Merge branch 'main' into onboarding-automation

Author: witmicko

.github/workflows/main.yml

@@ -62,19 +62,15 @@ jobs:
           fi
 
   is-release:
-    # Filtering by `push` events ensures that we only release from the `main` branch, which is a
-    # requirement for our npm publishing environment.
-    # The commit author should always be 'github-actions' for releases created by the
-    # 'create-release-pr' workflow, so we filter by that as well to prevent accidentally
-    # triggering a release.
-    if: github.event_name == 'push' && startsWith(github.event.head_commit.author.name, 'github-actions')
+    name: Determine whether this is a release merge commit
     needs: all-jobs-pass
+    if: github.event_name == 'push'
+    runs-on: ubuntu-latest
     outputs:
       IS_RELEASE: ${{ steps.is-release.outputs.IS_RELEASE }}
-    runs-on: ubuntu-latest
     steps:
-      - uses: MetaMask/action-is-release@v1
-        id: is-release
+      - id: is-release
+        uses: MetaMask/action-is-release@v2
 
   publish-release:
     needs: is-release

CHANGELOG.md

@@ -7,6 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.0.5]
+
+### Added
+
+- feat: add rule to catch npx usage in JS/TS/YAML
+
+### Fixed
+
+- fix: add .security-scanner directory to ignored paths
+
 ## [2.0.4]
 
 ### Changed
@@ -62,7 +72,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Initial release of this action ([#29](https://github.com/MetaMask/action-security-code-scanner/pull/29))
 
-[Unreleased]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.4...HEAD
+[Unreleased]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.5...HEAD
+[2.0.5]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.4...v2.0.5
 [2.0.4]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.3...v2.0.4
 [2.0.3]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.2...v2.0.3
 [2.0.2]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.1...v2.0.2

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@metamask/action-security-code-scanner",
-  "version": "2.0.4",
+  "version": "2.0.5",
   "private": true,
   "description": "Security Code Scanner",
   "repository": {

packages/codeql-action/CHANGELOG.md

@@ -7,14 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-## [2.0.3]
+## [2.0.5]
 
 ### Fixed
 
-- Fix incorrect language selection based on repo config ([#63](https://github.com/MetaMask/action-security-code-scanner/pull/63))
+- fix: add .security-scanner directory to paths-ignore in CodeQL config
+
+## [2.0.3]
 
 ### Fixed
 
+- Fix incorrect language selection based on repo config ([#63](https://github.com/MetaMask/action-security-code-scanner/pull/63))
 - Fixed Codeql configuration build
 
 ## [2.0.1]
@@ -32,7 +35,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added multi language support
 - Updated CodeQL action to v4
 
-[Unreleased]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.3...HEAD
+[Unreleased]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.5...HEAD
+[2.0.5]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.3...v2.0.5
 [2.0.3]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.1...v2.0.3
 [2.0.1]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.0...v2.0.1
 [2.0.0]: https://github.com/MetaMask/action-security-code-scanner/releases/tag/v2.0.0

packages/codeql-action/config/codeql-template.yml

@@ -1,6 +1,7 @@
 name: "Security Code Scanner CodeQL Config"
 
 paths-ignore:
+  - ".security-scanner/"
 <% pathsIgnored.forEach(function(path) { -%>
   - "<%- path %>"
 <% }); -%>

packages/codeql-action/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@metamask/codeql-action",
-  "version": "2.0.3",
+  "version": "2.0.5",
   "private": true,
   "description": "Custom CodeQL analysis action",
   "keywords": [],

packages/semgrep-action/CHANGELOG.md

@@ -7,6 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.0.5]
+
+### Fixed
+
+- refactor: simplify Semgrep action by removing unnecessary file copy step
+- fix: update .semgrepignore to include .security-scanner directory
+
+### Added
+
+- feat: add rule to catch npx usage in JS/TS/YAML
+
 ## [2.0.2]
 
 ## [2.0.1]
@@ -22,7 +33,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Migrated action from its separate repository to the monorepo
 
-[Unreleased]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.2...HEAD
+[Unreleased]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.5...HEAD
+[2.0.5]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.2...v2.0.5
 [2.0.2]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.1...v2.0.2
 [2.0.1]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.0...v2.0.1
 [2.0.0]: https://github.com/MetaMask/action-security-code-scanner/releases/tag/v2.0.0

packages/semgrep-action/action.yml

@@ -10,28 +10,21 @@ inputs:
 runs:
   using: 'composite'
   steps:
-    - name: Copy Semgrep Action Files to Workspace Root
-      run: |
-        echo "Copying Semgrep action files to workspace root for flat structure..."
-        cp -r ${{ github.action_path }}/rules ${{ github.workspace }}/
-        echo "Files copied. Semgrep rules structure:"
-        ls -la ${{ github.workspace }}/rules/
-      shell: bash
-
     - name: Install Semgrep
       run: |
         pip install semgrep
       shell: bash
 
     - name: Generate .semgrepignore
       run: |
-        echo "${{ inputs.paths_ignored }}" > .semgrepignore
+        echo ".security-scanner/" > .semgrepignore
+        echo "${{ inputs.paths_ignored }}" >> .semgrepignore
         cat .semgrepignore
       shell: bash
 
     - name: Run Semgrep Scan
       run: |
-        semgrep --config ./rules/src --output semgrep-results.sarif --sarif --verbose
+        semgrep --config ${{ github.action_path }}/rules/src --output semgrep-results.sarif --sarif --verbose
       shell: bash
       continue-on-error: true
 

packages/semgrep-action/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@metamask/semgrep-action",
-  "version": "2.0.2",
+  "version": "2.0.5",
   "private": true,
   "description": "Semgrep-based security scanning action",
   "keywords": [

packages/semgrep-action/rules/src/generic/npx-usage/npx-usage-js.yml

@@ -0,0 +1,43 @@
+rules:
+  - id: npx-usage-js
+    languages:
+      - javascript
+      - typescript
+    severity: WARNING
+    metadata:
+      tags: [security]
+      shortDescription: 'npx usage introduces supply chain security risks'
+      confidence: HIGH
+      help: |
+        Using npx to install and run packages introduces significant supply chain security risks for the following reasons:
+
+        1. **Unpinned by default**: Running `npx <package>` fetches the latest release outside of your lockfile. If a malicious version of a package is published ([example])(https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack), `npx` will install and execute it the next time it is run.
+
+        2. **Bypasses lockfile guarantees**: Packages executed with npx are not added to your project's package.json or lockfile. As a result, their versions and lockfile integrity hashes are not captured for reproducibility, making builds non-deterministic and harder to audit
+
+        ### Recommended practice
+        - Add packages as dependencies or devDependencies in `package.json`.
+        - Use your package manager to install and execute them (e.g., `yarn add <package> [--dev]` followed by `yarn <package> <command>`).
+
+        **Bad example (using npx):**
+        ```javascript
+        const cmd = `npx jest --coverage`;
+        execSync(cmd);
+        ```
+
+        **Good example (proper dependency):**
+        ```javascript
+        // Add jest as a dependency /devDependency in package.json
+        const cmd = `yarn jest --coverage`;
+        execSync(cmd);
+        ```
+
+    message: >-
+      Avoid using 'npx' to run packages due to supply chain security risks. Instead, install the package
+      as a dependency / devDependency and invoke it using your package manager to ensure version pinning
+      and reproducibility.
+    patterns:
+      - pattern: '$STRING'
+      - metavariable-regex:
+          metavariable: $STRING
+          regex: '.*\bnpx\s'