feat(integrations): update sanitized inputs for github to read monorepo apps (#1929)

Marfuen · web-flow · commit 5912194a1bcd · 2025-12-16T15:17:45.000-05:00
diff --git a/apps/portal/package.json b/apps/portal/package.json
@@ -4,6 +4,7 @@
   "dependencies": {
     "@aws-sdk/client-s3": "^3.859.0",
     "@aws-sdk/s3-request-presigner": "^3.859.0",
+    "@hookform/resolvers": "^5.2.2",
     "@prisma/client": "^6.13.0",
     "@react-email/components": "^0.0.41",
     "@react-email/render": "^1.1.2",
@@ -27,7 +28,9 @@
     "react": "^19.2.3",
     "react-dom": "^19.2.3",
     "react-email": "^4.0.15",
-    "sonner": "^2.0.5"
+    "react-hook-form": "^7.68.0",
+    "sonner": "^2.0.5",
+    "zod": "3"
   },
   "devDependencies": {
     "@tailwindcss/postcss": "^4.1.10",
diff --git a/bun.lock b/bun.lock
@@ -306,6 +306,7 @@
       "dependencies": {
         "@aws-sdk/client-s3": "^3.859.0",
         "@aws-sdk/s3-request-presigner": "^3.859.0",
+        "@hookform/resolvers": "^5.2.2",
         "@prisma/client": "^6.13.0",
         "@react-email/components": "^0.0.41",
         "@react-email/render": "^1.1.2",
@@ -329,7 +330,9 @@
         "react": "^19.2.3",
         "react-dom": "^19.2.3",
         "react-email": "^4.0.15",
+        "react-hook-form": "^7.68.0",
         "sonner": "^2.0.5",
+        "zod": "3",
       },
       "devDependencies": {
         "@tailwindcss/postcss": "^4.1.10",
@@ -5816,6 +5819,8 @@
 
     "@comp/app/resend": ["resend@4.8.0", "", { "dependencies": { "@react-email/render": "1.1.2" } }, "sha512-R8eBOFQDO6dzRTDmaMEdpqrkmgSjPpVXt4nGfWsZdYOet0kqra0xgbvTES6HmCriZEXbmGk3e0DiGIaLFTFSHA=="],
 
+    "@comp/portal/zod": ["zod@3.25.76", "", {}, "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ=="],
+
     "@cspotcode/source-map-support/@jridgewell/trace-mapping": ["@jridgewell/trace-mapping@0.3.9", "", { "dependencies": { "@jridgewell/resolve-uri": "^3.0.3", "@jridgewell/sourcemap-codec": "^1.4.10" } }, "sha512-3Belt6tdc8bPgAtbcmdtNJlirVoTmEb5e2gC94PnkwEW9jI6CAHUeoG85tjWP5WquqfavoMtMwiG4P926ZKKuQ=="],
 
     "@discordjs/rest/@discordjs/collection": ["@discordjs/collection@2.1.1", "", {}, "sha512-LiSusze9Tc7qF03sLCujF5iZp7K+vRNEDBZ86FT9aQAv3vxMLihUvKvpsCWiQ2DJq1tVckopKm1rxomgNUc9hg=="],
diff --git a/packages/integration-platform/src/manifests/github/checks/sanitized-inputs.ts b/packages/integration-platform/src/manifests/github/checks/sanitized-inputs.ts
@@ -3,22 +3,35 @@
  *
  * Ensures repositories use a modern validation/sanitization library
  * (Zod or Pydantic) and have automated static analysis (CodeQL) enabled.
+ * Supports monorepos by scanning all package.json/requirements.txt files.
  */
 
 import { TASK_TEMPLATES } from '../../../task-mappings';
 import type { IntegrationCheck } from '../../../types';
-import type { GitHubCodeScanningDefaultSetup, GitHubRepo } from '../types';
+import type {
+  GitHubCodeScanningDefaultSetup,
+  GitHubRepo,
+  GitHubTreeEntry,
+  GitHubTreeResponse,
+} from '../types';
 import { targetReposVariable } from '../variables';
 
 const JS_VALIDATION_PACKAGES = ['zod'];
 const PY_VALIDATION_PACKAGES = ['pydantic'];
 
