mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-20 09:17:51 +00:00
* feat(security): add GHSA detector-review pipeline and OpenGrep CI workflows [AI-assisted]

Stand up an end-to-end pipeline that turns every published openclaw GitHub
Security Advisory into a reusable OpenGrep rule, and wire the compiled rules
into manual-dispatch GitHub Actions workflows that publish SARIF to GitHub
Code Scanning.

The pipeline is harness-agnostic: any coding-agent CLI (Rovo Dev, Claude
Code, Codex, OpenCode, or anything you can shell out to) can drive it via
the runner script's --harness flag. Built-in adapters cover the four common
harnesses; --harness-cmd '<template>' supports anything else with shell-style
{prompt}/{model}/{output_file} substitution.

Pipeline pieces:
- scripts/run-ghsa-detector-review-batch.mjs runs your chosen coding harness
  in parallel against every advisory using the agent-agnostic detector-review
  spec at security/detector-review/detector-review-spec.md. Each case
  produces an opengrep general-rule.yml (precise) and broad-rule.yml
  (review-aid), plus a coverage-validated report against the vulnerable
  commit's changed files.
- scripts/compile-opengrep-rules.mjs walks a run directory, rewrites each
  rule's id to ghsa-detector.<ghsa>.<orig-id>, injects ghsa/advisory-url/
  detector-bucket/source-rule-id metadata, and uses opengrep itself to drop
  rules with InvalidRuleSchemaError so the published super-configs load
  cleanly.

Compiled outputs:
- security/opengrep/precise.yml (336 rules)
- security/opengrep/broad.yml (459 rules)
- security/opengrep/compile-manifest.json (per-rule provenance map)

CI workflows (manual workflow_dispatch only):
- .github/workflows/opengrep-precise.yml
- .github/workflows/opengrep-broad.yml

Both install a pinned opengrep, run opengrep scan against src/, upload SARIF
to Code Scanning under categories opengrep-precise / opengrep-broad, and use
continue-on-error: true so findings never block the workflow.

Detector-review spec and assets:
- security/detector-review/detector-review-spec.md: the agent-agnostic spec
  the runner injects into each per-case prompt
- security/detector-review/references/{detector-rubric,report-template}.md
- security/detector-review/scripts/init_case.py
- security/prompt-suffix-coverage-first.md: mandatory prompt addendum that
  enforces coverage-first validation (rule must catch the OG vuln, not just
  pass synthetic fixtures)

