vrr/openclaw
2
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-20 09:17:51 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 18
openclaw/test
History
Jesse Merhi 6de9d71bfb
feat(security): add GHSA detector-review pipeline and OpenGrep CI workflows (#69483) 
* feat(security): add GHSA detector-review pipeline and OpenGrep CI workflows [AI-assisted]

Stand up an end-to-end pipeline that turns every published openclaw GitHub
Security Advisory into a reusable OpenGrep rule, and wire the compiled rules
into manual-dispatch GitHub Actions workflows that publish SARIF to GitHub
Code Scanning.

The pipeline is harness-agnostic: any coding-agent CLI (Rovo Dev, Claude
Code, Codex, OpenCode, or anything you can shell out to) can drive it via
the runner script's --harness flag. Built-in adapters cover the four common
harnesses; --harness-cmd '<template>' supports anything else with shell-style
{prompt}/{model}/{output_file} substitution.

Pipeline pieces:

- scripts/run-ghsa-detector-review-batch.mjs runs your chosen coding harness
  in parallel against every advisory using the agent-agnostic detector-review
  spec at security/detector-review/detector-review-spec.md. Each case
  produces an opengrep general-rule.yml (precise) and broad-rule.yml
  (review-aid), plus a coverage-validated report against the vulnerable
  commit's changed files.
- scripts/compile-opengrep-rules.mjs walks a run directory, rewrites each
  rule's id to ghsa-detector.<ghsa>.<orig-id>, injects ghsa/advisory-url/
  detector-bucket/source-rule-id metadata, and uses opengrep itself to drop
  rules with InvalidRuleSchemaError so the published super-configs load
  cleanly.

Compiled outputs:

- security/opengrep/precise.yml     (336 rules)
- security/opengrep/broad.yml       (459 rules)
- security/opengrep/compile-manifest.json    (per-rule provenance map)

CI workflows (manual workflow_dispatch only):

- .github/workflows/opengrep-precise.yml
- .github/workflows/opengrep-broad.yml

Both install a pinned opengrep, run opengrep scan against src/, upload SARIF
to Code Scanning under categories opengrep-precise / opengrep-broad, and use
continue-on-error: true so findings never block the workflow.

Detector-review spec and assets:

- security/detector-review/detector-review-spec.md   the agent-agnostic spec
  the runner injects into each per-case prompt
- security/detector-review/references/{detector-rubric,report-template}.md
- security/detector-review/scripts/init_case.py
- security/prompt-suffix-coverage-first.md   mandatory prompt addendum that
  enforces coverage-first validation (rule must catch the OG vuln, not just
  pass synthetic fixtures)

Docs:

- security/README.md          end-to-end flow, supported harnesses, regen recipe
- security/opengrep/README.md compiled-config details + recompile recipe