+const TARGET_FILES = ['package.json', 'requirements.txt', 'pyproject.toml'];
+
 interface GitHubFileResponse {
   content: string;
   encoding: 'base64' | 'utf-8';
   path: string;
 }
 
+interface ValidationMatch {
+  library: string;
+  file: string;
+}
+
 const decodeFile = (file: GitHubFileResponse): string => {
   if (!file?.content) return '';
   if (file.encoding === 'base64') {
@@ -27,11 +40,16 @@ const decodeFile = (file: GitHubFileResponse): string => {
   return file.content;
 };
 
+const getFileName = (path: string): string => {
+  const parts = path.split('/');
+  return parts[parts.length - 1] ?? path;
+};
+
 export const sanitizedInputsCheck: IntegrationCheck = {
   id: 'sanitized_inputs',
   name: 'Sanitized Inputs & Code Scanning',
   description:
-    'Verifies repositories use Zod/Pydantic for input validation and have GitHub CodeQL scanning enabled.',
+    'Verifies repositories use Zod/Pydantic for input validation and have GitHub CodeQL scanning enabled. Scans entire repository including monorepo subdirectories.',
   taskMapping: TASK_TEMPLATES.sanitizedInputs,
   defaultSeverity: 'medium',
   variables: [targetReposVariable],
@@ -61,6 +79,21 @@ export const sanitizedInputsCheck: IntegrationCheck = {
       }
     };
 
+    const fetchRepoTree = async (repoName: string, branch: string): Promise<GitHubTreeEntry[]> => {
+      try {
+        const tree = await ctx.fetch<GitHubTreeResponse>(
+          `/repos/${repoName}/git/trees/${branch}?recursive=1`,
+        );
+        if (tree.truncated) {
+          ctx.warn(`Repository ${repoName} has too many files, tree was truncated`);
+        }
+        return tree.tree;
+      } catch (error) {
+        ctx.warn(`Failed to fetch tree for ${repoName}: ${String(error)}`);
+        return [];
+      }
+    };
+
     const fetchFile = async (repoName: string, path: string): Promise<string | null> => {
       try {
         const file = await ctx.fetch<GitHubFileResponse>(`/repos/${repoName}/contents/${path}`);
@@ -70,46 +103,61 @@ export const sanitizedInputsCheck: IntegrationCheck = {
       }
     };
 
-    const hasValidationLibrary = async (repoName: string) => {
-      // Check package.json for JS libraries
-      const packageJsonRaw = await fetchFile(repoName, 'package.json');
-      if (packageJsonRaw) {
-        try {
-          const pkg = JSON.parse(packageJsonRaw);
-          const deps = {
-            ...(pkg.dependencies || {}),
-            ...(pkg.devDependencies || {}),
-          };
-          for (const candidate of JS_VALIDATION_PACKAGES) {
-            if (deps[candidate]) {
-              return { found: true, library: candidate, file: 'package.json' };
-            }
+    const checkPackageJson = (content: string, filePath: string): ValidationMatch | null => {
+      try {
+        const pkg = JSON.parse(content);
+        const deps = {
+          ...(pkg.dependencies || {}),
+          ...(pkg.devDependencies || {}),
+        };
+        for (const candidate of JS_VALIDATION_PACKAGES) {
+          if (deps[candidate]) {
+            return { library: candidate, file: filePath };
           }
-        } catch {
-          ctx.warn(`Unable to parse package.json for ${repoName}`);
         }
+      } catch {
+        // Invalid JSON, skip
       }
+      return null;
+    };
 
-      // Check requirements.txt or pyproject.toml for Python libraries
-      const requirementsRaw = await fetchFile(repoName, 'requirements.txt');
-      if (requirementsRaw) {
-        const lower = requirementsRaw.toLowerCase();
-        const candidate = PY_VALIDATION_PACKAGES.find((pkg) => lower.includes(pkg));
-        if (candidate) {
-          return { found: true, library: candidate, file: 'requirements.txt' };
+    const checkPythonFile = (content: string, filePath: string): ValidationMatch | null => {
+      const lower = content.toLowerCase();
+      for (const candidate of PY_VALIDATION_PACKAGES) {
+        if (lower.includes(candidate)) {
+          return { library: candidate, file: filePath };
         }
       }
+      return null;
+    };
 
