From ff185a9bce3c19d697f4a56e2a9e319899b583b6 Mon Sep 17 00:00:00 2001
From: nitrax
Date: Thu, 16 Apr 2026 10:37:26 +0200
Subject: [PATCH 1/4] Enabling dd sync and deleting whitelisted query
---
 .github/security-config.toml | 4 +---
 .github/workflows/security.yml | 3 +++
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/security-config.toml b/.github/security-config.toml
index ac4dd45..725b2be 100644
--- a/.github/security-config.toml
+++ b/.github/security-config.toml
@@ -5,12 +5,10 @@ path = "."
 [kics]
 platform = "Dockerfile"
-exclude_queries = ["fd54f200-402c-4333-a5a4-36ef6709af2f"]
 [grype]
 ignore_states = "not-fixed,unknown,wont-fix"
 transitive_libraries = false
 [opengrep]
-exclude = ["*_test.go", "docker-compose.yml", "Dockerfile"]
-exclude_rule = ["go.lang.security.audit.dangerous-exec-command.dangerous-exec-command"]
\ No newline at end of file
+exclude = ["*_test.go", "docker-compose.yml", "Dockerfile"]
\ No newline at end of file
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index cfc25a3..5b228cd 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -30,8 +30,11 @@ jobs:
 docker run --rm \
 -v "$GITHUB_WORKSPACE:/tmp/data" \
 -e SCAN_DIR=/tmp/data \
+ -e DD_URL=${{ secrets.DD_URL }}
+ -e DD_ACCESS_TOKEN=${{ secrets.DD_ACCESS_TOKEN }}
 ghcr.io/paranoihack/scopeguardian:${{ vars.SG_VERSION }} \
 --projectName ScopeGuardian \
 --branch "${{ github.ref_name }}" \
 --threshold "critical=1,high=1,medium=1,low=1" \
+ --sync \
 /tmp/data/.github/security-config.toml
\ No newline at end of file
From 4c89d6fa138c373d1a5cf08917852b1c123c679d Mon Sep 17 00:00:00 2001
From: nitrax
Date: Thu, 16 Apr 2026 10:40:16 +0200
Subject: [PATCH 2/4] Fixing typos for multi lines command
---
 .github/workflows/security.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 5b228cd..f01a340 100644
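Review bot: The rewritten last line `+exclude = ["*_test.go", "docker-compose.yml", "Dockerfile"]` of .github/security-config.toml still carries `\ No newline at end of file`; terminate the file with a single LF so the next edit to `[opengrep]` does not show up as a change to this line too. The hunk also drops the opengrep `exclude_rule` for `go.lang.security.audit.dangerous-exec-command.dangerous-exec-command`, while the commit title only mentions the KICS query; with the `--threshold "critical=1,high=1,medium=1,low=1"` passed in the security.yml hunk, any finding that rule now reports fails the job, which is presumably the intent but deserves a sentence in the commit message. A short comment above `[opengrep]` such as `# No rule suppressions: findings are triaged in the sync target, not silenced here` would record that decision for whoever next considers adding one back.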
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -30,8 +30,8 @@ jobs:
 docker run --rm \
 -v "$GITHUB_WORKSPACE:/tmp/data" \
 -e SCAN_DIR=/tmp/data \
- -e DD_URL=${{ secrets.DD_URL }}
- -e DD_ACCESS_TOKEN=${{ secrets.DD_ACCESS_TOKEN }}
+ -e DD_URL=${{ secrets.DD_URL }} \
+ -e DD_ACCESS_TOKEN=${{ secrets.DD_ACCESS_TOKEN }} \
 ghcr.io/paranoihack/scopeguardian:${{ vars.SG_VERSION }} \
 --projectName ScopeGuardian \
 --branch "${{ github.ref_name }}" \
From de1794e9669afce1ddfbb53cbf53f7d2619ce977 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 16 Apr 2026 08:53:39 +0000
Subject: [PATCH 3/4] Fix branch ref and missing secrets inheritance in security workflow
Agent-Logs-Url: https://github.com/ParanoiHack/ScopeGuardian/sessions/ca13f120-b73d-4ce8-968e-d6b437024dff
Co-authored-by: Nitr4x <10544300+Nitr4x@users.noreply.github.com>
---
 .github/workflows/ci.yml | 1 +
 .github/workflows/security.yml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f8f63f3..4724e43 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -26,6 +26,7 @@ jobs:
 name: Security
 needs: test
 uses: ./.github/workflows/security.yml
+ secrets: inherit
 permissions:
 contents: read
 packages: read
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index f01a340..748df25 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -34,7 +34,7 @@ jobs:
 -e DD_ACCESS_TOKEN=${{ secrets.DD_ACCESS_TOKEN }} \
 ghcr.io/paranoihack/scopeguardian:${{ vars.SG_VERSION }} \
 --projectName ScopeGuardian \
- --branch "${{ github.ref_name }}" \
+ --branch "${{ github.head_ref || github.ref_name }}" \
 --threshold "critical=1,high=1,medium=1,low=1" \
 --sync \
 /tmp/data/.github/security-config.toml
\ No newline at end of file
From e38a7b92b1405f26a0894111203eb7082522934a Mon Sep 17 00:00:00 2001
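Review bot: `secrets: inherit` in the ci.yml hunk forwards every secret the calling workflow can see into security.yml, although the called job only reads `DD_URL` and `DD_ACCESS_TOKEN` (visible in this commit's security.yml hunk); passing the two by name keeps the reusable workflow at least privilege: `secrets:` / `  DD_URL: ${{ secrets.DD_URL }}` / `  DD_ACCESS_TOKEN: ${{ secrets.DD_ACCESS_TOKEN }}`. For that form to work, security.yml has to declare both names under `on.workflow_call.secrets`, which is outside these hunks and cannot be confirmed from here. If the caller also runs on `pull_request` events from forks, both secrets resolve to empty strings whichever form is used, so the `--sync` upload in the security.yml hunk would run without credentials; gating that step on the secret being non-empty is worth considering.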
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 16 Apr 2026 09:00:54 +0000
Subject: [PATCH 4/4] Fix shell injection: move github context vars to env in security.yml
Agent-Logs-Url: https://github.com/ParanoiHack/ScopeGuardian/sessions/a344e562-fac8-4005-80f1-9ab20bf3c9ee
Co-authored-by: Nitr4x <10544300+Nitr4x@users.noreply.github.com>
---
 .github/workflows/security.yml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 748df25..6191591 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -26,15 +26,20 @@ jobs:
 run: test -f "$GITHUB_WORKSPACE/.github/security-config.toml"
 - name: Run ScopeGuardian
+ env:
+ DD_URL: ${{ secrets.DD_URL }}
+ DD_ACCESS_TOKEN: ${{ secrets.DD_ACCESS_TOKEN }}
+ SG_VERSION: ${{ vars.SG_VERSION }}
+ BRANCH: ${{ github.head_ref || github.ref_name }}
 run: |
 docker run --rm \
 -v "$GITHUB_WORKSPACE:/tmp/data" \
 -e SCAN_DIR=/tmp/data \
- -e DD_URL=${{ secrets.DD_URL }} \
- -e DD_ACCESS_TOKEN=${{ secrets.DD_ACCESS_TOKEN }} \
- ghcr.io/paranoihack/scopeguardian:${{ vars.SG_VERSION }} \
+ -e DD_URL="$DD_URL" \
+ -e DD_ACCESS_TOKEN="$DD_ACCESS_TOKEN" \
+ "ghcr.io/paranoihack/scopeguardian:$SG_VERSION" \
 --projectName ScopeGuardian \
- --branch "${{ github.head_ref || github.ref_name }}" \
+ --branch "$BRANCH" \
 --threshold "critical=1,high=1,medium=1,low=1" \
 --sync \
 /tmp/data/.github/security-config.toml
\ No newline at end of file
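Review bot: `-e DD_ACCESS_TOKEN="$DD_ACCESS_TOKEN"` in the `run:` block places the token in the docker client's argument list, where it is readable by any other process on the runner through the process table for as long as the command runs; because the value already sits in the step's environment via the new `env:` map, passing only the name lets docker take the value from the client environment instead: `-e DD_URL \` and `-e DD_ACCESS_TOKEN \`. Nothing in the hunk rejects empty inputs: an unset `SG_VERSION` produces the image reference `ghcr.io/paranoihack/scopeguardian:` and an empty token is presumably only noticed when `--sync` tries to authenticate, so a fail-fast line before `docker run`, e.g. `: "${SG_VERSION:?SG_VERSION is not set}" "${DD_ACCESS_TOKEN:?DD_ACCESS_TOKEN is not set}"`, would give a clear error instead. Separately, `$SG_VERSION` is a mutable tag; pinning the scanner image by digest (`@sha256:<digest-placeholder>`) would make the scan tooling itself reproducible and tamper-evident, since this job is what gates the pipeline. The `env:` map and the `run:` block are both inside the hunk, but the `on:` triggers that determine when secrets are available are not.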