* security: tighten GHSA OpenGrep detector workflow

* chore: refine precise opengrep workflow

* chore: remove stale opengrep metadata

* fix: harden GHSA OpenGrep workflow

* ci: split OpenGrep diff and full scans

* chore: remove performance-only opengrep rule

* ci: use OpenGrep installer path

* chore: enforce opengrep rule metadata provenance

* chore: generalize opengrep rule compilation

* docs: align opengrep rulepack guidance

* chore: support generic opengrep rule sources

* fix: validate opengrep rulepack-only changes

---------

Co-authored-by: Jesse Merhi <security-engineering@atlassian.com>
2026-04-30 02:42:20 +10:00
..
fixtures chore: tighten plugin boundary export audit 2026-04-27 11:47:09 +01:00
helpers test: tolerate opencl live stt transcript variant 2026-04-29 14:37:28 +01:00
mocks fix(whatsapp): write creds.json atomically (#63577) 2026-04-16 02:44:46 -03:00
scripts feat(security): add GHSA detector-review pipeline and OpenGrep CI workflows (#69483) 2026-04-30 02:42:20 +10:00
vitest chore: remove unused internal entrypoints 2026-04-29 11:35:34 +01:00
appcast.test.ts
architecture-smells.test.ts perf: cache guard inventory checks 2026-04-25 10:02:02 +01:00
cli-json-stdout.e2e.test.ts style: format sdk helper imports 2026-04-28 04:20:49 +01:00
extension-import-boundaries.test.ts test: speed up import-heavy tests 2026-04-25 11:04:16 +01:00
extension-package-tsc-boundary.test.ts perf(test): isolate core test hotspots 2026-04-25 03:41:17 +01:00
extension-test-boundary.test.ts test: guard broad plugin resolver fixtures 2026-04-29 06:46:02 +01:00
gateway.multi.e2e.test.ts test: harden live release checks 2026-04-27 15:11:46 +01:00
git-hooks-pre-commit.test.ts fix(git-hooks): skip ignored staged paths 2026-04-27 11:12:55 +01:00
global-setup.ts
image-generation.infer-cli.live.test.ts fix: serialize bundled runtime dependency repair 2026-04-24 20:44:56 +01:00
image-generation.runtime.live.test.ts test: stabilize release live e2e probes 2026-04-29 16:32:05 +01:00
non-isolated-runner.ts
npm-publish-plan.test.ts
official-channel-catalog.test.ts style: format sdk helper imports 2026-04-28 04:20:49 +01:00
openclaw-launcher.e2e.test.ts fix(cli): disable source checkout compile cache 2026-04-27 23:28:17 +01:00
openclaw-npm-postpublish-verify.test.ts style: format repository 2026-04-26 05:47:12 +01:00
openclaw-npm-release-check.test.ts fix(build): stamp runtime postbuild artifacts 2026-04-28 07:56:08 +01:00
openclaw-prepack.test.ts fix(plugins): localize bundled runtime deps to extensions (#67099) 2026-04-15 12:04:31 +01:00
plugin-clawhub-release.test.ts test: share clawhub release tooling fixture 2026-04-20 17:42:42 +01:00
plugin-extension-import-boundary.test.ts
plugin-npm-release.test.ts test: use public plugin sdk test fixtures 2026-04-28 03:52:38 +01:00
qa-convex-credential-payload-validation.test.ts test(qa): validate Discord Convex credential payloads (#70910) 2026-04-23 20:35:54 -07:00
release-check.test.ts fix(plugins): simplify bundled runtime deps staging 2026-04-29 17:04:56 +01:00
setup-home-isolation.test.ts
setup-openclaw-runtime.ts refactor: simplify plugin cache boundaries 2026-04-29 04:33:15 +01:00
setup.extensions.ts
setup.shared.ts refactor(plugins): simplify plugin cache boundaries 2026-04-29 03:52:22 +01:00
setup.ts
test-env.test.ts test: use public plugin sdk test fixtures 2026-04-28 03:52:38 +01:00
test-env.ts test: slim live auth staging 2026-04-23 05:22:37 +01:00
test-helper-extension-import-boundary.test.ts test: speed up changed unit checks 2026-04-25 09:27:59 +01:00
tsconfig.json chore: update dependencies and oxc tooling 2026-04-10 19:28:42 +01:00
ui.presenter-next-run.test.ts test: fix ui presenter next run test for multi-language environments (#60231) 2026-04-22 20:26:44 -07:00
vitest-boundary-config.test.ts test: align Vitest config path assertions 2026-04-10 15:49:37 +01:00
vitest-extensions-config.test.ts test: use public plugin sdk test fixtures 2026-04-28 03:52:38 +01:00
vitest-light-paths.test.ts
vitest-performance-config.test.ts
vitest-projects-config.test.ts test(ci): align commands vitest pool expectation 2026-04-29 06:28:08 +01:00
vitest-scoped-config.test.ts test(ci): align scoped commands pool expectation 2026-04-29 06:35:35 +01:00
vitest-ui-package-config.test.ts
vitest-unit-config.test.ts test: split ui unit tests from generic lane 2026-04-27 08:35:04 +01:00
vitest-unit-fast-config.test.ts test(ci): add plugin prerelease suite to CI (#73741) 2026-04-28 14:52:03 -07:00
vitest-unit-paths.test.ts test: use public plugin sdk test fixtures 2026-04-28 03:52:38 +01:00
web-provider-boundary.test.ts test: use public plugin sdk test fixtures 2026-04-28 03:52:38 +01:00