-      const pyprojectRaw = await fetchFile(repoName, 'pyproject.toml');
-      if (pyprojectRaw) {
-        const lower = pyprojectRaw.toLowerCase();
-        const candidate = PY_VALIDATION_PACKAGES.find((pkg) => lower.includes(pkg));
-        if (candidate) {
-          return { found: true, library: candidate, file: 'pyproject.toml' };
+    const findValidationLibraries = async (
+      repoName: string,
+      tree: GitHubTreeEntry[],
+    ): Promise<ValidationMatch[]> => {
+      const matches: ValidationMatch[] = [];
+
+      // Find all target files in the tree
+      const targetEntries = tree.filter(
+        (entry) => entry.type === 'blob' && TARGET_FILES.includes(getFileName(entry.path)),
+      );
+
+      for (const entry of targetEntries) {
+        const content = await fetchFile(repoName, entry.path);
+        if (!content) continue;
+
+        const fileName = getFileName(entry.path);
+
+        if (fileName === 'package.json') {
+          const match = checkPackageJson(content, entry.path);
+          if (match) matches.push(match);
+        } else if (fileName === 'requirements.txt' || fileName === 'pyproject.toml') {
+          const match = checkPythonFile(content, entry.path);
+          if (match) matches.push(match);
         }
       }
 
-      return { found: false };
+      return matches;
     };
 
     const isCodeScanningEnabled = async (repoName: string) => {
@@ -130,35 +178,40 @@ export const sanitizedInputsCheck: IntegrationCheck = {
       const repo = await fetchRepo(repoName);
       if (!repo) continue;
 
-      const validation = await hasValidationLibrary(repo.full_name);
+      // Fetch the full tree to find all package.json/requirements.txt files
+      const tree = await fetchRepoTree(repo.full_name, repo.default_branch);
+      const validationMatches = await findValidationLibraries(repo.full_name, tree);
       const codeScanning = await isCodeScanningEnabled(repo.full_name);
 
-      if (validation.found) {
+      if (validationMatches.length > 0) {
         ctx.pass({
           title: `Input validation enabled in ${repo.name}`,
-          description: `Detected ${validation.library} usage (${validation.file}).`,
+          description: `Found ${validationMatches.length} location(s) with validation libraries: ${validationMatches.map((m) => `${m.library} (${m.file})`).join(', ')}.`,
           resourceType: 'repository',
           resourceId: repo.full_name,
           evidence: {
             repository: repo.full_name,
-            library: validation.library,
-            file: validation.file,
+            matches: validationMatches,
             checkedAt: new Date().toISOString(),
           },
         });
       } else {
+        const checkedFiles = tree
+          .filter((e) => e.type === 'blob' && TARGET_FILES.includes(getFileName(e.path)))
+          .map((e) => e.path);
+
         ctx.fail({
           title: `No input validation library found in ${repo.name}`,
           description:
-            'Could not detect Zod or Pydantic. Implement input validation and sanitization using one of these libraries.',
+            'Could not detect Zod or Pydantic in any package.json, requirements.txt, or pyproject.toml. Implement input validation and sanitization using one of these libraries.',
           resourceType: 'repository',
           resourceId: repo.full_name,
           severity: 'medium',
           remediation:
             'Add Zod (JavaScript/TypeScript) or Pydantic (Python) to enforce schema validation on inbound data.',
           evidence: {
             repository: repo.full_name,
-            checkedFiles: ['package.json', 'requirements.txt', 'pyproject.toml'],
+            checkedFiles: checkedFiles.length > 0 ? checkedFiles : ['No dependency files found'],
           },
         });
       }
diff --git a/packages/integration-platform/src/manifests/github/types.ts b/packages/integration-platform/src/manifests/github/types.ts
@@ -75,3 +75,23 @@ export interface GitHubCodeScanningDefaultSetup {
   query_suite?: 'default' | 'extended';
   updated_at?: string;
 }
+
+/**
+ * Git tree response
+ * Returned by /repos/{owner}/{repo}/git/trees/{tree_sha}?recursive=1
+ */
+export interface GitHubTreeResponse {
+  sha: string;
+  url: string;
+  truncated: boolean;
+  tree: GitHubTreeEntry[];
+}
+
+export interface GitHubTreeEntry {
+  path: string;
+  mode: string;
+  type: 'blob' | 'tree';
+  sha: string;
+  size?: number;
+  url: string;
+}
