Add one-command security tools setup and pre-push scanning#1185
Open
John-David Dalton (jdalton) wants to merge 6 commits intomainfrom
Open
Add one-command security tools setup and pre-push scanning#1185John-David Dalton (jdalton) wants to merge 6 commits intomainfrom
John-David Dalton (jdalton) wants to merge 6 commits intomainfrom
Conversation
One command to set up AgentShield, zizmor, and Socket Firewall. Downloads binaries with SHA-256 verification, creates PATH shims (bash + Windows .cmd), and adds blocking scans to pre-push hook.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 4 potential issues.
Autofix Details
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: SFW free shims disable SSL verification globally
- Removed the
export GIT_SSL_NO_VERIFY=trueline and its comment from the sfw-free shim generation code, eliminating the global SSL verification bypass.
- Removed the
Or push these changes by commenting:
@cursor push 6216e6d7db
Preview (6216e6d7db)
diff --git a/.claude/hooks/setup-security-tools/index.mts b/.claude/hooks/setup-security-tools/index.mts
--- a/.claude/hooks/setup-security-tools/index.mts
+++ b/.claude/hooks/setup-security-tools/index.mts
@@ -273,10 +273,6 @@
'fi',
)
}
- if (!isEnterprise) {
- // Workaround: sfw-free does not yet set GIT_SSL_CAINFO (temporary).
- bashLines.push('export GIT_SSL_NO_VERIFY=true')
- }
bashLines.push(`exec "${binaryPath}" "${realBin}" "$@"`)
const bashContent = bashLines.join('\n') + '\n'
const bashPath = path.join(shimDir, cmd)You can send follow-ups to the cloud agent here.
Bill Li (billxinli)
approved these changes
Apr 10, 2026
- Remove GIT_SSL_NO_VERIFY=true from SFW free shims (MITM risk) - Remove dead sha256File function and unused createReadStream/createHash imports - Fix pre-push: skip scan when no baseline exists instead of scanning all history - Fix pre-push: use remote_sha..local_sha for existing branches to avoid re-scanning already-pushed commits
Contributor
Author
|
Cursor (@cursor) review |
- Use $remote variable instead of hardcoded 'origin' in pre-push hook - Remove unused YELLOW color variable - Return false from setupSfw when no shims were created - Add sync note referencing .husky/security-checks.sh
Contributor
Author
|
Cursor (@cursor) review |
Windows .cmd shims for enterprise SFW had no equivalent of the bash shim's .env.local/.env file reading logic. Enterprise features would silently fail unless SOCKET_API_KEY was set as an OS-level env variable.
Contributor
Author
|
Cursor (@cursor) review |
1 similar comment
Contributor
Author
|
Cursor (@cursor) review |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Pre-checks may consume stdin, silently skipping commit validation
- Added
</dev/nullto both the agentshield and zizmor command invocations so they cannot consume the git ref data from stdin, ensuring the while-read loop processes all refs.
- Added
Or push these changes by commenting:
@cursor push 0fb9c637e2
Preview (0fb9c637e2)
diff --git a/.git-hooks/pre-push b/.git-hooks/pre-push
--- a/.git-hooks/pre-push
+++ b/.git-hooks/pre-push
@@ -27,7 +27,7 @@
# ============================================================================
if command -v agentshield >/dev/null 2>&1 || [ -x "$(pnpm bin 2>/dev/null)/agentshield" ]; then
AGENTSHIELD="$(command -v agentshield 2>/dev/null || echo "$(pnpm bin)/agentshield")"
- if ! "$AGENTSHIELD" scan --quiet 2>/dev/null; then
+ if ! "$AGENTSHIELD" scan --quiet 2>/dev/null </dev/null; then
printf "${RED}✗ AgentShield: security issues found in Claude config${NC}\n"
printf "Run 'pnpm exec agentshield scan' for details\n"
TOTAL_ERRORS=$((TOTAL_ERRORS + 1))
@@ -44,7 +44,7 @@
ZIZMOR="$HOME/.socket/zizmor/bin/zizmor"
fi
if [ -n "$ZIZMOR" ] && [ -d ".github/" ]; then
- if ! "$ZIZMOR" .github/ 2>/dev/null; then
+ if ! "$ZIZMOR" .github/ 2>/dev/null </dev/null; then
printf "${RED}✗ Zizmor: workflow security issues found${NC}\n"
printf "Run 'zizmor .github/' for details\n"
TOTAL_ERRORS=$((TOTAL_ERRORS + 1))You can send follow-ups to the cloud agent here.
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 2f8e599. Configure here.
- Redirect agentshield and zizmor stdin from /dev/null to prevent them from consuming git's ref data pipe, which would cause the while-read loop to silently iterate zero times - Use computed range base instead of $remote_sha in rebase suggestion so new-branch pushes don't print the zero SHA
Contributor
Author
|
Cursor (@cursor) review |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this adds
/setup-security-toolscommandOne command to download and configure all three security tools:
Prompts for a Socket API key (enterprise features), downloads binaries with SHA-256 verification, creates PATH shims (bash + Windows .cmd).
Pre-push scanning
Adds AgentShield + zizmor blocking scans to the pre-push hook. Every push is automatically checked.
Files
.claude/hooks/setup-security-tools/— setup script + README.claude/commands/setup-security-tools.md— the slash command.git-hooks/pre-push— updated with security pre-checks.claude/skills/security-scan/SKILL.md— cross-references the hook.gitignore— tracks hooks and settingsNote
Medium Risk
Adds a new mandatory
pre-pushgate that can block pushes and introduces a script that downloads/executes external binaries (zizmor/SFW), so misconfiguration or platform edge cases could impact developer workflows.Overview
Introduces a new
/setup-security-toolscommand and accompanying hook that sets up AgentShield, zizmor, and Socket Firewall (SFW) for local use, including SHA-256–verified binary downloads, caching under~/.socket/, and PATH shims for supported package managers (with optional enterprise mode viaSOCKET_API_KEY).Adds a
.git-hooks/pre-pushhook that runs AgentShield and zizmor scans and blocks pushes on findings, plus commit-message AI attribution checks and secret/file hygiene checks. Updates.gitignoreto allow committing.claude/hooks/andsettings.json, and documents the new setup in the security scan skill/readmes.Reviewed by Cursor Bugbot for commit bf5169b. Configure here.