Docs:
- security/README.md: end-to-end flow, supported harnesses, regen recipe
- security/opengrep/README.md: compiled-config details + recompile recipe
* security: tighten GHSA OpenGrep detector workflow
* chore: refine precise opengrep workflow
* chore: remove stale opengrep metadata
* fix: harden GHSA OpenGrep workflow
* ci: split OpenGrep diff and full scans
* chore: remove performance-only opengrep rule
* ci: use OpenGrep installer path
* chore: enforce opengrep rule metadata provenance
* chore: generalize opengrep rule compilation
* docs: align opengrep rulepack guidance
* chore: support generic opengrep rule sources
* fix: validate opengrep rulepack-only changes
---------
Co-authored-by: Jesse Merhi <security-engineering@atlassian.com>
| File | | |
|---|---|---|
| audit-seams.test.ts | ||
| barnacle-auto-response.test.ts | ||
| blacksmith-testbox-runner.test.ts | ||
| blacksmith-testbox-state.test.ts | ||
| build-all.test.ts | ||
| bundle-a2ui.test.ts | ||
| bundled-plugin-build-entries.test.ts | ||
| bundled-plugin-staged-runtime-deps.test.ts | ||
| changed-lanes.test.ts | ||
| channel-contract-test-plan.test.ts | ||
| check-changelog-attributions.test.ts | ||
| check-channel-agnostic-boundaries.test.ts | ||
| check-cli-bootstrap-imports.test.ts | ||
| check-deadcode-unused-files.test.ts | ||
| check-dynamic-import-warts.test.ts | ||
| check-extension-package-tsc-boundary.test.ts | ||
| check-extension-wildcard-reexports.test.ts | ||
| check-file-utils.test.ts | ||
| check-gateway-watch-regression.test.ts | ||
| check-no-conflict-markers.test.ts | ||
| check-no-random-messaging-tmp.test.ts | ||
| check-no-raw-window-open.test.ts | ||
| check-openclaw-package-tarball.test.ts | ||
| check-opengrep-rule-metadata.test.ts | ||
| check-plugin-sdk-wildcard-reexports.test.ts | ||
| check-runtime-sidecar-loaders.test.ts | ||
| ci-node-test-plan.test.ts | ||
| ci-run-timings.test.ts | ||
| close-duplicate-prs-after-merge.test.ts | ||
| committer.test.ts | ||
| docker-all-scheduler.test.ts | ||
| docker-build-helper.test.ts | ||
| docker-e2e-plan.test.ts | ||
| extension-source-classifier.test.ts | ||
| gh-read.test.ts | ||
| install-ps1.test.ts | ||
| install-sh.test.ts | ||
| ios-pin-version.test.ts | ||
| ios-team-id.test.ts | ||
| ios-version.test-support.ts | ||
| ios-version.test.ts | ||
| lint-suppressions.test.ts | ||
| live-docker-stage.test.ts | ||
| local-heavy-check-runtime.test.ts | ||
| managed-child-process.test.ts | ||
| npm-runner.test.ts | ||
| npm-telegram-live.test.ts | ||
| openclaw-cross-os-release-checks.test.ts | ||
| openclaw-cross-os-release-workflow.test.ts | ||
| openclaw-test-state.test.ts | ||
| oxlint-config.test.ts | ||
| package-acceptance-workflow.test.ts | ||
| parallels-npm-update-smoke.test.ts | ||
| parallels-smoke-model.test.ts | ||
| plugin-boundary-report.test.ts | ||
| plugin-contract-test-plan.test.ts | ||
| plugin-gateway-gauntlet.test.ts | ||
| plugin-prerelease-test-plan.test.ts | ||
| plugin-update-unchanged-docker.test.ts | ||
| pnpm-audit-prod.test.ts | ||
| pnpm-runner.test.ts | ||
| postinstall-bundled-plugins.test.ts | ||
| preinstall-package-manager-warning.test.ts | ||
| prepare-extension-package-boundary-artifacts.test.ts | ||
| resolve-openclaw-package-candidate.test.ts | ||
| root-dependency-ownership-audit.test.ts | ||
| root-package-overrides.test.ts | ||
| run-additional-boundary-checks.test.ts | ||
| run-opengrep.test.ts | ||
| run-oxlint.test.ts | ||
| run-tsgo.test.ts | ||
| run-vitest-profile.test.ts | ||
| run-vitest.test.ts | ||
| runtime-postbuild-stamp.test.ts | ||
| runtime-postbuild.test.ts | ||
| sbom-risk-report.test.ts | ||
| stage-bundled-plugin-runtime-deps.test.ts | ||
| stage-bundled-plugin-runtime.test.ts | ||
| test-extension.test.ts | ||
| test-group-report.test.ts | ||
| test-helpers.ts | ||
| test-install-sh-docker.test.ts | ||
| test-live-cli-backend-docker.test.ts | ||
| test-live-shard.test.ts | ||
| test-projects.test.ts | ||
| test-report-utils.test.ts | ||
| testbox-sync-sanity.test.ts | ||
| ts-guard-utils.test.ts | ||
| ts-topology.test.ts | ||
| tsdown-build.test.ts | ||
| ui.test.ts | ||
| verify-docker-attestations.test.ts | ||
| vitest-local-scheduling.test.ts | ||
| vitest-process-group.test.ts | ||
| vitest-shard-timings.test.ts | ||
| write-cli-startup-metadata.test.ts | ||