fix(action): rewrite GitHub Action as composite with pip installation #465
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Replace Docker-based action with faster composite action - Use `pip install codepathfinder` for automatic binary installation - Fix incorrect `--ruleset` flag to proper `--rules` flag - Use `scan` command instead of deprecated `ci` command interface - Add support for `fail-on`, `verbose`, `skip-tests`, `python-version` options - Add `results-file` and `version` outputs for downstream steps - Add example workflow at `.github/workflows/example-security-scan.yml` - Add GitHub Action documentation to README.md - Bump version to 1.1.7
shivasurya
added
the
github_actions
SafeDep Report Summary
No dependency changes detected. Nothing to scan. This report is generated by SafeDep Github App |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #465 +/- ##
=======================================
Coverage 80.24% 80.24%
=======================================
Files 99 99
Lines 10953 10953
=======================================
Hits 8789 8789
Misses 1813 1813
Partials 351 351 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
## Action Updates (action.yml) - Add new `ruleset` input parameter for remote rulesets - Make `rules` input optional (either rules or ruleset required) - Update description: "Python DSL" → "Python SDK" - Add validation to ensure at least one rule source is provided - Support comma-separated multiple rulesets - Properly handle both --rules and --ruleset flags ## Example Workflow Updates - Replace single example with 3 comprehensive examples: 1. Python security scan with multiple rulesets 2. Docker security scan with security + best-practice rules 3. Custom local rules scan - Update python-dsl references to python-sdk - Show practical usage of remote rulesets ## README Documentation - Update GitHub Action section with remote ruleset examples - Add "Available Remote Rulesets" section listing: - Python: deserialization, django, flask - Docker: security, best-practice, performance - Show multiple usage patterns (remote, local, docker) - Update inputs table with new ruleset parameter - Update "Python DSL" to "Python SDK" throughout ## Why This Matters Enables users to leverage the new remote ruleset infrastructure introduced in v1.2.0, making security scanning zero-config with pre-built rules from codepathfinder.dev/registry. Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
Owner
Author
Added Remote Ruleset SupportI've added support for the new remote ruleset feature to the GitHub Action: Changes in this commit:action.yml:
example-security-scan.yml:
README.md:
Example Usage:# Scan with remote Python rulesets
- uses: shivasurya/code-pathfinder@main
with:
ruleset: python/deserialization, python/django, python/flask
fail-on: critical,high
# Scan with remote Docker rulesets
- uses: shivasurya/code-pathfinder@main
with:
ruleset: docker/security, docker/best-practice
# Use local rules (backward compatible)
- uses: shivasurya/code-pathfinder@main
with:
rules: python-sdk/examples/owasp_top10.pyThis enables users to leverage the new remote ruleset infrastructure from v1.2.0 🚀 |
The example workflow was using @main which pulled the old Docker-based action that doesn't support --ruleset flag. Updated to use './' to test the new composite action from the current branch. This fixes all three failing checks: - python-scan (ruleset support) - docker-scan (ruleset support) - custom-rules-scan (rules parameter support)
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
The scans are working correctly but failing due to --fail-on flag. Removing it from test workflow to verify the action executes properly. The fail-on feature can still be demonstrated in documentation.
The scan command expects JSON IR rules, not raw Python DSL files. Changed the custom-rules-scan example to use a remote ruleset to demonstrate verbose mode and custom output file naming.
- Update all workflows from actions/checkout@v4 to v6 (latest release) - Update README.md examples to use v6 - Consolidate three separate scan jobs into single security-scan job - Demonstrate multiple rulesets in one scan (Python + Docker) - Use YAML multiline string syntax for better readability This showcases that ruleset parameter supports multiple comma-separated values, eliminating the need for separate jobs per language/framework.
Added new inputs to GitHub Action: - refresh-rules: Force refresh of cached rulesets - debug: Enable debug diagnostics with timestamps - disable-metrics: Disable anonymous usage metrics Updated action.yml to handle these flags and pass them to the scan command. Updated README.md inputs table with new options and better descriptions. All pathfinder scan command options are now fully exposed through the action.
Implemented defense-in-depth against command injection vulnerabilities:
1. Input Validation
- Validate all user inputs for dangerous shell metacharacters
- Block: ; | & $ ` and newlines
- Fail fast with clear error messages
2. Array-Based Argument Construction
- Use bash arrays instead of string concatenation
- Proper quoting with "${ARGS[@]}" prevents word splitting
- Eliminates unquoted variable expansion attacks
3. Safe Shell Options
- set -euo pipefail for fail-fast behavior
- Exit on errors and undefined variables
4. No Code Evaluation
- Never uses eval, source, or indirect expansion
- Static command structure only
Updated SECURITY.md with GitHub Action security documentation,
including example blocked attacks and best practices.
This prevents CVE-class vulnerabilities from user-controlled inputs.
- Update github/codeql-action/upload-sarif@v3 to @v4 - Fixes deprecation warning (v3 deprecated December 2026) - Updated in both example workflow and README.md documentation Ref: https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
pip install codepathfinderfor automatic binary installation--rulesetflag to proper--rulesflagscancommand instead of deprecatedcicommand interfacefail-on,verbose,skip-tests,python-versionoptionsresults-fileandversionoutputs for downstream steps.github/workflows/example-security-scan.ymlChecklist:
gradle testGo)?golangci-lint runthis requires golangci-lint)?