -executable 2>/dev/null` # Example docker env run with ./run_seclab_agent.sh [...] diff --git a/src/seclab_taskflows/mcp_servers/gh_actions.py b/src/seclab_taskflows/mcp_servers/gh_actions.py index 81dbaed..51f7451 100644 --- a/src/seclab_taskflows/mcp_servers/gh_actions.py +++ b/src/seclab_taskflows/mcp_servers/gh_actions.py @@ -45,7 +45,7 @@ def __repr__(self): unimportant_triggers = set(['pull_request', 'workflow_dispatch']) -GITHUB_PERSONAL_ACCESS_TOKEN = os.getenv('GITHUB_PERSONAL_ACCESS_TOKEN', default='') +GH_TOKEN = os.getenv('GH_TOKEN', default='') ACTIONS_DB_DIR = mcp_data_dir('seclab-taskflows', 'gh_actions', 'ACTIONS_DB_DIR') @@ -56,7 +56,7 @@ def __repr__(self): async def call_api(url: str, params: dict, raw = False) -> str: """Call the GitHub code scanning API to fetch alert.""" headers = {"Accept": "application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28", - "Authorization": f"Bearer {GITHUB_PERSONAL_ACCESS_TOKEN}"} + "Authorization": f"Bearer {GH_TOKEN}"} if raw: headers["Accept"] = "application/vnd.github.raw+json" async def _fetch(url, headers, params): diff --git a/src/seclab_taskflows/mcp_servers/gh_code_scanning.py b/src/seclab_taskflows/mcp_servers/gh_code_scanning.py index 52a47d6..bbdff6f 100644 --- a/src/seclab_taskflows/mcp_servers/gh_code_scanning.py +++ b/src/seclab_taskflows/mcp_servers/gh_code_scanning.py @@ -27,7 +27,7 @@ mcp = FastMCP("GitHubCodeScanning") -GITHUB_PERSONAL_ACCESS_TOKEN = os.getenv('GITHUB_PERSONAL_ACCESS_TOKEN', default='') +GH_TOKEN = os.getenv('GH_TOKEN', default='') CODEQL_DBS_BASE_PATH = mcp_data_dir('seclab-taskflows', 'codeql', 'CODEQL_DBS_BASE_PATH') ALERT_RESULTS_DIR = mcp_data_dir('seclab-taskflows', 'gh_code_scanning', 'ALERT_RESULTS_DIR') @@ -72,7 +72,7 @@ def _get_repo_from_html_url(html_url: str) -> str: async def call_api(url: str, params: dict) -> str | httpx.Response: """Call the GitHub code scanning API to fetch alert.""" headers = {"Accept": "application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28", - "Authorization": f"Bearer {GITHUB_PERSONAL_ACCESS_TOKEN}"} + "Authorization": f"Bearer {GH_TOKEN}"} async def _fetch_alerts(url, headers, params): try: async with httpx.AsyncClient(headers = headers) as client: @@ -182,7 +182,7 @@ async def _fetch_codeql_databases(owner: str, repo: str, language: str): """Fetch the CodeQL databases for a given repo and language.""" url = f"https://api.github.com/repos/{owner}/{repo}/code-scanning/codeql/databases/{language}" headers = {"Accept": "application/zip,application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28", - "Authorization": f"Bearer {os.getenv('GITHUB_PERSONAL_ACCESS_TOKEN')}"} + "Authorization": f"Bearer {os.getenv('GH_TOKEN')}"} try: async with httpx.AsyncClient() as client: async with client.stream('GET', url, headers =headers, follow_redirects=True) as response: @@ -238,7 +238,7 @@ async def dismiss_alert( headers = { "Accept": "application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28", - "Authorization": f"Bearer {GITHUB_PERSONAL_ACCESS_TOKEN}" + "Authorization": f"Bearer {GH_TOKEN}" } async with httpx.AsyncClient(headers=headers) as client: diff --git a/src/seclab_taskflows/mcp_servers/gh_file_viewer.py b/src/seclab_taskflows/mcp_servers/gh_file_viewer.py index 446a654..f138a43 100644 --- a/src/seclab_taskflows/mcp_servers/gh_file_viewer.py +++ b/src/seclab_taskflows/mcp_servers/gh_file_viewer.py @@ -43,7 +43,7 @@ def __repr__(self): mcp = FastMCP("GitHubFileViewer") -GITHUB_PERSONAL_ACCESS_TOKEN = os.getenv('GITHUB_PERSONAL_ACCESS_TOKEN', default='') +GH_TOKEN = os.getenv('GH_TOKEN', default='') SEARCH_RESULT_DIR = mcp_data_dir('seclab-taskflows', 'gh_file_viewer', 'SEARCH_RESULTS_DIR') @@ -54,7 +54,7 @@ def __repr__(self): async def call_api(url: str, params: dict) -> str: """Call the GitHub code scanning API to fetch alert.""" headers = {"Accept": "application/vnd.github.raw+json", "X-GitHub-Api-Version": "2022-11-28", - "Authorization": f"Bearer {GITHUB_PERSONAL_ACCESS_TOKEN}"} + "Authorization": f"Bearer {GH_TOKEN}"} async def _fetch_file(url, headers, params): try: async with httpx.AsyncClient(headers = headers) as client: @@ -79,7 +79,7 @@ async def _fetch_source_zip(owner: str, repo: str, tmp_dir): """Fetch the source code.""" url = f"https://api.github.com/repos/{owner}/{repo}/zipball" headers = {"Accept": "application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28", - "Authorization": f"Bearer {GITHUB_PERSONAL_ACCESS_TOKEN}"} + "Authorization": f"Bearer {GH_TOKEN}"} try: async with httpx.AsyncClient() as client: async with client.stream('GET', url, headers =headers, follow_redirects=True) as response: diff --git a/src/seclab_taskflows/mcp_servers/local_gh_resources.py b/src/seclab_taskflows/mcp_servers/local_gh_resources.py index cc23134..6c3b17c 100644 --- a/src/seclab_taskflows/mcp_servers/local_gh_resources.py +++ b/src/seclab_taskflows/mcp_servers/local_gh_resources.py @@ -22,7 +22,7 @@ mcp = FastMCP("LocalGHResources") -GITHUB_PERSONAL_ACCESS_TOKEN = os.getenv('GITHUB_PERSONAL_ACCESS_TOKEN') +GH_TOKEN = os.getenv('GH_TOKEN') LOCAL_GH_DIR = mcp_data_dir('seclab-taskflows', 'local_gh_resources', 'LOCAL_GH_DIR') @@ -45,7 +45,7 @@ def sanitize_file_path(file_path, allow_paths): async def call_api(url: str, params: dict) -> str: """Call the GitHub code scanning API to fetch alert.""" headers = {"Accept": "application/vnd.github.raw+json", "X-GitHub-Api-Version": "2022-11-28", - "Authorization": f"Bearer {GITHUB_PERSONAL_ACCESS_TOKEN}"} + "Authorization": f"Bearer {GH_TOKEN}"} async def _fetch_file(url, headers, params): try: async with httpx.AsyncClient(headers = headers) as client: @@ -67,7 +67,7 @@ async def _fetch_source_zip(owner: str, repo: str, tmp_dir): """Fetch the source code.""" url = f"https://api.github.com/repos/{owner}/{repo}/zipball" headers = {"Accept": "application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28", - "Authorization": f"Bearer {GITHUB_PERSONAL_ACCESS_TOKEN}"} + "Authorization": f"Bearer {GH_TOKEN}"} try: async with httpx.AsyncClient() as client: async with client.stream('GET', url, headers =headers, follow_redirects=True) as response: diff --git a/src/seclab_taskflows/toolboxes/gh_actions.yaml b/src/seclab_taskflows/toolboxes/gh_actions.yaml index dbde4ac..378f44e 100644 --- a/src/seclab_taskflows/toolboxes/gh_actions.yaml +++ b/src/seclab_taskflows/toolboxes/gh_actions.yaml @@ -10,5 +10,5 @@ server_params: command: python args: ["-m", "seclab_taskflows.mcp_servers.gh_actions"] env: - GITHUB_PERSONAL_ACCESS_TOKEN: "{{ env GITHUB_PERSONAL_ACCESS_TOKEN }}" + GH_TOKEN: "{{ env GH_TOKEN }}" ACTIONS_DB_DIR: "{{ env DATA_DIR }}" diff --git a/src/seclab_taskflows/toolboxes/gh_code_scanning.yaml b/src/seclab_taskflows/toolboxes/gh_code_scanning.yaml index 155d429..3646111 100644 --- a/src/seclab_taskflows/toolboxes/gh_code_scanning.yaml +++ b/src/seclab_taskflows/toolboxes/gh_code_scanning.yaml @@ -10,6 +10,6 @@ server_params: command: python args: ["-m", "seclab_taskflows.mcp_servers.gh_code_scanning"] env: - GITHUB_PERSONAL_ACCESS_TOKEN: "{{ env GITHUB_PERSONAL_ACCESS_TOKEN }}" + GH_TOKEN: "{{ env GH_TOKEN }}" CODEQL_DBS_BASE_PATH: "{{ env CODEQL_DBS_BASE_PATH }}" ALERT_RESULTS_DIR: "{{ env DATA_DIR }}" diff --git a/src/seclab_taskflows/toolboxes/gh_file_viewer.yaml b/src/seclab_taskflows/toolboxes/gh_file_viewer.yaml index 1a5a89e..172dd26 100644 --- a/src/seclab_taskflows/toolboxes/gh_file_viewer.yaml +++ b/src/seclab_taskflows/toolboxes/gh_file_viewer.yaml @@ -10,5 +10,5 @@ server_params: command: python args: ["-m", "seclab_taskflows.mcp_servers.gh_file_viewer"] env: - GITHUB_PERSONAL_ACCESS_TOKEN: "{{ env GITHUB_PERSONAL_ACCESS_TOKEN }}" + GH_TOKEN: "{{ env GH_TOKEN }}" SEARCH_RESULTS_DIR: "{{ env DATA_DIR }}" diff --git a/src/seclab_taskflows/toolboxes/ghsa.yaml b/src/seclab_taskflows/toolboxes/ghsa.yaml index ec6adf9..89b4fba 100644 --- a/src/seclab_taskflows/toolboxes/ghsa.yaml +++ b/src/seclab_taskflows/toolboxes/ghsa.yaml @@ -10,4 +10,4 @@ server_params: command: python args: ["-m", "seclab_taskflows.mcp_servers.ghsa"] env: - GITHUB_PERSONAL_ACCESS_TOKEN: "{{ env GITHUB_PERSONAL_ACCESS_TOKEN }}" + GH_TOKEN: "{{ env GH_TOKEN }}" diff --git a/src/seclab_taskflows/toolboxes/local_gh_resources.yaml b/src/seclab_taskflows/toolboxes/local_gh_resources.yaml index e41399a..551c10e 100644 --- a/src/seclab_taskflows/toolboxes/local_gh_resources.yaml +++ b/src/seclab_taskflows/toolboxes/local_gh_resources.yaml @@ -10,5 +10,5 @@ server_params: command: python args: ["-m", "seclab_taskflows.mcp_servers.local_gh_resources"] env: - GITHUB_PERSONAL_ACCESS_TOKEN: "{{ env GITHUB_PERSONAL_ACCESS_TOKEN }}" + GH_TOKEN: "{{ env GH_TOKEN }}" LOCAL_GH_DIR: "{{ env DATA_DIR }}"