Skip to content

feat: V2 - Multi language support#47

Merged
witmicko merged 18 commits intomainfrom
v2
Oct 30, 2025
Merged

feat: V2 - Multi language support#47
witmicko merged 18 commits intomainfrom
v2

Conversation

@witmicko
Copy link
Contributor

@witmicko witmicko commented Oct 29, 2025
edited by cursor bot
Loading

What

Why

  • Split scanner into separate repositories was gettung cumbersome to work with and update and carried extra cognitive load.
  • We are seeing more non js repositories within our orgs and need to enable security scanner on those too

Note

Consolidates security scanning into a monorepo with a reusable workflow, automatic language detection, and dedicated CodeQL and Semgrep actions running per detected language.

  • Workflow/Orchestration:
    • New reusable workflow /.github/workflows/security-scan.yml orchestrates scans, auto-detects languages, builds a matrix, runs CodeQL per language, and Semgrep once, then posts results/notifications.
    • Adds /.github/workflows/test-semgrep.yml for validating and testing Semgrep rules.
    • Removes legacy /.github/workflows/security-code-scanner.yml and root action.yaml.
  • Language Detection:
    • New action packages/language-detector fetches repo languages via GitHub API, maps to scanner languages, merges workflow and repo configs, and outputs a scan matrix (with ignore support).
    • Includes unit/integration tests and CLI utilities.
  • CodeQL Action:
    • New packages/codeql-action with repo-config loader, input validation/sanitization, EJS-generated codeql config, optional build setup (e.g., Java), and SARIF upload.
    • Supports per-repo defaults (repo-configs/*), custom query suites, and outputs build parameters.
    • Includes Jest tests and docs.
  • Semgrep Action:
    • New packages/semgrep-action to run rules and upload SARIF; adds sample rules (e.g., npx usage) and tests/util scripts.
  • Docs/Tooling:
    • Overhauled README.md and package READMEs; changelog updated.
    • Monorepo scripts for validation/cleanup, shared Prettier config, updated .gitignore, .prettierignore, .nvmrc, and Yarn config.
    • Root package.json converted to workspaces with new scripts and deps.

Written by Cursor Bugbot for commit 93d3c8d. This will update automatically on new commits. Configure here.

witmicko and others added 10 commits October 24, 2025 14:54
@witmicko
refactor: start monorepo setup
abfac40
@witmicko
Merge branch 'main' into monorepo-initial-structure-migration
2687235
@witmicko
fix package check script
18be27c
@witmicko
migrate codeql-action into package
7f0b93c
@EllusionN
Merge pull request #41 from MetaMask/monorepo-initial-structure-migra…
bb34a87 
…tion

1. refactor: start monorepo setup
@EllusionN
Merge pull request #42 from MetaMask/monorepo-codeql-package
24dd8a6 
2. Monorepo codeql package
@witmicko
3. Monorepo language detector (#43)
dec4937 
* add language detector action

* lint

add semgrep action

* update jest
@witmicko @EllusionN
4. Add Semgrep action (#44)
6f2836e 
* add semgrep action

* update jest

* rebase on v2, codeowner and semgrep CI

* move sembrep test

* added security workflow, lint

* repoint to main

* gaa update semgrep rules

* fix repo name

* lint semgrep rules

* fix actionlint issues

* fix changelog lint

* move changelog entries under unreleased

---------

Co-authored-by: Nicholas Ellul <15018469+NicholasEllul@users.noreply.github.com>
@witmicko
downgrade version so the release action can work (#45)
61b67eb
@witmicko
update changelog, bump lavamoat
77f43e0
@witmicko witmicko requested a review from a team as a code owner October 29, 2025 15:17
@witmicko witmicko changed the title V2 V2 - Multi language support Oct 29, 2025
@socket-security
Copy link

socket-security bot commented Oct 29, 2025
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updated@​lavamoat/​preinstall-always-fail@​2.1.0 ⏵ 2.1.1811004882100
Updatedyaml@​1.10.2 ⏵ 2.8.110010010081100
Updated@​metamask/​auto-changelog@​4.1.0 ⏵ 5.1.0100 +2100100 +1100 +13100
Updated@​lavamoat/​allow-scripts@​3.3.1 ⏵ 3.4.0100 +1100100100 +8100

