
KernDX Pipeline v0.3.0

@friskychicken friskychicken released this 15 Jun 12:58
· 10 commits to main since this release
pipeline-v0.3.0
62e4cff

[v0.3.0] — 2026-06-15

Distribution: KernDX-1.1.0-11-pipeline.zip. Ships alongside the framework as pipeline-v0.3.0 against framework release v1.1.0-11.

This release adds committed-secret scanning, surfaces every security-bypass call site for review, and teaches doctor to catch silent PMD-for-Apex version drift.

Added

  • secret-scan — committed-credential detection, wired as a CI gate. A new kerndx secret-scan command scans changed files for credentials that should never reach a repository, with patterns tuned for Salesforce: SFDX auth URLs (force://…), session/access tokens and OAuth refresh tokens, connected-app consumer secrets, Salesforce credential environment variables assigned a literal value, PEM private keys, and prefixed cloud keys (AWS, GitHub, Slack, Google). Detection is tiered: unambiguous credential shapes fail the PR's Secret Scan status check, while keyword-anchored assignments, JWTs, and generic credential literals are reported as advisories that flag a likely leak without blocking CI. It is deliberately quiet on look-alikes — bare org and record IDs, 18-character API names, UUIDs, hashes, and ${{ secrets.X }} templating are never flagged. kerndx init scaffolds the Secret Scan workflow, and preflight runs the same scan locally (advisory) before every push. Pairs with — does not replace — your Git host's native push protection.
  • KernSecurityBypassCallSite PMD rule (informational) — inventories every security-bypass call site (withSystemMode, bypassSharing, withoutSecurity, validation- and trigger-action bypasses) so a pull request that introduces a new bypass surfaces during review. Acknowledge expected call sites with @SuppressWarnings('PMD.KernSecurityBypassCallSite') or an inline // NOPMD comment stating the reason.
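The tiered detection that the secret-scan entry describes (blocking shapes versus advisories, and deliberate silence on look-alikes) can be illustrated with a small scanner. The code below is an added example written for this page, not the KernDX pipeline's own implementation: its rule set, tier names, look-alike rules, `scanText`/`scanFiles` functions and the sample file contents are all constructed assumptions, and the credential strings in the sample are fake.

```javascript
// Added example, not code from the KernDX project: a tiered committed-secret
// scanner modelled on the behaviour described for `kerndx secret-scan`.
// Pattern set, tier names, look-alike rules and sample files are assumptions
// constructed for this illustration; every credential value below is fake.

// Tier 1: unambiguous credential shapes. A hit fails the status check.
const BLOCKING_RULES = [
  // SFDX auth URL: force://<clientId>:<clientSecret>:<refreshToken>@<instance>
  { id: 'sfdx-auth-url', re: /force:\/\/[^:\s'"]*:[^:\s'"]*:[^@\s'"]+@[^\s'"]+/ },
  // PEM-armoured private key header
  { id: 'pem-private-key', re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/ },
  // AWS access key ID: AKIA prefix followed by 16 uppercase alphanumerics
  { id: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/ },
];

// Tier 2: likely leaks that still need a human. Reported, never blocking.
const ADVISORY_RULES = [
  // Three base64url segments, header starting with "eyJ" (i.e. '{"')
  { id: 'jwt', re: /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/ },
  // Credential keyword assigned a quoted literal; group 1 captures the value
  { id: 'keyword-assignment',
    re: /\b(?:password|passwd|secret|token|api[_-]?key|client[_-]?secret)\b['"]?\s*[:=]\s*['"]([^'"]{8,})['"]/i },
];

// Values that look like secrets but are not: the scanner stays quiet on these.
const LOOKALIKE_VALUES = [
  /^\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}$/,        // GitHub Actions templating
  /^[A-Za-z0-9]{15}$|^[A-Za-z0-9]{18}$/,               // Salesforce 15/18-char IDs, 18-char API names
  /^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i,    // UUID
  /^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$/i,     // MD5 / SHA-1 / SHA-256 hex digests
];

function isLookalike(value) {
  return LOOKALIKE_VALUES.some((re) => re.test(value));
}

// Scan one file's text. Returns [{ file, line, rule, tier }]. The highest tier
// that matches a line wins, so each line is reported at most once.
function scanText(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    const blocking = BLOCKING_RULES.find((r) => r.re.test(line));
    if (blocking) {
      findings.push({ file, line: idx + 1, rule: blocking.id, tier: 'blocking' });
      return;
    }
    for (const rule of ADVISORY_RULES) {
      const m = rule.re.exec(line);
      if (!m) continue;
      // Keyword rule: the captured value decides; other rules: the whole match.
      const value = m[1] !== undefined ? m[1] : m[0];
      if (isLookalike(value)) continue;
      findings.push({ file, line: idx + 1, rule: rule.id, tier: 'advisory' });
      return;
    }
  });
  return findings;
}

// Scan a map of { path: text } and compute the CI gate decision:
// advisories never block, any blocking finding fails the check.
function scanFiles(files) {
  const findings = Object.entries(files).flatMap(([file, text]) => scanText(file, text));
  const blocking = findings.filter((f) => f.tier === 'blocking').length;
  const advisory = findings.length - blocking;
  return { findings, blocking, advisory, passed: blocking === 0 };
}

// Constructed sample "changed files" (all values fake).
const SAMPLE_FILES = {
  'scripts/deploy.sh': [
    'export SFDX_AUTH_URL="force://PlatformCLI::5Aep861FAKEREFRESHTOKEN@example.my.salesforce.com"',
    'AWS_KEY=AKIAEXAMPLEKEY000000',
  ].join('\n'),
  '.github/workflows/ci.yml': [
    'env:',
    '  token: "${{ secrets.GH_TOKEN }}"',          // templating: must stay quiet
  ].join('\n'),
  'config/app.json': [
    '{',
    '  "apiKey": "xyz12345abcd",',                 // advisory: keyword + literal
    '  "secret": "00D5g000004ABCDEAO",',           // 18-char Salesforce ID: quiet
    '  "session": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJlZXhhbXBsZQ"', // advisory: JWT
    '}',
  ].join('\n'),
};

const result = scanFiles(SAMPLE_FILES);
for (const f of result.findings) {
  console.log(`${f.tier.padEnd(8)} ${f.file}:${f.line} ${f.rule}`);
}
console.log(result.passed ? 'Secret Scan: pass' : `Secret Scan: FAIL (${result.blocking} blocking, ${result.advisory} advisory)`);
```

Run with `node` and it reports two blocking findings (the auth URL and the AWS key) and two advisories (the `apiKey` literal and the JWT), while the templated `secrets.GH_TOKEN` reference and the 18-character Salesforce ID produce nothing. The look-alike suppression is a deliberate trade-off in the same spirit as the release note: a real secret that happens to be exactly 18 alphanumerics would slip past the keyword rule, which is one reason a scanner like this complements rather than replaces the Git host's push protection.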

Changed

  • preflight now also runs secret-scan — the pre-push sequence is scan + secret-scan + naming (previously scan + naming).
  • doctor catches PMD-for-Apex version drift. doctor --verbose now surfaces the PMD Apex module version bundled inside Salesforce Code Analyzer — previously undetectable — and doctor warns when that bundled version moves past the version this pipeline has validated against, so a silent Code Analyzer upgrade can't change how your scans behave without telling you.

Install

unzip KernDX-1.1.0-11-pipeline.zip -d .kerndx-pipeline
(cd .kerndx-pipeline/pipeline && npm ci --omit=dev)
./.kerndx-pipeline/bin/kerndx init

See pipeline/INSTALL-PIPELINE.md in the bundle for the full guide (SHA verification, ESLint wire-up, upgrade flow).