Skip to content

chore: add security scans#76

Merged
GabrielVasilescu04 merged 1 commit intomainfrom
chore/add-security-scans
Oct 30, 2025
Merged

chore: add security scans#76
GabrielVasilescu04 merged 1 commit intomainfrom
chore/add-security-scans

Conversation

@GabrielVasilescu04
Copy link
Copy Markdown
Collaborator

@GabrielVasilescu04 GabrielVasilescu04 commented Oct 7, 2025

Description

Add FOSSA and CODEQL scans to the CI pipeline. Scans should only run on merges to main and if the CI is manually run

@GabrielVasilescu04 GabrielVasilescu04 self-assigned this Oct 7, 2025
github-advanced-security[bot]
github-advanced-security AI found potential problems Oct 7, 2025
View reviewed changes
Comment thread .github/workflows/ci.yml Fixed
Comment thread .github/workflows/security-scans.yml Fixed
Comment thread .github/workflows/security-scans.yml Fixed
Comment thread .github/workflows/security-scans.yml Fixed
github-advanced-security[bot]
github-advanced-security AI found potential problems Oct 9, 2025
View reviewed changes
Comment thread .github/workflows/ci.yml

test:
uses: ./.github/workflows/test.yml
uses: ./.github/workflows/test.yml No newline at end of file

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 7 months ago

To fix the problem:

  • Add an explicit permissions: block at the top-level of .github/workflows/ci.yml, just below the workflow's name. This will ensure all jobs, except those with their own permissions block, have the minimum necessary privileges.
  • As a general least-privilege starting point, set contents: read, which is sufficient for most workflows needing to fetch code but not to write anything back to the repository or act on issues, etc.
  • If any downstream jobs/workflows specifically require additional permission, those should have their own explicit job-level permissions block.
  • To implement: Insert the following lines after name: CI and before on:.
Suggested changeset 1
.github/workflows/ci.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,4 +1,6 @@
 name: CI
+permissions:
+  contents: read
 
 on:
   push:
EOF
@@ -1,4 +1,6 @@
name: CI
permissions:
contents: read

on:
push:
Copilot is powered by AI and may make mistakes. Always verify output.
@GabrielVasilescu04 GabrielVasilescu04 merged commit 4218989 into main Oct 30, 2025
22 checks passed
@cristipufu cristipufu deleted the chore/add-security-scans branch November 30, 2025 11:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@radu-mocanu radu-mocanu radu-mocanu approved these changes

@cristipufu cristipufu Awaiting requested review from cristipufu

Assignees

@GabrielVasilescu04 GabrielVasilescu04

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@GabrielVasilescu04 @github-advanced-security @radu-mocanu