View full report

@socket-security
Copy link

socket-security bot commented Oct 29, 2025
edited
Loading

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring alerts on:

  • istanbul-lib-report@3.0.1
  • convert-source-map@2.0.0
  • @babel/plugin-syntax-import-meta@7.10.4
  • @babel/plugin-syntax-logical-assignment-operators@7.10.4
  • @babel/plugin-syntax-numeric-separator@7.10.4
  • ejs@3.1.10
  • jake@10.9.4
  • babel-plugin-istanbul@7.0.1
  • jest-haste-map@30.2.0
  • jest-worker@30.2.0
  • @babel/core@7.28.5
  • agent-base@7.1.3

View full report

cursor[bot]

This comment was marked as outdated.

Sign in to view

EllusionN
EllusionN reviewed Oct 29, 2025
View reviewed changes
cursor[bot]

This comment was marked as outdated.

Sign in to view

witmicko and others added 4 commits October 29, 2025 15:29
@witmicko @EllusionN
Update package.json
1408cae 
Co-authored-by: Nicholas Ellul <15018469+NicholasEllul@users.noreply.github.com>
@witmicko @EllusionN
Update package.json
2e80787 
Co-authored-by: Nicholas Ellul <15018469+NicholasEllul@users.noreply.github.com>
@witmicko @EllusionN
Update package.json
517c92e 
Co-authored-by: Nicholas Ellul <15018469+NicholasEllul@users.noreply.github.com>
@witmicko @EllusionN
Update CHANGELOG.md
e563cf9 
Co-authored-by: Nicholas Ellul <15018469+NicholasEllul@users.noreply.github.com>
EllusionN
EllusionN previously approved these changes Oct 29, 2025
View reviewed changes
Copy link
Contributor

@EllusionN EllusionN left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good to move to the next step of testing

Ensure the socket.dev findings and tests are addressed before moving as well 👍

@EllusionN EllusionN changed the title V2 - Multi language support feat: V2 - Multi language support Oct 29, 2025
cursor[bot]

This comment was marked as outdated.

Sign in to view

@witmicko
Copy link
Contributor Author

witmicko commented Oct 29, 2025

@SocketSecurity ignore npm/babel-plugin-istanbul@7.0.1
@SocketSecurity ignore npm/jake@10.9.4
@SocketSecurity ignore npm/jest-haste-map@30.2.0
@SocketSecurity ignore npm/jest-worker@30.2.0
dev and build tools, ok

@SocketSecurity ignore npm/@babel/plugin-syntax-import-meta@7.10.4
@SocketSecurity ignore npm/@babel/plugin-syntax-logical-assignment-operators@7.10.4
@SocketSecurity ignore npm/@babel/plugin-syntax-numeric-separator@7.10.4
@SocketSecurity ignore npm/convert-source-map@2.0.0
@SocketSecurity ignore npm/istanbul-lib-report@3.0.1
@SocketSecurity ignore npm/@babel/core@7.28.5
@SocketSecurity ignore npm/ejs@3.1.10
@SocketSecurity ignore npm/function-bind@1.1.2
@SocketSecurity ignore npm/istanbul-lib-report@3.0.1
@SocketSecurity ignore npm/jake@10.9.4

cursor[bot]

This comment was marked as outdated.

Sign in to view

@witmicko
Copy link
Contributor Author

witmicko commented Oct 29, 2025

@SocketSecurity ignore npm/agent-base@7.1.3

EllusionN
EllusionN previously approved these changes Oct 29, 2025
View reviewed changes
@witmicko witmicko merged commit e70da32 into main Oct 30, 2025
13 checks passed
@witmicko witmicko deleted the v2 branch October 30, 2025 14:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

+1 more reviewer

@EllusionN EllusionN EllusionN approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@witmicko @EllusionN